Solved

bye bye messages from ssh attempts

Posted on 2009-04-11
Last Modified: 2012-05-06
Hi All,

This is really just out of curiosity, I get loads of messages which look something like;
   Received disconnect from 129.1.64.81: 11: Bye Bye

Now I'm happy I'm OK and I have denyhosts enabled and secure passwords etc etc
I was wondering what is used to generate the "Bye Bye" message...

Anyone know?
Question by:jools
10 Comments
 
LVL 9

Expert Comment

by:tl121000
ID: 24122235
These as you know are hacking attempts, since SSH is a well known port (22).
you can tighten your firewall to allow only valid users
or
check this out...
http://www.it-slav.net/blogs/?p=183
 
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 1000 total points
ID: 24122314
sadly, it's pretty common - one of the "common currency" ssh haxxor scripts uses that disconnect string, and usually tries to log in as guest/guest or test/test before trying a brute force attack.

Each entry should *also* have a number in square brackets, which is the process ID - once you see the byebye, you can use that number with grep to locate any other records in the log for the same process ID - it's also worth grepping on the IP address given, to see if there are any other threads that share that IP.

problematic lines will be something like "failed password" - showing attempts to log in.
0
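The same-PID and same-IP lookups described in the accepted answer, written out as an added example that is not part of the original thread. The log lines, addresses, PIDs and the `correlate` function are constructed for illustration, and the parser assumes the usual `sshd[PID]: message` syslog layout.

```python
import re
from collections import defaultdict

# Constructed sshd syslog sample (documentation-range IPs, invented PIDs and users).
SAMPLE_LOG = """\
Apr 11 03:12:01 host sshd[4321]: Invalid user guest from 203.0.113.7
Apr 11 03:12:03 host sshd[4321]: Failed password for invalid user guest from 203.0.113.7 port 51234 ssh2
Apr 11 03:12:03 host sshd[4321]: Received disconnect from 203.0.113.7: 11: Bye Bye
Apr 11 03:12:05 host sshd[4330]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Apr 11 03:12:05 host sshd[4330]: Received disconnect from 203.0.113.7: 11: Bye Bye
Apr 11 03:15:40 host sshd[4400]: Accepted publickey for jools from 198.51.100.23 port 40022 ssh2
Apr 11 03:20:11 host sshd[4400]: Received disconnect from 198.51.100.23: 11: disconnected by user
Apr 11 04:01:09 host sshd[4512]: Failed password for root from 203.0.113.7 port 51301 ssh2
"""
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BYE_RE = re.compile(r"^Received disconnect from (?P<ip>\S+): 11: Bye Bye\s*$")
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
FAIL = "Failed password"

def correlate(log_text):
    """Index sshd records by PID and by source IP around each 'Bye Bye' disconnect."""
    by_pid, by_ip, bye = defaultdict(list), defaultdict(list), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        by_pid[pid].append(msg)                 # "grep on the process ID"
        ip = IP_RE.search(msg)
        if ip:
            by_ip[ip["ip"]].append((pid, msg))  # "grep on the IP address"
        hit = BYE_RE.match(msg)
        if hit:
            bye[pid] = hit["ip"]
    report = {}
    for ip in sorted(set(bye.values())):
        bye_pids = sorted(p for p, addr in bye.items() if addr == ip)
        report[ip] = {
            "bye_pids": bye_pids,
            # Failed logins inside the sessions that ended with "Bye Bye".
            "failed_in_bye_sessions": sum(
                msg.startswith(FAIL) for p in bye_pids for msg in by_pid[p]),
            # The IP lookup also catches sessions that never logged the disconnect.
            "failed_total": sum(msg.startswith(FAIL) for _, msg in by_ip[ip]),
            "other_pids": sorted({p for p, _ in by_ip[ip]} - set(bye_pids)),
        }
    return report

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

PIDs are reused over time, so on a long-running log the PID lookup should be limited to records close in time to the disconnect line.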
 
LVL 9

Expert Comment

by:tl121000
ID: 24122351
If you do not have the rights to configure your FW, you can also configure the hosts.allow file to minimize these occurrences...
 
Please refer to these articles and threads to figure out the best way to resolve your problem (or at least minimize it).
http://closedsrc.org/_static/dn-articles/hosts_allow.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-May/122583.html
 
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24122384
really, it's just background noise - I did a bit of checking, and of the three scripts I could find that left this trace in the log, they did so by use of a freeware ssh library called "libssh" (logically enough) - for which this is the default disconnect string.

if you *really* want security from ssh, disallow password logins entirely and require use of a client rsa or dsa key to gain access.
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24125813
DaveHowe,
I agree with you about background noise, but if there is a particular IP address that is always attempting... why not block it out completely and minimize a potential hacking opportunity altogether.
T
 
0
 
LVL 19

Author Comment

by:jools
ID: 24126855
Thanks Dave,

So if the message is logged as bye bye I can almost guarantee it is a hack attempt by someone using a "haxxor script" rather than someone making a mistake and guessing the address wrong.

That's great.... I've been hit a lot by the ip address above which seems to belong to an educational establishment in Ohio USA. I may, if it continues, get in touch with their abuse account to see if they can have a word in the offender's shell-like or perhaps shut down the offending server if it's been compromised.

As I said before, I'm happy my setup is secure, I just wondered what generated the Bye Bye message in the logs.
0
 
LVL 19

Author Comment

by:jools
ID: 24126886
Dave,

You mentioned in http:#a24122384 you found three scripts, do you have the names, I'd like to do a bit more digging around.

I've been logging the connections using wireshark and netcat.

0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24127055
one was from 'haita team'  -  sshf.c - and another was sshbrute.c from 'lizard', but which credits haita team for some code. the third was a scanning module for metasploit, but as I say, the commonality is use of http://0xbadc0de.be/wiki/ (not to be confused with http://www.libssh2.org/ which has a similar name)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24127242
this would appear to be applicable too:
http://it.slashdot.org/article.pl?sid=09/04/12/2110257
0
 
LVL 19

Author Closing Comment

by:jools
ID: 31569157
Thanks Dave, all the comments have been most helpful
0
