Mailinglist Archive: opensuse-security (376 mails)
log of ssh attack
- From: Fabio De Francesco <fmdf@xxxxxxxxxx>
- Date: Mon, 10 Mar 2003 16:02:01 +0100
- Message-id: <200303101602.01904.fmdf@xxxxxxxxxx>
Can someone explain how I can block these attempts to negotiate an ssh session
from the outside of my LAN?
That is, I read "connection refused" in the following log (/var/log/messages),
but only from the second attempt. What can we say about the first one from
62.211.51.30? It seems to have been accepted because I don't read any
"connection refused".
In any case my firewall ACCEPTs these connections that I want to block.
Is "connection refused" the answer from TCPWrapper? And why just on the second
attempt?
I would like to append a rule in SuSE-Firewall2 to block these attempts.
I would appreciate any help, thank you.
Fabio De Francesco
Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC=
SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416
PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0
Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC=
SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846
DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Feb 22 20:33:02 myhost sshd[4686]: refused connect from
adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC=
SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854
DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Feb 22 20:33:07 myhost sshd[4687]: refused connect from
adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC=
SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872
DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Feb 22 20:33:12 myhost sshd[4688]: refused connect from
adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
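
An added example, not part of the original post: a small Python script that pairs each SuSE-FW-ACCEPT SYN to port 22 with the sshd "refused connect" entry that follows it, which makes visible that the SYN from 62.211.51.30 has no sshd entry at all. The 5-second pairing window and the year 2003 (taken from the mail's Date header, since syslog omits the year) are assumptions.

```python
import re
from datetime import datetime

# The post's log lines with the mail client's wrapping undone (one entry per line).
SAMPLE = """\
Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416 PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0
Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846 DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:02 myhost sshd[4686]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854 DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:07 myhost sshd[4687]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872 DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:12 myhost sshd[4688]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
"""

YEAR = "2003"  # assumption: syslog omits the year; taken from the mail's Date header
FW = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: SuSE-FW-ACCEPT "
                r".*?SRC=(\S+) .*?SPT=(\d+) DPT=22 .*\bSYN\b")
# "refused connect from" is what sshd logs when TCP Wrappers denies the client.
SSHD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                  r"refused connect from .*\(([\d.]+)\)\s*$")

def _ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(text, window=5):
    """Pair each firewall-accepted SYN to port 22 with an sshd refusal from the
    same address logged 0..window seconds later; report SYNs left unpaired."""
    syns, refusals = [], []
    for line in text.splitlines():
        if m := FW.match(line):
            syns.append((_ts(m[1]), m[2], int(m[3])))
        elif m := SSHD.match(line):
            refusals.append([_ts(m[1]), m[2], False])  # False = not yet paired
    report = []
    for when, src, sport in syns:
        verdict = "no sshd entry"
        for ref in refusals:
            delay = (ref[0] - when).total_seconds()
            if not ref[2] and ref[1] == src and 0 <= delay <= window:
                ref[2], verdict = True, "refused by sshd"
                break
        report.append((src, sport, verdict))
    return report

if __name__ == "__main__":
    for src, sport, verdict in correlate(SAMPLE):
        print(f"{src}:{sport:<6} {verdict}")
```

A "no sshd entry" result only says that sshd logged nothing for that SYN within the window; it does not by itself show that a session was established.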