Some machine scanned you for a well-known SSH bug. Probably his machine is infected, too, and he doesn't even know what his machine is doing.

Anyway, to secure your SSH the first question should be: Do you need it? If you do, can you specify certain fixed IPs or at least domains from which you'll need it? If so, go into your /etc/hosts.allow and add the line

sshd: .domain.de 192.168.0.

or whatever domains/netmasks you want there. Note this will only work if the OpenSSH has been compiled with --with-tcp-wrappers. Since we've compiled our own, I don't know if the SuSE one comes preconfigured with it, but I'd assume it does.

Next thing would be to change your /etc/hosts.deny to read:

ALL:ALL

This should be standard. No one should be allowed access to anything if you do not explicitly approve it via hosts.allow. Note that this affects each and every software running via inetd or with tcpwrappers. For example telnet (I hope you're not running it!), popper, timeserver, finger, etc. Most of them you can disable anyway.

What else can you do? Go into your sshd_config (not ssh_config! This would be the client!) and change the line

Protocol 2,1

to read

Protocol 2

You don't want your SSH daemon to fall back to SSH1 behaviour.

You might also want to set PermitRootLogin to No. There is no real reason to keep it on the default of "Yes". Why should you do this? A hacker now would have to break into another account before he has a chance to get root-access. He can't bruteforce your root-Account via SSH this way. Does it hurt you to do this? No. You can log in with your account and then switch to root. No big deal. :)

Now similar Log Entries will still show up (but including "Connection refused"). You won't have to worry about those.

Hope I didn't forget anything.

with kind regards,
Roman Doerr
Network Engineer
Tel. +49 30 767151-14
--
tro:net GmbH Berlin
Network & New Media Solutions
Raumerstr. 22
10437 Berlin
Tel. +49 30 767151-0
Fax +49 30 767151-13
Web www.tro.net

-----Original Message-----
From: Leo Rivas [mailto:leorivas@yahoo.com]
Sent: Wednesday, 30 January 2002 14:40
To: Suse Security
Subject: [suse-security] What should i expect from this messages?

Hi all

This is the first time I put a suse server to the internet and it is beginning to scare me the lot of logs and http requests (being not a public server), from unknown ip's. Following an advice from John Andersen (thanks!), I have updated ssh to OpenSSH_2.9.9p2 (downloaded the rpm from the ftp update for suse 7.2), then, but still have many logs like this:

Jan 30 03:46:54 linux sshd[24339]: Did not receive identification string from ::ffff:200.68.47.114.
Jan 30 04:22:22 linux sshd[24400]: Bad protocol version identification '.' from ::ffff:200.68.47.114

It is obvious that someone scanned the net and found my ssh running, and is trying something. Obviously he has taken note of my ip and may try and try to hack me, isn't he?

How do I secure this? ssh is on its defaults yet cause I don't understand many of the options in /etc/ssh/ssh.conf and I'm afraid 'he' may find a hole in there. I have read some docs, but found more about login methods than securing the server itself. Give me clues, please.

Thanks in advance
Leo

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
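The reply's three steps (restrict sshd in hosts.allow, default-deny in hosts.deny, drop SSH1 and root logins in sshd_config) can be checked mechanically before restarting the daemon. The script below is an added example written for this archive, not code from either poster or from OpenSSH/tcp_wrappers: it parses constructed sample copies of sshd_config, hosts.allow and hosts.deny, reports which of the recommended settings are still missing, and re-implements a simplified version of the hosts.allow-then-hosts.deny decision so you can see why `ALL: ALL` in hosts.deny is what turns the scanner's connection into a "Connection refused". The `.domain.de` name and the `gw.domain.de` host are placeholders; the scanner address is the one from the quoted log lines, with its IPv4-mapped `::ffff:` prefix stripped the way a log parser would.

```python
"""Added example (not from the mailing-list thread): audit the SSH hardening
steps recommended in the reply against sample config text. The sample files
are constructed here; the client matching is a simplified re-implementation
of tcp_wrappers' daemon:client rules, not libwrap itself."""
import re

# Constructed sample sshd_config fragments: before and after the advice.
SSHD_CONFIG_BEFORE = """
# constructed sample with the defaults the reply talks about
Port 22
Protocol 2,1
PermitRootLogin yes
"""
SSHD_CONFIG_AFTER = """
Port 22
Protocol 2
PermitRootLogin no
"""
# Constructed tcp_wrappers files; ".domain.de" is a placeholder domain.
HOSTS_ALLOW = "sshd: .domain.de 192.168.0.\n"
HOSTS_DENY_EMPTY = ""          # default: nothing denied
HOSTS_DENY = "ALL: ALL\n"      # the reply's recommended default-deny


def parse_sshd_config(text):
    """Return {keyword: value} for non-comment lines, keywords lower-cased."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip()
    return opts


def audit_sshd_config(text):
    """List the weaknesses the reply points out; an empty list means hardened.
    Missing keywords are treated as the 2002-era defaults (Protocol 2,1 and
    PermitRootLogin yes), which is an assumption about that release."""
    opts = parse_sshd_config(text)
    findings = []
    protocols = opts.get("protocol", "2,1").replace(" ", "").split(",")
    if "1" in protocols:
        findings.append("Protocol allows fallback to SSH1; set 'Protocol 2'")
    if opts.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'; root can be attacked directly")
    return findings


def _parse_wrappers(text):
    """Yield (daemon tokens, client tokens) per rule line of hosts.allow/deny."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield daemons.split(), clients.split()


def _client_matches(pattern, host, ip):
    """Simplified client matching: ALL, leading-dot domain suffix,
    trailing-dot network prefix, or an exact host name / IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern in (host, ip)


def wrappers_decision(daemon, host, ip, hosts_allow, hosts_deny):
    """'allow' or 'deny', in tcp_wrappers order: a hosts.allow match wins,
    then a hosts.deny match denies, otherwise access is allowed."""
    for daemons, clients in _parse_wrappers(hosts_allow):
        if ("ALL" in daemons or daemon in daemons) and \
                any(_client_matches(p, host, ip) for p in clients):
            return "allow"
    for daemons, clients in _parse_wrappers(hosts_deny):
        if ("ALL" in daemons or daemon in daemons) and \
                any(_client_matches(p, host, ip) for p in clients):
            return "deny"
    return "allow"


def strip_v4_mapped(addr):
    """'::ffff:200.68.47.114' as logged by sshd -> '200.68.47.114'."""
    return re.sub(r"^::ffff:", "", addr)


if __name__ == "__main__":
    print(audit_sshd_config(SSHD_CONFIG_BEFORE))   # two findings
    print(audit_sshd_config(SSHD_CONFIG_AFTER))    # []
    scanner = strip_v4_mapped("::ffff:200.68.47.114")
    # Without ALL: ALL in hosts.deny the unknown host still gets through.
    print(wrappers_decision("sshd", None, scanner, HOSTS_ALLOW, HOSTS_DENY_EMPTY))
    # With it, only the listed domain / network reach sshd.
    print(wrappers_decision("sshd", None, scanner, HOSTS_ALLOW, HOSTS_DENY))
    print(wrappers_decision("sshd", "gw.domain.de", "10.9.8.7", HOSTS_ALLOW, HOSTS_DENY))
```

The decision function makes the point the reply glosses over: with an empty hosts.deny, an entry in hosts.allow changes nothing for hosts that do not match it, because tcp_wrappers allows by default. Only the `ALL: ALL` deny rule turns the allow list into a real whitelist, and as the reply notes, it does so for every other wrapped service at the same time.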