On 3/3/21 8:42 AM, Carlos E. R. wrote:
On Wednesday, 2021-03-03 at 08:04 -0800, Lew Wolfgang wrote:
On 3/3/21 3:52 AM, Carlos E. R. wrote:
Mitigations for the future:
- Don't open ssh port 22, use a high port on a strange number (not 50000, for instance).
Changing ports might help a bit, but dedicated hackers can discover moved ports easily.
Absolutely. It is only a matter of time. They have not found mine... :-)
How are you so sure? Maybe they're using an nmap "stealth" scan and know about your open ports? Maybe they just haven't tried to connect yet?
Because an ssh attempt is logged.
grep shd /var/log/messages*z | grep port | egrep -v "192.168" | less
But nmap stealth scans don't leave log entries. I'm sure that someone has swept all your ports without you knowing about it.
The only strange entries are some like this:
<4.6> 2020-03-21T17:05:21.639712+01:00 Isengard sshd 25854 - - Bad protocol version identification '\003' from 194.61.26.163 port 1145
<4.6> 2020-04-07T14:35:53.062798+02:00 Isengard sshd 31626 - - Bad protocol version identification '\003' from 80.89.234.58 port 913
I have no idea what that is.
These are the last:
<4.6> 2021-01-02T02:58:24.470179+01:00 Isengard sshd 6839 - - Did not receive identification string from 194.36.85.126 port 12770
<4.6> 2021-01-05T19:19:46.729422+01:00 Isengard sshd 14602 - - Bad protocol version identification '\003' from 89.248.165.25 port 63861
(all are from Europe, not China ;-) )
Well, that you have any entries at all from sshd means that something is poking at the port it's listening on, right? Maybe these are shodan scans?

Another thing you might be able to do is use the "AllowUsers" parameter in /etc/ssh/sshd_config. Any login attempts to users not listed are rejected by sshd. You can even list an IP address, as in "wolfgang@w.x.t.z", or even "wolfgang@w.x.y.0/24" as examples.

I just checked and I've got 942 entries like the following in the past four days, most from different IPs.

"sshd[6236]: User root from 220.248.95.178 not allowed because not listed in AllowUsers"

This was from China, btw.

Regards,
Lew
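A per-source summary of the kind of sshd entries discussed above (protocol probes, missing identification strings, AllowUsers rejections), as an added example that is not from anyone in the thread. The log lines are constructed in the same syslog format the thread shows, using documentation (TEST-NET) addresses rather than real hosts; the LAN exclusion mirrors the `192.168` filter from the grep pipeline above.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises sshd probe and rejection
# entries per remote address so that repeat offenders stand out.

# Constructed sample log in the thread's syslog-ng format. Addresses are from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 (not real hosts).
sample_log() {
cat <<'EOF'
<4.6> 2021-01-02T02:58:24.470179+01:00 Isengard sshd 6839 - - Did not receive identification string from 203.0.113.10 port 12770
<4.6> 2021-01-05T19:19:46.729422+01:00 Isengard sshd 14602 - - Bad protocol version identification '\003' from 198.51.100.7 port 63861
<4.6> 2021-01-05T19:20:01.000000+01:00 Isengard sshd 14610 - - User root from 198.51.100.7 not allowed because not listed in AllowUsers
<4.6> 2021-01-05T19:21:00.000000+01:00 Isengard sshd 14620 - - Accepted publickey for carlos from 192.168.1.5 port 50122 ssh2
<4.6> 2021-01-05T19:22:00.000000+01:00 Isengard cron 100 - - unrelated daemon line
EOF
}

# Reads log text on stdin and prints "<count> <ip>", most frequent first, for
# every remote address that sshd refused or that only probed the port.
# Successful logins and the local 192.168.x.x LAN are left out.
sshd_probe_summary() {
    grep ' sshd ' \
    | grep -E 'Bad protocol version|Did not receive identification|not allowed because not listed in AllowUsers' \
    | grep -v '192\.168\.' \
    | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed sample; on a real host replace
# sample_log with e.g.: zcat -f /var/log/messages* | sshd_probe_summary
sample_log | sshd_probe_summary
```

The same pipeline runs against `journalctl -u sshd --no-pager` output, since it keys only on the message text after the daemon name.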