On Wednesday, 2021-03-03 at 08:04 -0800, Lew Wolfgang wrote:
On 3/3/21 3:52 AM, Carlos E. R. wrote:
Mitigations for the future:
- Don't open ssh port 22, use a high port on a strange number (not 50000, for instance).
Changing ports might help a bit, but dedicated hackers can discover moved ports easily.
Absolutely. It is only a matter of time.
They have not found mine... :-)
How are you so sure? Maybe they're using an nmap "stealth" scan and know about your open ports? Maybe they just haven't tried to connect yet?
Because an ssh attempt is logged.

    grep shd /var/log/messages*z | grep port | egrep -v "192.168" | less

The only strange entries are some like this:

    <4.6> 2020-03-07T09:39:57.547577+01:00 Isengard sshd 6958 - - Bad protocol version identification '\003' from 45.148.121.4 port 63970
    <4.6> 2020-03-07T11:48:20.709325+01:00 Isengard sshd 10492 - - Bad protocol version identification '\003' from 45.148.121.4 port 63187
    <4.6> 2020-03-07T15:21:02.069546+01:00 Isengard sshd 16327 - - Bad protocol version identification '\003' from 195.54.166.115 port 63442
    <4.6> 2020-03-07T15:36:13.889905+01:00 Isengard sshd 16744 - - Bad protocol version identification '\003' from 195.54.166.115 port 62613
    <4.6> 2020-03-07T15:49:21.625882+01:00 Isengard sshd 17100 - - Bad protocol version identification '\003' from 195.54.166.115 port 63678
    <4.6> 2020-03-21T17:05:21.639712+01:00 Isengard sshd 25854 - - Bad protocol version identification '\003' from 194.61.26.163 port 1145
    <4.6> 2020-04-07T14:35:53.062798+02:00 Isengard sshd 31626 - - Bad protocol version identification '\003' from 80.89.234.58 port 913

I have no idea what that is. These are the last:

    <4.6> 2021-01-02T02:58:24.470179+01:00 Isengard sshd 6839 - - Did not receive identification string from 194.36.85.126 port 12770
    <4.6> 2021-01-05T19:19:46.729422+01:00 Isengard sshd 14602 - - Bad protocol version identification '\003' from 89.248.165.25 port 63861

(all are from Europe, not China ;-) )

-- 
Cheers,
       Carlos E. R.
       (from openSUSE 15.2 x86_64 at Telcontar)
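Added example, not part of the original message: one way to turn the log check above into a per-source summary, parsing the peer address field rather than matching the string 192.168 anywhere in the line. The function names, the sample lines (RFC 5737 documentation addresses, constructed) and the assumed field layout (priority, timestamp, host, program, pid) are assumptions based on the log format quoted in the post.

```shell
#!/bin/sh
# Added example. Constructed input in the syslog layout quoted in the post:
# RFC 5737 documentation addresses plus one LAN host, not real observations.
sample_log() {
cat <<'EOF'
<4.6> 2020-03-07T09:39:57.547577+01:00 gw sshd 6958 - - Bad protocol version identification '\003' from 203.0.113.4 port 63970
<4.6> 2020-03-07T11:48:20.709325+01:00 gw sshd 10492 - - Bad protocol version identification '\003' from 203.0.113.4 port 63187
<4.6> 2020-03-08T10:01:02.000001+01:00 gw sshd 1920168 - - Did not receive identification string from 198.51.100.7 port 12770
<4.6> 2020-03-08T10:05:00.000002+01:00 gw sshd 7001 - - Accepted publickey for user from 192.168.1.20 port 50022 ssh2
<4.6> 2020-03-08T10:06:00.000003+01:00 gw cron 7002 - - job from 203.0.113.9 port 1 (not an sshd line)
EOF
}

# Reads syslog lines on stdin; prints "ip count first_seen last_seen kinds"
# for every sshd line whose peer address is not private or loopback.
summarize_external_sshd() {
    awk '
    $4 == "sshd" {                        # assumed layout: prio, time, host, program, pid
        ip = ""
        for (i = 5; i < NF - 1; i++)      # locate "from <ip> port <n>"
            if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(ip, o, ".")
        if (o[1] == 10 || o[1] == 127 || (o[1] == 192 && o[2] == 168) ||
            (o[1] == 172 && o[2] >= 16 && o[2] <= 31)) next
        kind = "other"
        if ($0 ~ /Bad protocol version identification/) kind = "bad-banner"
        else if ($0 ~ /Did not receive identification string/) kind = "no-banner"
        if (!(ip in n)) { first[ip] = $2; kinds[ip] = kind }
        else if (index("," kinds[ip] ",", "," kind ",") == 0) kinds[ip] = kinds[ip] "," kind
        n[ip]++; last[ip] = $2
    }
    END { for (ip in n) print ip, n[ip], first[ip], last[ip], kinds[ip] }
    ' | LC_ALL=C sort
}

sample_log | summarize_external_sshd
```

The third sample line has pid 1920168, which a line-wide filter on the pattern "192.168" would drop because the dot matches any character; the octet test keeps it and still excludes the LAN login.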