On 01/05/2018 09:50 AM, gumb wrote:
ssh newbie question:
I only know the very basics of ssh (and next to nothing useful of Linux security). When I access a remote openSUSE machine using a private key previously exchanged, as opposed to a basic password (note: the remote PC has a very 'standard' configuration and its firewall is activated), I usually check the system log in YaST and apply a filter 'ssh' starting from my previous date of access.
On this occasion I see something alien in the log. It appears to be just a failed attempt at unauthorized access. There are two entries from two separate dates. Example:
kernel │SFW2-INext-ACC-TCP IN=eth0 OUT= MAC={big-long-mac-address} SRC=5.8.18.70 DST=192.168.1.64 LEN=52 TOS=0x02
sshd[4243] │Bad protocol version identification '\003' from 5.8.18.70 port 526
I did a search for this IP address and see this page: https://www.abuseipdb.com/check/5.8.18.70 which has several recent abuse reports.
Without getting into complex nerdy affairs, what should my next simple step be? I assume I should only be concerned if I see a line suggesting a new ssh session was opened by somebody other than me? Or is there anything else I should keep a lookout for in future?
gumb
If you see a line suggesting a new/unknown ssh connection was opened, you should be concerned. But so far you've posted nothing that suggests that has happened. Yes, something tried to connect, but it did not succeed. Script-kiddies gonna script!!

You can prevent them from filling your logs by moving your ssh port to some unusual port. It's no more secure, just fewer attempts for your sshd to fend off (because script kiddies seldom scan oddball port numbers like 38749 or some such). And it's wise to only allow private key as you currently do. You've already taken the best step.

--
After all is said and done, more is said than done.
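The reply above draws the line that matters: a probe or a rejected login is noise, an "Accepted ..." line from sshd is a session that actually opened. Note also that the SFW2-INext-ACC-TCP line in the poster's log is only SuSEfirewall2 recording that it let a TCP packet through to the listening port, which is normal for any server that accepts ssh at all; the sshd line next to it is what tells you whether anything happened after the connection. The script below is an added example (not from the original thread or from openSUSE) that applies that rule to sshd log lines. The sample log, the trusted source address 192.168.1.10 and the address 203.0.113.45 are constructed for illustration; only the first line mimics the poster's entry.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of openSUSE/journald sshd messages.
# They are NOT from the original post; the first line mimics the poster's entry.
SAMPLE_LOG = """\
Jan 04 22:13:07 host sshd[4243]: Bad protocol version identification '\\003' from 5.8.18.70 port 526
Jan 04 22:13:09 host sshd[4250]: Did not receive identification string from 5.8.18.70 port 40122
Jan 05 08:02:11 host sshd[4301]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 05 08:02:14 host sshd[4301]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 05 09:41:30 host sshd[4388]: Accepted publickey for gumb from 192.168.1.10 port 55012 ssh2: RSA SHA256:c0ffee
Jan 05 09:55:02 host sshd[4402]: Accepted password for gumb from 203.0.113.45 port 51100 ssh2
Jan 05 09:55:03 host sshd[4402]: pam_unix(sshd:session): session opened for user gumb by (uid=0)
"""

# A login that actually succeeded: method (publickey/password/...), user, source, port.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
# A rejected authentication attempt; "invalid user" means the account does not even exist.
FAILED = re.compile(r"sshd\[\d+\]: Failed (\w+) for (invalid user )?(\S+) from (\S+) port (\d+)")
# Connections that never got as far as authentication (scanners, non-SSH clients).
PROBE = re.compile(
    r"sshd\[\d+\]: (Bad protocol version identification|Did not receive identification string)"
    r".* from (\S+) port (\d+)"
)


def parse_events(log_text):
    """Turn raw sshd log lines into a list of event dicts; unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            events.append({"kind": "accepted", "method": m.group(1), "user": m.group(2),
                           "src": m.group(3), "port": int(m.group(4))})
            continue
        m = FAILED.search(line)
        if m:
            events.append({"kind": "failed", "method": m.group(1),
                           "invalid_user": m.group(2) is not None, "user": m.group(3),
                           "src": m.group(4), "port": int(m.group(5))})
            continue
        m = PROBE.search(line)
        if m:
            events.append({"kind": "probe", "reason": m.group(1),
                           "src": m.group(2), "port": int(m.group(3))})
    return events


def triage(events, trusted_sources, expected_users):
    """Split events into alerts (a session opened that you did not expect),
    ok logins, and a per-source count of failures and probes (noise)."""
    report = {"alerts": [], "ok": [], "noise": Counter()}
    for ev in events:
        if ev["kind"] != "accepted":
            # Failures and probes never opened a session; just count who is hammering you.
            report["noise"][ev["src"]] += 1
            continue
        reasons = []
        if ev["method"] != "publickey":
            reasons.append(f"authenticated with {ev['method']}, not a key")
        if ev["src"] not in trusted_sources:
            reasons.append(f"source {ev['src']} is not one of your hosts")
        if ev["user"] not in expected_users:
            reasons.append(f"unexpected account {ev['user']}")
        (report["alerts"] if reasons else report["ok"]).append({**ev, "reasons": reasons})
    return report


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_LOG),
                 trusted_sources={"192.168.1.10"}, expected_users={"gumb"})
    for a in rep["alerts"]:
        print("ALERT:", a["user"], "from", a["src"], "->", "; ".join(a["reasons"]))
    for src, n in rep["noise"].most_common():
        print(f"noise: {n} failed/probe connections from {src}")
```

On a real host you would feed it the output of `journalctl -u sshd --since "2018-01-04"` (or the YaST log view filtered on ssh) instead of SAMPLE_LOG, and put your own workstation address in trusted_sources. The one alert the sample produces is the password login for gumb from an unknown address: that is exactly the kind of line the reply says to worry about, and it also shows why leaving password authentication enabled undermines the "key only" step the poster already took.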