On 2/6/06, Steven T. Hatton <hattons@globalsymmetry.com> wrote:
I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.
#netstat | grep ssh
tcp        0      0 myserver.mydomain:ssh   mybox.mydomain:57817    ESTABLISHED
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38628   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37353   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38442   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38990   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38257   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37178   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37533   TIME_WAIT
A scenario where I've seen this is the so-called "crc32 compensation" attack (which is quite old) where the attacker tries to exploit an integer overflow. I suppose you're running an OpenSSH server or some commercial stuff like the one from SSH Communications Security. Only servers still running protocol version 1 are vulnerable. No need to panic if you're running version 2. Just update your iptables to block suspicious IPs.

\Steve

--
Steve Graegert <graegerts@gmail.com>
Software Consultant {C/C++ && Java && .NET}
Office: +49 9131 7123988
Mobile: +49 1520 9289212
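The blocking step the reply recommends, as an added example that is not part of either message: a small POSIX shell script that counts remote peers in a netstat listing of the shape posted above (the sample below is constructed to mirror it, not captured from anyone's box), flags any peer at or over a threshold, and prints the iptables rules an admin would then apply. The rules are printed rather than executed; applying them needs root, and the port (22), the threshold (3) and the rate-limit window (4 new connections per 60 s) are assumptions.

```shell
#!/bin/sh
# Added example: find remote peers hammering the SSH port in a netstat
# listing and print the iptables rules that would block them.
# NETSTAT_SAMPLE is constructed to mirror the shape of the posted output.
NETSTAT_SAMPLE='tcp        0      0 myserver.mydomain:ssh   mybox.mydomain:57817    ESTABLISHED
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38628   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37353   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38442   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38990   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:38257   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37178   TIME_WAIT
tcp        0      0 myserver.mydomain:ssh   211.146.113.178:37533   TIME_WAIT'

# count_ssh_peers: read netstat lines on stdin and print "count peer" for
# every remote address that connected to the local :ssh socket, busiest
# first. Field 4 is the local address, field 5 the foreign host:port; the
# trailing ":port" is stripped so each source port counts for the same host.
count_ssh_peers() {
    awk '$4 ~ /:ssh$/ { host = $5; sub(/:[^:]*$/, "", host); peers[host]++ }
         END { for (p in peers) print peers[p], p }' | sort -rn
}

# suspicious_peers THRESHOLD: peers with at least THRESHOLD entries.
# One legitimate session leaves a single ESTABLISHED row; a pile of
# TIME_WAIT rows from one source means repeated connect/disconnect, which
# is what a scanner or password-guessing loop looks like from the server.
suspicious_peers() {
    count_ssh_peers | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules THRESHOLD: print (do not run) one DROP rule per suspicious
# peer. Port 22 is assumed; run the output as root after reviewing it.
block_rules() {
    suspicious_peers "$1" | while read -r peer; do
        printf 'iptables -I INPUT -p tcp --dport 22 -s %s -j DROP\n' "$peer"
    done
}

# ratelimit_rules: print rules using the iptables "recent" match so that a
# source opening a 4th new SSH connection inside 60 s is dropped. Unlike a
# per-IP DROP, this also covers addresses you have not seen yet.
ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
EOF
}

# Demonstration on the constructed sample: a threshold of 3 singles out the
# peer with seven TIME_WAIT rows and leaves the one established session alone.
printf '%s\n' "$NETSTAT_SAMPLE" | block_rules 3
ratelimit_rules
```

On a real host feed it `netstat -n` output so the addresses are numeric (iptables will resolve a hostname once at rule-insertion time, which is not what you want for a peer that may change address). A per-IP DROP is whack-a-mole against a scanner that moves on to the next source; the `recent`-based rate limit is the rule that keeps paying off.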