On 2/6/06, Steven T. Hatton
I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.
#netstat | grep ssh
tcp 0 0 myserver.mydomain:ssh mybox.mydomain:57817 ESTABLISHED
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38628 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37353 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38442 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38990 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38257 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37178 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37533 TIME_WAIT
A scenario where I've seen this is the so-called "crc32 compensation"
attack (which is quite old) where the attacker tries to exploit an
integer overflow. I suppose you're running an OpenSSH server or some
commercial stuff like the one from SSH Communications Security. Only
servers still running protocol version 1 are vulnerable. No need to
panic if you're running version 2. Just update your iptables to block
suspicious IPs.
\Steve
--
Steve Graegert
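Added example, not from either poster: a POSIX shell script that counts, per remote address, the connections to the ssh port in netstat-style output like the one quoted above and prints candidate iptables DROP rules for addresses at or above a threshold, without applying anything. The sample lines are constructed from the output quoted in the question; the function names, the threshold of 5 and the rule format are my assumptions, and hostnames (as opposed to numeric IPv4 addresses) are deliberately skipped so that a local box is never turned into a rule by accident.

```shell
#!/bin/sh
# Added example (not from the thread): count ssh connections per remote
# address in netstat output and print candidate iptables DROP rules for
# addresses above a threshold. Nothing is applied; review before use.

# Constructed sample modelled on the netstat lines quoted in the thread.
SAMPLE_NETSTAT='tcp 0 0 myserver.mydomain:ssh mybox.mydomain:57817 ESTABLISHED
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38628 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37353 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38442 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38990 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:38257 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37178 TIME_WAIT
tcp 0 0 myserver.mydomain:ssh 211.146.113.178:37533 TIME_WAIT'

# stdin: netstat lines; stdout: "<count> <remote-host>", highest count first.
# Only lines whose local address (field 4) ends in ":ssh" are counted; the
# remote port is stripped from field 5 so each peer is counted once per line.
ssh_peer_counts() {
    awk '$4 ~ /:ssh$/ { host = $5; sub(/:[^:]*$/, "", host); n[host]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# $1: threshold; stdin: netstat lines; prints remote hosts at or above it.
suspicious_peers() {
    ssh_peer_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# $1: threshold; prints one candidate DROP rule per suspicious numeric IPv4
# address. Hostnames are skipped: resolved names are not safe rule input.
iptables_rules_for() {
    suspicious_peers "$1" | while read -r host; do
        case "$host" in
            *[!0-9.]*) ;;   # contains something other than digits and dots
            *) printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$host" ;;
        esac
    done
}

# Demo against the constructed sample (hypothetical flag):
#   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | iptables_rules_for 5
fi
```

Against the sample, the only address at or above the threshold is 211.146.113.178 (seven TIME_WAIT entries), so one rule is printed. To use it on a live box, pipe `netstat -tn` into `iptables_rules_for 5` and read the proposed rules before running any of them; a DROP on port 22 locks out the address for every protocol version, so the threshold should be high enough that a legitimate user reconnecting a few times is not caught.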