Multiple high port ssh connections from strange host?
I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.

#netstat | grep ssh
tcp   0   0 myserver.mydomain:ssh   mybox.mydomain:57817     ESTABLISHED
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38628    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37353    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38442    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38990    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38257    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37178    TIME_WAIT
tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37533    TIME_WAIT
Steven T. Hatton wrote:
> I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.
This has been discussed in the past - I've seen several different solutions such as:

1) banning attackers by IP-address after a sufficient number of failed login attempts. Essentially scanning /var/log/messages and doing iptables updates (or hosts.deny updates).

2) having iptables do some magic to count the number of connects, and disallowing after a threshold is reached.

/Per Jessen, Zürich

--
http://www.spamchek.com/ - managed anti-spam and anti-virus solution.
Let us analyse your spam- and virus-threat - up to 2 months for free.
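A small worked version of the first approach Per describes (scan the log for failed sshd logins, count per source address, then ban by iptables or hosts.deny). This is an added example, not a script from anyone in the thread. The log lines are constructed to mirror the netstat output in the original post; on a real host you would feed /var/log/messages or /var/log/auth.log instead of the embedded sample. The ban actions are printed rather than executed so they can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" lines per source IP and emit the
# ban actions (iptables DROP rule, hosts.deny entry) for addresses over a
# threshold. Nothing is executed against the system; actions are only printed.

# Constructed sample log (stand-in for /var/log/messages): one address
# hammering sshd with guessed accounts, one legitimate user who mistyped once.
SAMPLE_LOG='Feb  6 10:20:01 myserver sshd[4120]: Failed password for root from 211.146.113.178 port 38628 ssh2
Feb  6 10:20:03 myserver sshd[4121]: Failed password for invalid user admin from 211.146.113.178 port 37353 ssh2
Feb  6 10:20:05 myserver sshd[4122]: Failed password for invalid user test from 211.146.113.178 port 38442 ssh2
Feb  6 10:20:07 myserver sshd[4123]: Failed password for root from 211.146.113.178 port 38990 ssh2
Feb  6 10:20:09 myserver sshd[4124]: Failed password for invalid user oracle from 211.146.113.178 port 38257 ssh2
Feb  6 10:21:30 myserver sshd[4130]: Failed password for steven from 192.168.1.20 port 57817 ssh2
Feb  6 10:21:35 myserver sshd[4130]: Accepted publickey for steven from 192.168.1.20 port 57817 ssh2'

# Failures from one address before it is treated as an attacker (assumed value).
THRESHOLD=${THRESHOLD:-5}

# failures_per_ip: print "<count> <ip>" for every source that failed at least once.
# Only "Failed password" lines are matched; "Accepted" lines are ignored.
failures_per_ip() {
  printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/^.* sshd\[[0-9]*]: Failed password for .* from \([0-9][0-9.]*\) port [0-9]*.*$/\1/p' \
    | sort | uniq -c \
    | awk '{ print $1, $2 }'
}

# offenders: addresses whose failure count reached THRESHOLD.
offenders() {
  failures_per_ip | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# ban_actions: the commands an operator would run for each offender.
# Printed, not executed, so the list can be checked first.
ban_actions() {
  offenders | while read -r ip; do
    echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    echo "echo 'sshd: $ip' >> /etc/hosts.deny"
  done
}

ban_actions
```

With the sample above only 211.146.113.178 crosses the threshold; the single failure from 192.168.1.20 is left alone, which is the property to check before pointing such a script at a live log (a legitimate user who fat-fingers a password must not lock themselves out). Per's second approach, counting connects inside iptables, is the job of the `recent` match (`-m recent --set` on new connections to port 22, then `-m recent --update --seconds ... --hitcount ...` to drop repeat offenders) and needs no log parsing at all.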
On 2/6/06, Steven T. Hatton <hattons@globalsymmetry.com> wrote:
> I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.
>
> #netstat | grep ssh
> tcp   0   0 myserver.mydomain:ssh   mybox.mydomain:57817     ESTABLISHED
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38628    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37353    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38442    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38990    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:38257    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37178    TIME_WAIT
> tcp   0   0 myserver.mydomain:ssh   211.146.113.178:37533    TIME_WAIT
A scenario where I've seen this is the so-called "crc32 compensation" attack (which is quite old) where the attacker tries to exploit an integer overflow. I suppose you're running an OpenSSH server or some commercial stuff like the one from SSH Communications Security. Only servers still running protocol version 1 are vulnerable. No need to panic if you're running version 2. Just update your iptables to block suspicious IPs.

\Steve

--
Steve Graegert <graegerts@gmail.com>
Software Consultant {C/C++ && Java && .NET}
Office: +49 9131 7123988
Mobile: +49 1520 9289212
On Monday 06 February 2006 10:22, Steven T. Hatton wrote:
> I believe this indicates someone is trying to break into my system. Is there a way to deal with this kind of attack? Other than turning off ssh, that is.