Mailinglist Archive: opensuse-security (757 mails)

AW: [suse-security] What should i expect from this messages?
  • From: "Roman Doerr" <rdo@xxxxxxx>
  • Date: Wed, 30 Jan 2002 14:05:14 +0100
  • Message-id: <HLEAIMMJIOFPMBCKDNPMCEFGCJAA.rdo@xxxxxxx>
Some machine scanned you for a well-known SSH bug.
Probably his machine is infected too, and he doesn't
even know what his machine is doing.

Anyway, to secure your SSH the first question should be:
Do you need it? If you do, can you specify certain fixed
IPs or at least domains from which you'll need it?
If so, go into your /etc/hosts.allow and add the line
sshd: .domain.de 192.168.0.
or whatever domains/netmasks you want there.

Note this will only work if the OpenSSH has been compiled
with-tcp-wrappers. Since we've compiled our own, I don't
know if the SuSE one comes preconfigured with it, but I'd
assume it does.

Next thing would be to change your /etc/hosts.deny to read:
ALL:ALL
This should be standard. No one should be allowed access to
anything if you do not explicitly approve it via hosts.allow.
Note that this affects each and every software running via
inetd or with tcpwrappers. For example telnet (I hope you're
not running it!), popper, timeserver, finger, etc.
Most of them you can disable anyway.

What else can you do?
Go into your sshd_config (not ssh_config! This would be the
client!) and change the line Protocol 2,1 to read Protocol 2.
You don't want your SSH daemon to fall back to SSH1 behaviour.

You might also want to set PermitRootLogin to No.
There is no real reason to keep it on the default of "Yes".
Why should you do this?
A hacker now would have to break into another account before
he has a chance to get root-access. He can't bruteforce your
root-Account via SSH this way.
Does it hurt you to do this?
No. You can log in with your account and then switch to root.
No big deal. :)

Now similar Log Entries will still show up (but including
"Connection refused"). You won't have to worry about those.

Hope I didn't forget anything.

with kind regards,

Roman Doerr
Network Engineer

Tel. +49 30 767151-14
--
tro:net GmbH Berlin
Network & New Media Solutions
Raumerstr. 22
10437 Berlin
Tel. +49 30 767151-0
Fax +49 30 767151-13
Web www.tro.net
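As an added example, not part of Roman's post or of the SuSE packages: a small sh audit for the four settings recommended above (hosts.deny ALL:ALL, an sshd: line in hosts.allow, Protocol 2 and PermitRootLogin no), run here against constructed copies of the files. The real files are /etc/hosts.deny, /etc/hosts.allow and /etc/ssh/sshd_config; the domain and network in the sample hosts.allow are the ones from the mail.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit the hardening steps
# above. File paths are arguments so it runs against constructed copies; on
# a real box pass /etc/hosts.deny /etc/hosts.allow /etc/ssh/sshd_config.

# First effective value of an sshd_config keyword: sshd uses the first match,
# keywords are case-insensitive, comment lines are skipped. Empty if unset.
sshd_option() {
    awk -v key="$2" '/^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Arguments: hosts.deny hosts.allow sshd_config. Each finding goes to stderr;
# stdout gets the number of findings (0 = all four checks pass).
audit_ssh_access() {
    deny=$1 allow=$2 cfg=$3 n=0
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$deny" \
        || { echo "$deny: no ALL:ALL default-deny line" >&2; n=$((n+1)); }
    grep -Eq '^[[:space:]]*sshd[[:space:]]*:' "$allow" \
        || { echo "$allow: no sshd: line (a wrapped sshd would then refuse everyone)" >&2; n=$((n+1)); }
    [ "$(sshd_option "$cfg" Protocol)" = 2 ] \
        || { echo "$cfg: Protocol must be exactly 2, no SSH1 fallback" >&2; n=$((n+1)); }
    root=$(sshd_option "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = no ] \
        || { echo "$cfg: PermitRootLogin is '${root:-unset, i.e. yes}', want no" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed sample files in $1: "weak" mimics shipped defaults (Protocol 2,1,
# root login allowed, empty wrapper files); "hardened" applies the mail's advice.
write_samples() {
    dir=$1
    if [ "$2" = weak ]; then
        : > "$dir/hosts.deny"
        : > "$dir/hosts.allow"
        printf '# Protocol 2,1\nProtocol 2,1\nPermitRootLogin yes\n' > "$dir/sshd_config"
    else
        echo 'ALL:ALL' > "$dir/hosts.deny"
        echo 'sshd: .domain.de 192.168.0.' > "$dir/hosts.allow"
        printf 'Protocol 2\nPermitRootLogin no\n' > "$dir/sshd_config"
    fi
}

SAMPLES=$(mktemp -d)
for kind in weak hardened; do
    write_samples "$SAMPLES" "$kind"
    echo "$kind: $(audit_ssh_access "$SAMPLES/hosts.deny" "$SAMPLES/hosts.allow" "$SAMPLES/sshd_config") finding(s)"
done
rm -r "$SAMPLES"
```

Whether the installed sshd honours hosts.allow at all (Roman's tcp-wrappers caveat) can be seen with `ldd "$(command -v sshd)" | grep libwrap`; the script cannot check that for you.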

-----Original Message-----
From: Leo Rivas [mailto:leorivas@xxxxxxxxx]
Sent: Wednesday, 30 January 2002 14:40
To: Suse Security
Subject: [suse-security] What should i expect from this messages?


Hi all
This is the first time I put a SuSE server on the internet and it is
beginning to scare me, the lot of logs and http requests (being not a
public server) from unknown IPs. Following advice from John
Andersen (thanks!), I have updated ssh to OpenSSH_2.9.9p2 (downloaded
the rpm from the ftp update for SuSE 7.2), but still have many
logs like this:

Jan 30 03:46:54 linux sshd[24339]: Did not receive identification string from ::ffff:200.68.47.114.

Jan 30 04:22:22 linux sshd[24400]: Bad protocol version identification '.' from ::ffff:200.68.47.114

It is obvious that someone scanned the net and found my ssh running, and
is trying something. Obviously he has taken note of my IP and may try and
try to hack me, isn't he?

How do I secure this? ssh is on its defaults yet, because I don't
understand many of the options in /etc/ssh/ssh.conf and I'm afraid 'he'
may find a hole in there. I have read some docs, but found more about
login methods than securing the server itself. Give me clues, please.
Thanks in advance
Leo
