LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 06-08-2003, 07:52 AM   #1
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
sshd reporting


hello,

i just got a load of strange entry's in my syslog for sshd they say:

Did not receive identification string from x.x.x.x

( where x.x.x.x is an ip address )

does anyone have an idea of what this means?

thanks
antken
 
Old 06-08-2003, 08:20 AM   #2
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
I think someone is trying to find an old, insecure version of SSH they
can exploit.
 
Old 06-08-2003, 09:05 AM   #3
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Original Poster
Rep: Reputation: 30
ah i see,


from what i can tell this has been attempted from three different addresses.

is there any way of telling what sort of exploit they are trying from what syslog has said?

thanks
antken
 
Old 06-08-2003, 09:31 AM   #4
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
As far as i know there aren't that many exploits for ssh. I found somewhere in a forum that it could be " SSH CRC-32 Compensation Attack Detector Vulnerability "

Check http://www.securiteam.com/exploits/5NP070A3QE.html for the exploit.
 
Old 06-08-2003, 09:33 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742
I think someone is trying to find an old, insecure version of SSH they can exploit.
If I break off a connection with any client, say netcat, this will be in the logs. At a minimum you could say someone is banner grabbing, because you cannot determine what they are looking for.

is there any way of telling what sort of exploit they are trying from what syslog has said?
No, you can't. Install Snort.
 
Old 06-08-2003, 09:35 AM   #6
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
The only issue I've found with SSH is when I run nessus it says to use protocol 2 rather then protocol 1. It seems protocol 1 is vulnerable in some way. Its very easy to change in the sshd_config file.
 
Old 06-08-2003, 09:36 AM   #7
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
If I break off a connection with any client, say netcat, this will be in the logs.

I thought so to, but i tested it on my machine and it didnt apear in the logs. I even set my level in my sshd config to DEBUG.
 
Old 06-08-2003, 09:44 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742
The only issue I've found with SSH is when I run nessus it says to use protocol 2 rather then protocol 1. It seems protocol 1 is vulnerable in some way. Its very easy to change in the sshd_config file.
NEVER run protocol v1.

I thought so to, but i tested it on my machine and it didnt apear in the logs.
What sshd version/syslog setup?
I'm running 3.4p1 at loglevel info and direct <facility>.* to the log.


Btw, if you run sshd and do not want to allow access to it for everyone, restrict access for Allow/DenyGroups/Users in sshd_config and IP addresses/ranges in tcp wrappers and the firewall.
 
Old 06-08-2003, 10:13 AM   #9
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
What sshd version/syslog setup?

[root@lnxsrvr root]# rpm -qa|grep ssh
openssh-askpass-3.5p1-6
openssh-clients-3.5p1-6
openssh-3.5p1-6
openssh-askpass-gnome-3.5p1-6
openssh-server-3.5p1-6

cat /etc/syslog.conf |grep messages
*.* /var/log/messages

my /var/log/messages doesn't report anything.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
df reporting incorrectly bigtl Linux - General 2 06-23-2005 05:47 AM
Error reporting in c george_mercury Programming 2 11-20-2004 06:22 PM
version reporting jag7720 Linux - Security 1 07-13-2004 05:42 AM
Reporting IP adress eclapton1 Programming 1 06-27-2004 11:34 PM
Enabling SSH in mandrake 9.2 - sshd vs. sshd-xinetd DogTags Linux - Newbie 7 11-25-2003 12:17 PM


All times are GMT -5. The time now is 01:33 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration