LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 07-31-2007, 02:26 AM   #1
txm123
LQ Newbie
 
Registered: Nov 2004
Posts: 28

Rep: Reputation: 15
blocking false ssh users with ossec


Hello,

I have two questions.

My ssh port is 22. But I'm getting these emails from ossec which indicate ssh connection to funky ports

Code:
Jul 30 09:42:40 ns1 sshd[3937]: Invalid user adauto from 200.140.143.10
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from 200.140.143.10
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from 200.140.143.10 port 56565 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from 200.140.143.10
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from 200.140.143.10 port 56494 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from 200.140.143.10
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from 200.140.143.10 port 56406 ssh2
I have only a couple of handful ports open by APF and those listed are not. So my first question is how could this be?

My second question is, how can I add the IPs of these attackers to host.deny with ossec automatically?

Last edited by txm123; 07-31-2007 at 02:28 AM.
 
Old 07-31-2007, 03:20 AM   #2
zhangmaike
Member
 
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
For your first question: those ports are where those users are connecting FROM, not TO. Your ssh daemon only listens on port 22, but ssh clients may connect from any port. This is safe and expected - it's just how TCP works.

Adding hosts to hosts.deny is pretty simple, but I don't know anything about ossec or how to get it to do it for you.
 
Old 07-31-2007, 02:51 PM   #3
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,178

Rep: Reputation: 49
As a (psuedo-random) aside, if you change your incoming SSH port, you'll have fewer login attacks by order of magnitudes. I bumped mine from 22 to 28 (for example) and instead of registering ~500 a day, I get 1 a week.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
My APF is blocking users TheRudy Linux - Security 3 01-18-2007 11:01 AM
OSSEC report - is this OKAy? Old_Fogie Linux - Security 7 10-23-2006 06:03 AM
Blocking p2p to the users on my lan tomazN Linux - Networking 4 11-30-2005 06:28 AM
SSH Problem /bin/false ultrix Linux - Security 2 06-17-2005 07:31 AM
SSH is blocking my connections tarballedtux Linux - Security 8 11-01-2002 04:19 PM


All times are GMT -5. The time now is 08:11 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration