sshd reporting

antken · 06-08-2003, 07:52 AM

hello,

i just got a load of strange entry's in my syslog for sshd they say:

Did not receive identification string from x.x.x.x

( where x.x.x.x is an ip address )

does anyone have an idea of what this means?

thanks
antken

pk21 · 06-08-2003, 08:20 AM

I think someone is trying to find an old, insecure version of SSH they
can exploit.

antken · 06-08-2003, 09:05 AM

ah i see,

from what i can tell this has been attempted from three different addresses.

is there any way of telling what sort of exploit they are trying from what syslog has said?

thanks
antken

pk21 · 06-08-2003, 09:31 AM

As far as i know there aren't that many exploits for ssh. I found somewhere in a forum that it could be " SSH CRC-32 Compensation Attack Detector Vulnerability "

Check http://www.securiteam.com/exploits/5NP070A3QE.html for the exploit.

unSpawn · 06-08-2003, 09:33 AM

I think someone is trying to find an old, insecure version of SSH they can exploit.
If I break off a connection with any client, say netcat, this will be in the logs. At a minimum you could say someone is banner grabbing, because you cannot determine what they are looking for.

is there any way of telling what sort of exploit they are trying from what syslog has said?
No, you can't. Install Snort.

Crashed_Again · 06-08-2003, 09:35 AM

The only issue I've found with SSH is when I run nessus it says to use protocol 2 rather then protocol 1. It seems protocol 1 is vulnerable in some way. Its very easy to change in the sshd_config file.

pk21 · 06-08-2003, 09:36 AM

If I break off a connection with any client, say netcat, this will be in the logs.

I thought so to, but i tested it on my machine and it didnt apear in the logs. I even set my level in my sshd config to DEBUG.

unSpawn · 06-08-2003, 09:44 AM

The only issue I've found with SSH is when I run nessus it says to use protocol 2 rather then protocol 1. It seems protocol 1 is vulnerable in some way. Its very easy to change in the sshd_config file.
NEVER run protocol v1.

I thought so to, but i tested it on my machine and it didnt apear in the logs.
What sshd version/syslog setup?
I'm running 3.4p1 at loglevel info and direct <facility>.* to the log.

Btw, if you run sshd and do not want to allow access to it for everyone, restrict access for Allow/DenyGroups/Users in sshd_config and IP addresses/ranges in tcp wrappers and the firewall.

pk21 · 06-08-2003, 10:13 AM

What sshd version/syslog setup?

[root@lnxsrvr root]# rpm -qa|grep ssh
openssh-askpass-3.5p1-6
openssh-clients-3.5p1-6
openssh-3.5p1-6
openssh-askpass-gnome-3.5p1-6
openssh-server-3.5p1-6

cat /etc/syslog.conf |grep messages
*.* /var/log/messages

my /var/log/messages doesn't report anything.