blocking false ssh users with ossec

txm123 · 07-31-2007, 02:26 AM

Hello,

I have two questions.

My ssh port is 22. But I'm getting these emails from ossec which indicate ssh connection to funky ports

Code:

Jul 30 09:42:40 ns1 sshd[3937]: Invalid user adauto from 200.140.143.10
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from 200.140.143.10
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from 200.140.143.10 port 56565 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from 200.140.143.10
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from 200.140.143.10 port 56494 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from 200.140.143.10
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from 200.140.143.10 port 56406 ssh2

I have only a couple of handful ports open by APF and those listed are not. So my first question is how could this be?

My second question is, how can I add the IPs of these attackers to host.deny with ossec automatically?

zhangmaike · 07-31-2007, 03:20 AM

For your first question: those ports are where those users are connecting FROM, not TO. Your ssh daemon only listens on port 22, but ssh clients may connect from any port. This is safe and expected - it's just how TCP works.

Adding hosts to hosts.deny is pretty simple, but I don't know anything about ossec or how to get it to do it for you.

Poetics · 07-31-2007, 02:51 PM

As a (psuedo-random) aside, if you change your incoming SSH port, you'll have fewer login attacks by order of magnitudes. I bumped mine from 22 to 28 (for example) and instead of registering ~500 a day, I get 1 a week.