Linux - Security
RH 7.3 with sshd running behind firewall where remote connections to ssh are allowed input/output:
My /var/log/secure file has the following:
Jun 13 16:28:01 my.domain.ip sshd[22432]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:07 my.domain.ip sshd[22433]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:13 my.domain.ip sshd[22434]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:22 my.domain.ip sshd[22435]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:46 my.domain.ip sshd[22436]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:29:37 my.domain.ip sshd[22437]: Did not receive identification string from some.unknown.remote.ip
Over the past two days, something like this has shown up from different IP addresses. Is this a BAD thing???
Probably a port scan, since port scans do not send the ssh version identification string. Also could be a script kiddie scan looking for vulnerable ssh versions due to the same reason as above.
If I were you I would give the IP block owner a heads up about what their clients and/or machines are doing to your network.
You should check every now and then, and if the same IP is showing up a lot you may have someone trying something.
The thing is your password is required to login. If you have a fairly strong password then the only way for someone to get it would be for them to be between you and the server, and they would actually send you a certificate that is posing to be from your server, and then they would be able to get your password when you send it to them.
Once you have the certificate from the server you should not need to get it again, so you should just get a login prompt or a password prompt if you send your login name as you log in. No one can get your password because it is encrypted before you log in.
Always login first with a normal user, then if you need to su - to root.
When someone actually attempts to login you will see a login error every time they use an invalid password or name. These are the type of log entries to worry about. But I would still not worry since it would take many thousands of years to guess your password.
The logs are probably from computers scanning on the ssh port and are pretty normal if you are on the internet.
Last edited by DavidPhillips; 06-14-2002 at 10:39 AM.
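As an added example (not code from anyone in this thread), here is a small Python script that does the check suggested above: it tallies the "Did not receive identification string" entries per source address, flags an address that repeats within a short window (like the six hits in a minute the original poster saw), and separately counts "Failed password" lines, which are the entries worth paying attention to. The log lines, the addresses and the year (syslog stamps omit it) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jun 13 16:28:01 my.domain.ip sshd[22432]: Did not receive identification string from 203.0.113.5
Jun 13 16:28:07 my.domain.ip sshd[22433]: Did not receive identification string from 203.0.113.5
Jun 13 16:28:13 my.domain.ip sshd[22434]: Did not receive identification string from 203.0.113.5
Jun 13 16:28:22 my.domain.ip sshd[22435]: Did not receive identification string from 203.0.113.5
Jun 13 16:28:46 my.domain.ip sshd[22436]: Did not receive identification string from 203.0.113.5
Jun 13 18:02:10 my.domain.ip sshd[22501]: Did not receive identification string from 198.51.100.9
Jun 13 18:05:44 my.domain.ip sshd[22510]: Failed password for root from 198.51.100.9 port 4123 ssh2
Jun 13 18:05:53 my.domain.ip sshd[22511]: Failed password for illegal user admin from 198.51.100.9 port 4124 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: ..."; the year is not logged.
STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
NOID = re.compile(STAMP + r"Did not receive identification string from (\S+)")
FAIL = re.compile(STAMP + r"Failed password for .* from (\S+) port \d+")

def has_burst(times, window, threshold):
    """True if at least `threshold` timestamps fall within any `window` seconds."""
    times = sorted(times)
    left = 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window:
            left += 1          # slide the window forward
        if right - left + 1 >= threshold:
            return True
    return False

def summarize(log_text, window=60, threshold=5, year=2002):
    """Per source address: no-ID connects, failed logins, and whether the
    no-ID connects came in a burst (repeated scans in a short span)."""
    no_id, failed = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        if m := NOID.match(line):
            # year is an assumption: syslog stamps omit it
            no_id[m.group(2)].append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
        elif m := FAIL.match(line):
            failed[m.group(2)] += 1
    return {ip: {"no_id": len(no_id[ip]), "failed": failed[ip],
                 "burst": has_burst(no_id[ip], window, threshold)}
            for ip in sorted(set(no_id) | set(failed))}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Pointing it at a real /var/log/secure is just `summarize(open("/var/log/secure").read())`; a burst of no-ID connects is usually a scanner, while a rising "failed" count is the one to act on.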
Ok, that's what I was thinking (I did my own port scan, and the same type of line showed up in the log file from my own IP). What caught me off guard was that the same IP did a port scan 6 times in a row (within a minute). I had never seen that before. Scared me.
For my server(s) I set sshd to not allow root login, so I ALWAYS have to su in after I login. I also never do anything with my own user account, so my user's bash history is always "su exit su exit su exit" hehe etc.
Thanks for clearing up the certificate question when logging into the machine. Yes, I have only seen it once, the first time I connected to the machine after setting up the machine to answer remotely with sshd only (I turned off telnet, even put a SENSOR on the telnet port on my YDL2.1 machine... the RH7.3 machine just has a firewall to prevent telnet port).
I also don't set the RSA between my user and the server. I don't trust that... I only set that up for server to server talking for rsync... and it's on a non-privileged user who only has write privs to a single directory on the destination server (backup dir).
Thank you for your words, it helps me clarify things hearing it from others instead of just pondering it myself =)