LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-14-2002, 09:31 AM   #1
ifm
Member
 
Registered: Jun 2002
Location: USA
Distribution: RH7.3 & YDL2.1
Posts: 124

Rep: Reputation: 15
Is this a security threat?


RH 7.3 with sshd running behind firewall where remote connections to ssh are allowed input/output:

My /var/log/secure file has the following:

Jun 13 16:28:01 my.domain.ip sshd[22432]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:07 my.domain.ip sshd[22433]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:13 my.domain.ip sshd[22434]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:22 my.domain.ip sshd[22435]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:28:46 my.domain.ip sshd[22436]: Did not receive identification string from some.unknown.remote.ip
Jun 13 16:29:37 my.domain.ip sshd[22437]: Did not receive identification string from some.unknown.remote.ip


Over the past two days, something like this has shown up from different IP addresses. Is this a BAD thing???
 
Old 06-14-2002, 10:26 AM   #2
kahuna
Member
 
Registered: Jun 2002
Location: Grand Rapids, MI
Distribution: Redhat, Slackware
Posts: 78

Rep: Reputation: 15
Probably a port scan, since port scans do not send the ssh version identification string. Also could be a script kiddie scan looking for vulnerable ssh versions due to the same reason as above.

If I were you I would give the IP block owner a heads up about what their clients and/or machines are doing to your network.
 
Old 06-14-2002, 10:35 AM   #3
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
You should check every now and then and if the same ip is showing up a lot you may have someone trying something.

The thing is your password is required to login. If you have a fairly strong password then the only way for someone to get it would be for them to be between you and the server, and they would actually send you a certificate that is posing to be from your server, and then they would be able to get your password when you send it to them.

Once you have the certificate from the server you should not need to get it again, so you should just get a login prompt or a password prompt if you send your login name as you login. No one can get your password because it is encrypted before you login.


Always login first with a normal user, then if you need to su - to root.


When someone actually attempts to login you will see a login error every time they use an invalid password or name. These are the type of log entries to worry about. But I would still not worry since it would take many thousands of years to guess your password.

The logs are probably from computers scanning on the ssh port and are pretty normal if you are on the internet.

Last edited by DavidPhillips; 06-14-2002 at 10:39 AM.
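To make kahuna's "probably a port scan" diagnosis and DavidPhillips's advice (watch for the same IP showing up a lot, and for actual login failures) concrete, here is an added example of a small log checker over /var/log/secure lines. This is not code from the thread or from Red Hat; it assumes the sshd message formats shown above plus OpenSSH's "Failed password for ..." wording for rejected logins, a log year of 2002 (syslog timestamps carry no year), and uses constructed sample lines with documentation-range IPs in place of the poster's real addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in the /var/log/secure format quoted in post #1,
# with the remote address replaced by documentation-range IPs, plus two
# "Failed password" lines of the kind DavidPhillips says are worth worrying about.
SAMPLE_LOG = """\
Jun 13 16:28:01 my.domain.ip sshd[22432]: Did not receive identification string from 198.51.100.7
Jun 13 16:28:07 my.domain.ip sshd[22433]: Did not receive identification string from 198.51.100.7
Jun 13 16:28:13 my.domain.ip sshd[22434]: Did not receive identification string from 198.51.100.7
Jun 13 16:28:22 my.domain.ip sshd[22435]: Did not receive identification string from 198.51.100.7
Jun 13 16:28:46 my.domain.ip sshd[22436]: Did not receive identification string from 198.51.100.7
Jun 13 16:29:37 my.domain.ip sshd[22437]: Did not receive identification string from 198.51.100.7
Jun 13 17:02:11 my.domain.ip sshd[22501]: Did not receive identification string from 203.0.113.9
Jun 13 18:40:03 my.domain.ip sshd[22610]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jun 13 18:40:09 my.domain.ip sshd[22610]: Failed password for root from 203.0.113.9 port 40122 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# A client connected to port 22 and hung up without sending "SSH-2.0-..."
# (typical of a port scanner); newer OpenSSH versions append " port N", which \S+ tolerates.
NO_IDENT = re.compile(r"Did not receive identification string from (?P<ip>\S+)")
# A real login attempt that was rejected (bad password or unknown user).
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line, year=2002):
    """Parse one sshd line into a dict, or return None if it is not one of
    the two message types this checker tracks. `year` is assumed because
    the syslog timestamp does not record it."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    n = NO_IDENT.match(msg)
    if n:
        return {"time": ts, "kind": "no_ident", "ip": n.group("ip"), "user": None}
    f = FAILED.match(msg)
    if f:
        return {"time": ts, "kind": "failed_login", "ip": f.group("ip"), "user": f.group("user")}
    return None


def scan_bursts(events, window_seconds=60, threshold=5):
    """Return {ip: peak} for IPs whose no_ident events reached `threshold`
    inside some sliding window of `window_seconds`; peak is the largest
    number of such events seen in one window for that IP."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    ordered = sorted((e for e in events if e["kind"] == "no_ident"), key=lambda e: e["time"])
    for ev in ordered:
        q = recent[ev["ip"]]
        q.append(ev["time"])
        # drop events older than the window, measured from the newest one
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def failed_logins(events):
    """Return {ip: [usernames tried]} for rejected login attempts."""
    out = defaultdict(list)
    for ev in events:
        if ev["kind"] == "failed_login":
            out[ev["ip"]].append(ev["user"])
    return dict(out)


def summarize(log_text, year=2002):
    """Split a log into parsed events and report scan bursts and login failures."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    return {"scan_bursts": scan_bursts(events), "failed_logins": failed_logins(events)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["scan_bursts"].items():
        print(f"{ip}: {n} connections with no identification string within 60s (likely scan)")
    for ip, users in report["failed_logins"].items():
        print(f"{ip}: {len(users)} failed logins, users tried: {', '.join(users)}")
```

Run against the sample, the five connections within 45 seconds from the first address are reported as a scan burst (the sixth falls outside the 60-second window), while the second address, which only probed once, is reported for its two failed logins instead. The two buckets are the distinction DavidPhillips draws: the first is background noise on any Internet-facing host, the second shows someone actually trying usernames and passwords.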
 
Old 06-14-2002, 10:58 AM   #4
ifm
Member
 
Registered: Jun 2002
Location: USA
Distribution: RH7.3 & YDL2.1
Posts: 124

Original Poster
Rep: Reputation: 15
Thanks guys

Ok, that's what I was thinking (I did my own port scan, and the same type of line showed up in the log file from my own IP). What caught me off guard was that the same IP did a port scan 6 times in a row (within a minute). I had never seen that before. Scared me.

For my server(s) I set sshd to not allow root login, so I ALWAYS have to su in after I login. I also never do anything with my own user account, so my user's bash history is always "su exit su exit su exit" hehe etc.

Thanks for clearing up the certificate question when logging into the machine. Yes, I have only seen it once, the first time I connected to the machine after setting up the machine to answer remotely with sshd only (I turned off telnet, even put a SENSOR on the telnet port on my YDL2.1 machine... the RH7.3 machine just has a firewall to prevent telnet port).

I also don't set the RSA between my user and the server. I don't trust that... I only set that up for server to server talking for rsync... and it's on a non-privileged user who only has write privs to a single directory on the destination server (backup dir).

Thank you for your words, it helps me clarify things hearing it from others instead of just pondering it myself =)
All times are GMT -5.