LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-02-2005, 04:47 PM   #166
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30

FYI some plugins for nessusd give attack logs that look very similar!
 
Old 05-02-2005, 11:44 PM   #167
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Is there any good GUI SSH log alerter? Or better, something like "allow login from xxx?"
 
Old 05-14-2005, 09:12 PM   #168
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
SSH Scans

After seeing these scans on my systems I began setting up iptables to allow access to port 22 only to specific IPs. I allow only IPs on our public subnet, and now traffic from outside of the IPs that I have is immediately dropped. It's as simple as that, and now I have no more of these scans.

If you have a dynamic IP you can easily add an allow in iptables by MAC address. My home system has a dynamic IP as well, and it has been trivial to add access for this system to my SSH hosts.

The solution is simple and secure. In my case I don't need to allow access to unknown hosts for SSH, but that is as it should be. If I need to give a client access to SSH for some reason, I add the IP that they will be connecting from. An important part of our security policy is to know who is connecting, allow those who need access and block everything else.

Not news? Well, I don't have these login attempts any more. The original poster does. I guess that makes this news.

Last edited by javaroast; 05-16-2005 at 06:38 AM.
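The allow-list approach in the post above, as an added example that is not javaroast's own rule set: it generates the iptables commands that restrict TCP/22 to a list of source networks and refuses to produce them if the address you are administering from is not covered, which is the lock-out check a practitioner wants before loading such rules. The networks (203.0.113.0/24 as the "public subnet", 198.51.100.7 as the home address) are assumed documentation addresses, not from the thread. One caveat on filtering by MAC address: iptables' `-m mac --mac-source` match only sees the Ethernet address of the last hop on the local segment, so it cannot identify a remote host that arrives over the Internet with a changing IP; this example filters by source IP only.

```python
"""Added example (not from the original post): build an iptables allow-list for
SSH and guard against locking yourself out.

Assumptions (not from the page): 203.0.113.0/24 is the public subnet and
198.51.100.7 the admin's home address; both are documentation ranges.
The generated commands are meant to be piped to `sh` as root.
"""
import ipaddress

SSH_PORT = 22


def build_ssh_allowlist(allowed_nets, ssh_port=SSH_PORT, chain="SSH_IN"):
    """Return iptables commands that restrict TCP/ssh_port to allowed_nets.

    Everything else to that port is rate-limit logged and dropped. The list
    is built in a dedicated chain so a reload replaces the old allow-list
    instead of appending to INPUT.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    cmds = [
        # -N fails harmlessly if the chain already exists; -F empties it.
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -F {chain}",
        # Accept established flows first so a live admin session survives a reload.
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in nets:
        cmds.append(f"iptables -A {chain} -s {net.with_prefixlen} -j ACCEPT")
    cmds += [
        f"iptables -A {chain} -m limit --limit 5/min -j LOG --log-prefix 'ssh-blocked: '",
        f"iptables -A {chain} -j DROP",
        # Drop a stale jump from an earlier load, then hook the chain in front of INPUT.
        f"iptables -D INPUT -p tcp --dport {ssh_port} -j {chain} 2>/dev/null || true",
        f"iptables -I INPUT -p tcp --dport {ssh_port} -j {chain}",
    ]
    return cmds


def is_allowed(src_ip, allowed_nets):
    """True if src_ip falls inside any of the allowed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_nets)


def would_lock_out(allowed_nets, admin_ip):
    """True if loading the allow-list would cut off the address you work from."""
    return not is_allowed(admin_ip, allowed_nets)


def safe_build(allowed_nets, admin_ip):
    """Build the rules, but refuse if admin_ip is not in the allow-list."""
    if would_lock_out(allowed_nets, admin_ip):
        raise ValueError(f"{admin_ip} is not in the allow-list; refusing to lock you out")
    return build_ssh_allowlist(allowed_nets)


if __name__ == "__main__":
    allowed = ["203.0.113.0/24", "198.51.100.7"]  # assumed networks
    for cmd in safe_build(allowed, admin_ip="198.51.100.7"):
        print(cmd)
```

Run it as `python3 ssh_allowlist.py | sudo sh` once the printed rules look right; the admin_ip check is the only thing standing between a typo in the list and a locked-out box, so keep a second session open the first time.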
 
Old 05-15-2005, 03:27 AM   #169
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
This is not news, man! What if you use a dynamic IP to connect to your box? There are a couple of solutions like auto-own-RBL, pam_tally, port 35, for example, and so on; anyone can add more (please do).
 
Old 05-16-2005, 01:00 AM   #170
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Version 4.0 of OpenSSH has the option of hashing the known-hosts
database. There is also a patch for OpenSSH 3.9 that does the same
thing. Unfortunately, the option is not turned on by default.

<http://nms.csail.mit.edu/projects/ssh/>
<http://nms.csail.mit.edu/projects/ssh/sshworm.pdf>

The fix:
<http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config>
<http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen>
<http://www.openbsd.org/cgi-bin/cvswe...tfile.c?rev=1.34&content-type=text/x-cvsweb-markup> or <http://tinyurl.com/8938c>
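What the HashKnownHosts option actually does, as an added example that is not part of the post or of OpenSSH's code: a hashed known_hosts entry replaces the host name with `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so a worm that reads the file learns nothing about which hosts the user connects to, while ssh can still confirm a host it is connecting to by recomputing the HMAC. The functions below mirror `ssh-keygen -H` (hash an existing file) and `ssh-keygen -F host` (look a host up) in plain Python so they run without OpenSSH installed. The host names and the key string are constructed for the demo; the key is not a real public key and is never parsed. Marker lines (`@cert-authority`, `@revoked`) are not handled.

```python
"""Added example (not OpenSSH's code): the HashKnownHosts entry format.

Entry format, per sshd(8) "SSH_KNOWN_HOSTS FILE FORMAT":
    |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> <keytype> <key>
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"

# Constructed sample known_hosts content; the key string is a placeholder.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not a real key",
    "git.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyForDemo",
]


def hash_hostname(hostname, salt=None):
    """Return the |1|salt|hash token OpenSSH writes instead of hostname."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a random salt of SHA-1 digest length
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hostname_matches(token, hostname):
    """Check one name token (hashed or plain) against a candidate hostname.

    This is the check ssh performs on connect: it cannot recover the name from
    the token, but it can verify a name it already has.
    """
    if not token.startswith(HASH_MAGIC):
        return token == hostname
    salt_b64, hash_b64 = token[len(HASH_MAGIC):].split("|", 1)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, expected)


def hash_known_hosts(lines):
    """Equivalent of `ssh-keygen -H`: hash every plaintext host name.

    A comma-separated name list ("host,10.0.0.5") becomes one hashed line per
    name, because a single hash can only cover a single name.
    """
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#") or line.startswith(HASH_MAGIC):
            out.append(line)  # comments and already-hashed lines pass through
            continue
        names, rest = line.split(" ", 1)
        for name in names.split(","):
            out.append(hash_hostname(name) + " " + rest)
    return out


def find_host(lines, hostname):
    """Equivalent of `ssh-keygen -F hostname`: return the key parts of matching lines."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        names, rest = line.split(" ", 1)
        if any(hostname_matches(n, hostname) for n in names.split(",")):
            hits.append(rest)
    return hits


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("\n".join(hashed))
    print("lookup 192.0.2.10:", find_host(hashed, "192.0.2.10"))
```

The equivalent with the real tools is `ssh-keygen -H -f ~/.ssh/known_hosts` once, plus `HashKnownHosts yes` in ssh_config so new entries are written hashed; note that hashing only hides names from a reader of the file, it does not stop an attacker who already knows a host name from confirming it is present.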
 
Old 05-21-2005, 02:19 AM   #171
pwo0123
LQ Newbie
 
Registered: Sep 2004
Distribution: slackware 10.0, RedHat 9
Posts: 21

Rep: Reputation: 15
Hey guys, this might be old news, but I recently got a lot of SSH login tries, and when I got them I usually did a port scan and found most of the IPs had port 80 open.

Just try it yourself:

http://206.113.8.130/ some Unitel company site, tried like 300 logins

http://202.111.185.20/ Asian site

http://211.144.142.150/ another Asian site

I can post the messages if anyone wants to see the logins. But if you ask me, man, that's some weird shit.
 
Old 05-21-2005, 09:14 AM   #172
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
It's not weird, it's commercial shit: they can spam, do identity theft, check your bank account.
 
Old 05-30-2005, 10:20 AM   #173
Tudor Popescu
Newbie
 
Registered: May 2005
Posts: 9

Rep: Reputation: 0

Thank you kindly. This information is very useful for me. Great site! Thanks again!

_________________________________________________________________
Link Removed by Moderator


//Moderator note: Please stop spamming our site.

Last edited by Capt_Caveman; 05-30-2005 at 09:33 PM.
 
Old 05-30-2005, 11:37 PM   #174
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
The Romanian guy is spamming the site! And this thread kind of lost focus; maybe there's some new thread where the discussion is still ongoing?
 
Old 05-31-2005, 12:45 AM   #175
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
I've been thinking about trimming this thread down to only the important highlights for a while now. Maybe that was the death knell.
 
Old 05-31-2005, 01:25 AM   #176
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Capt Caveman: respect!
 
Old 06-13-2005, 08:51 PM   #177
securehack
Member
 
Registered: Sep 2003
Location: United States
Distribution: Slackware 10.1, Debian 3.0, WinXProSP1, Fedora Core 3
Posts: 425

Rep: Reputation: 30
Wow... I wonder how many times my system has been compromised =P (just kidding).

--Abid Kazmi
 
Old 06-16-2005, 01:18 AM   #178
AAnarchYY
Member
 
Registered: Sep 2004
Location: Carlisle, MA
Distribution: Debian 8
Posts: 419

Rep: Reputation: 30
authfail

I've been getting this crap for quite a while. I originally just changed the SSH port to a non-standard port, but that only fended off some of them; I still came home to a flooded log. I found this program called authfail (http://www.bmk.bz/?p=33) that worked great for me. By default it logs 4 failed SSH login attempts from the same IP, then puts the IP into iptables -j DROP, all in real time. I had to hack the hell out of it to make it work (it read the IP wrong, started kinda crummy, and a few other things, and I made it add the IP to hosts.deny also), but looking at the website it appears that it's been updated since I got it, so maybe that stuff is fixed. Anyway, it's made my logs a whole lot smaller and keeps people from continually hammering away at my sshd while allowing real traffic in (even with a few failed logins).
 
Old 06-16-2005, 12:27 PM   #179
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Well, Snort is what you need; it can handle real-time drop rules. Have fun with it, it's the most comprehensive out there AFAIK.
 
Old 06-16-2005, 05:52 PM   #180
AAnarchYY
Member
 
Registered: Sep 2004
Location: Carlisle, MA
Distribution: Debian 8
Posts: 419

Rep: Reputation: 30
I agree, johnny, Snort is an excellent IDS with a plethora of configuration options, but that's one of the reasons I'm not using it right now. I am in the process of setting it up, but I want it quite fine-tuned before I get rid of authfail, because at the moment the only crap I get is that garbage on my sshd; the rest is just idle scanning or other benign activity (and probably stuff I don't see because of a few iptables rules I have set).

The only thing authfail does is watch your log for failed sshd attempts, and after a certain (configurable) number of fails, it adds the IP to iptables or wherever you tell it to put it. Considering the nature of this tool and what this thread is about, I think it's the most focused tool for this job.
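The mechanism AAnarchYY describes in the two posts above (count failed sshd logins per source, ban after a threshold, add the address to iptables and hosts.deny), as an added example that is not authfail's code: it parses sshd's "Failed password" lines, bans a source once it reaches 4 failures (authfail's default), and never bans addresses in an exempt network so a few typos from the admin's own side do not lock it out, which is the "real traffic still gets in" property the post values. The log lines are constructed samples in the syslog format sshd wrote at the time, and 203.0.113.0/24 is an assumed admin network; none of it is from the thread. Only "Failed ..." lines are counted, not the "Invalid user" line sshd logs alongside them, so one bad attempt is not counted twice. One caveat on the hosts.deny part: it only takes effect when sshd is built with TCP wrappers (libwrap), which older OpenSSH packages were; the iptables rule works regardless.

```python
"""Added example (not authfail's code): the core of an authfail-style watcher.

Sample log lines are constructed; 203.0.113.0/24 is an assumed admin network
that is never banned. Nothing here touches the system; ban_commands() returns
the commands a real watcher would run.
"""
import ipaddress
import re
from collections import Counter

# Matches sshd's failure line for password, none, publickey and PAM methods.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|none|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

THRESHOLD = 4                          # authfail's default: ban after 4 failures
ALLOW_NEVER_BAN = ["203.0.113.0/24"]   # assumed admin network (documentation range)

# Constructed sample: a dictionary attack from 198.51.100.23, an admin who
# mistypes a password four times then gets in, and a user with one typo.
SAMPLE_LOG = """\
May 21 02:19:31 box sshd[1201]: Invalid user admin from 198.51.100.23
May 21 02:19:31 box sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 4455 ssh2
May 21 02:19:33 box sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 4458 ssh2
May 21 02:19:35 box sshd[1205]: Failed password for root from 198.51.100.23 port 4460 ssh2
May 21 02:19:37 box sshd[1207]: Failed password for invalid user guest from 198.51.100.23 port 4463 ssh2
May 21 02:19:38 box sshd[1208]: Failed password for invalid user guest from 198.51.100.23 port 4464 ssh2
May 21 02:20:02 box sshd[1210]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May 21 02:20:05 box sshd[1210]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May 21 02:20:06 box sshd[1210]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May 21 02:20:07 box sshd[1210]: Failed password for alice from 203.0.113.9 port 51022 ssh2
May 21 02:20:09 box sshd[1210]: Accepted password for alice from 203.0.113.9 port 51022 ssh2
May 21 02:21:00 box sshd[1212]: Failed password for bob from 192.0.2.44 port 3302 ssh2
May 21 02:21:03 box sshd[1212]: Accepted password for bob from 192.0.2.44 port 3302 ssh2
"""


def failures_by_ip(log_text):
    """Count failed sshd logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def exempt(ip):
    """True if ip lies in a network that must never be banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALLOW_NEVER_BAN)


def ban_list(counts, threshold=THRESHOLD):
    """Sources at or over the threshold, minus the exempt networks."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and not exempt(ip))


def ban_commands(ips):
    """Commands to block each source: an iptables DROP inserted at the top of
    INPUT, plus a hosts.deny entry (only honoured by a libwrap-enabled sshd)."""
    cmds = []
    for ip in ips:
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
        cmds.append(f"echo 'sshd: {ip}' >> /etc/hosts.deny")
    return cmds


if __name__ == "__main__":
    counts = failures_by_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failures{' (exempt)' if exempt(ip) else ''}")
    for cmd in ban_commands(ban_list(counts)):
        print(cmd)
```

A real watcher would tail the log instead of reading it once, remember which sources it has already banned so it does not insert the same rule repeatedly, and expire bans after a while, since dynamic addresses get reassigned to innocent parties.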
 
Tags: hostsdeny, keys, ssh