[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

E Frank Ball frankb at frankb.us
Mon Oct 4 14:11:55 PDT 2004


On Mon, Oct 04, 2004 at 12:40:58PM -0700, Dave Sisley wrote:
} 
} I'm (sadly) pretty clueless when it comes to security, and I've been
} thinking a long while that it's time I get off the pot and learn some
} more about it.  I'm _really_ curious now, because my logwatch reports
} (which I can barely understand) indicate that there have been numerous
} attempts by "outsiders" to log into my box via ssh (see below for
} excerpts from a recent logwatch report).  
} 
} Here's my basic setup:
} 
} ssh _is_ running, with the following restrictions in the sshd config
} file:
} 
}     PermitRootLogin no
}     AllowUsers <my user name>
}     X11Forwarding no
... 
} I have hosts.allow set so that sshd will accept a login from anywhere
} (sshd : ALL), but the sshd config file will only allow a login with my
} user name.  Is there more I should do?


If possible in sshd_config:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

This will only allow logins using an ssh key pair, and is much more
secure than using passwords.

Also restrict who can login from where:

AllowUsers user1@192.168.1.* user1@192.25.* root@192.168.1.*

This is much more specific than you can do in hosts.allow.
If you only login from the JC you can restrict it to their subnets.

Also you can run ssh on a non-standard port number.  I do and nobody
seems to have found it yet.  This isn't an excuse to skip the above
steps or keeping ssh up to date, it's a layer of obscurity on top of all
the normal security.



} In a related question, I would like to know what to think of the long
} string of packet info logwatch captures for me.  Here's a sample:
} 
} Logged 937 packets on interface eth0
}   From 4.15.88.176 - 2 packets to tcp(445)
}   From 4.16.51.0 - 2 packets to tcp(445)
}   From 4.26.145.76 - 3 packets to tcp(445)
}   From 4.28.142.115 - 3 packets to tcp(445)
}   From 4.62.216.123 - 2 packets to tcp(445)
}   From 4.180.192.127 - 3 packets to tcp(445)
}   From 4.227.60.163 - 2 packets to tcp(445)
}   From 4.234.218.238 - 3 packets to tcp(445)
}   From 12.43.223.125 - 2 packets to tcp(445)
}   From 12.78.46.240 - 2 packets to tcp(445)
}   From 24.80.237.0 - 1 packet to udp(137)
}   From 24.108.182.109 - 2 packets to tcp(445)
}   From 61.30.116.8 - 3 packets to tcp(445)
}   From 61.33.89.39 - 1 packet to udp(137)
}   From 61.64.151.105 - 6 packets to tcp(445)
}   From 61.111.141.55 - 2 packets to tcp(4000)
}   From 61.177.232.226 - 2 packets to tcp(5554,9898)
}   From 62.45.9.196 - 1 packet to udp(137)
} [... more more more ... }

You can look up many port number assignments in /etc/services:

    microsoft-ds    445/tcp
    netbios-ns      137/udp

If they aren't there, try Google.  The ones above are all looking for
common Microsoft Windows exploits.  The above looks very common, nothing
to worry about.

I also prefer logcheck to logwatch.  It doesn't make summary reports
like the one above, but it's very configurable as to what you see and it
can show more detail.

-- 

   E Frank Ball                frankb at frankb.us
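The reply above suggests reading the logwatch packet summary by looking each port up in /etc/services. The script below is an added example, not part of the original thread, that parses lines in that summary format, totals packets per protocol/port, and names the service via the system services database with a small fallback table (the sample lines and the fallback names are constructed from the ports quoted in the thread; when one line lists several ports, the count is recorded against each of them, which is an assumption).

```python
import re
import socket
from collections import Counter

# Constructed sample in the logwatch "packet" summary format quoted in the thread.
SAMPLE = """\
Logged 937 packets on interface eth0
  From 4.15.88.176 - 2 packets to tcp(445)
  From 4.16.51.0 - 2 packets to tcp(445)
  From 24.80.237.0 - 1 packet to udp(137)
  From 61.111.141.55 - 2 packets to tcp(4000)
  From 61.177.232.226 - 2 packets to tcp(5554,9898)
"""

# One summary line: source, count, protocol, comma-separated port list.
LINE_RE = re.compile(r"From (\S+) - (\d+) packets? to (tcp|udp)\(([\d,]+)\)")

# Assumed fallback for hosts without /etc/services; names taken from the thread.
FALLBACK = {("tcp", 445): "microsoft-ds", ("udp", 137): "netbios-ns"}


def service_name(proto, port, lookup=socket.getservbyport):
    """Name a port via the services database, else the fallback table."""
    try:
        return lookup(port, proto)
    except OSError:  # port not in /etc/services, or no such file
        return FALLBACK.get((proto, port), "unknown")


def summarize(text):
    """Return packets per (proto, port) and the set of sources per (proto, port)."""
    packets = Counter()
    sources = {}
    for m in LINE_RE.finditer(text):
        src, count, proto, ports = m.groups()
        for port in ports.split(","):  # assumption: count applies to each listed port
            key = (proto, int(port))
            packets[key] += int(count)
            sources.setdefault(key, set()).add(src)
    return packets, sources


def report(text, lookup=socket.getservbyport):
    """One line per port, busiest first, so a reader sees what is being probed."""
    packets, sources = summarize(text)
    return [
        f"{proto}/{port} ({service_name(proto, port, lookup)}): "
        f"{n} packets from {len(sources[(proto, port)])} source(s)"
        for (proto, port), n in packets.most_common()
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```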



