[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

Dave Sisley dsisley at arczip.com
Mon Oct 4 17:03:53 PDT 2004


Thanks for replying, Frank!

On Mon, Oct 04, 2004 at 02:11:55PM -0700, E Frank Ball wrote:
> On Mon, Oct 04, 2004 at 12:40:58PM -0700, Dave Sisley wrote:
> } ...
> } I have hosts.allow set so that sshd will accept a login from anywhere
> } (sshd : ALL), but the sshd config file will only allow a login with my
> } user name.  Is there more I should do?
> 
> 
> If possible in sshd_config:
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> 
> This will only allow logins using a ssh key pair, and is much more
> secure than using passwords. 

Correct me if I'm wrong, but this has to be set up in advance between
the 2 machines, right?  In other words, it would preclude me from
logging into my home machine from my friend's house unless I've
generated a key on his machine and told my home machine to watch for
it.

I may have to rethink this, but I would rather leave open the
possibility that I could log in from anywhere (as if I actually _go_
anywhere!). 

> 
> Also restrict who can login from where:
> 
> AllowUsers user1 at 192.168.1.*, user1 at 192.25.*, root at 192.168.1.*
> 
> This is much more specific than you can do in hosts.allow.
> If you only login from the JC you can restrict it to their subnets.
> 

This might also be more restrictive than I'd wish, but I will consider
it. 

I'm a bit confused by the syntax, though. I'm assuming that 'user1' is
the user name on the remote machine into which I want to log?  And the
partial IP address - is that also the remote machine? Or the machine
from which I am calling? (Forgive me if that makes no sense - when I
get a minute, I will also try reading the man page...).

> Also you can run ssh on a non-standard port number.  I do and nobody
> seems to have found it yet.  This isn't an excuse to skip the above
> steps or keeping ssh up to date, it's a layer of obscurity on top of all
> the normal security.
> 

This too might be a good idea, but wouldn't a port sniffer like nmap
find the obscure port easily?

> 
> 
> } In a related question, I would like to know what to think of the long
> } string of packet info logwatch captures for me.  Here's a sample:
> } 
> } Logged 937 packets on interface eth0
> }   From 4.15.88.176 - 2 packets to tcp(445)
> }   From 4.16.51.0 - 2 packets to tcp(445)
> }   From 4.26.145.76 - 3 packets to tcp(445)
> }   From 4.28.142.115 - 3 packets to tcp(445)
> }   From 4.62.216.123 - 2 packets to tcp(445)
> }   From 4.180.192.127 - 3 packets to tcp(445)
> }   From 4.227.60.163 - 2 packets to tcp(445)
> }   From 4.234.218.238 - 3 packets to tcp(445)
> }   From 12.43.223.125 - 2 packets to tcp(445)
> }   From 12.78.46.240 - 2 packets to tcp(445)
> }   From 24.80.237.0 - 1 packet to udp(137)
> }   From 24.108.182.109 - 2 packets to tcp(445)
> }   From 61.30.116.8 - 3 packets to tcp(445)
> }   From 61.33.89.39 - 1 packet to udp(137)
> }   From 61.64.151.105 - 6 packets to tcp(445)
> }   From 61.111.141.55 - 2 packets to tcp(4000)
> }   From 61.177.232.226 - 2 packets to tcp(5554,9898)
> }   From 62.45.9.196 - 1 packet to udp(137)
> } [... more more more ...]
> 
> You can look up many port number assignments in /etc/services
> microsoft-ds    445/tcp
> netbios-ns      137/udp
> 
> If they aren't there try google.  The ones above are all looking for
> common Microsoft Windows exploits.  The above looks very common, nothing
> to worry about.
> 
> I also prefer logcheck to logwatch.  It doesn't make summary reports
> like the one above, but it's very configurable as to what you see and it
> can show more detail.

Well, I can't criticize logwatch until I learn to actually use it, but
I'll try and check out logcheck too.

Thanks for the info!

> 
> -- 
> 
>    E Frank Ball                frankb at frankb.us
> 
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk

-- 
Dave Sisley
dsisley at arczip.com
roth-sisley.net
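An added example, not part of the thread, that emulates how sshd(8) evaluates the AllowUsers entries Frank suggests, so the question about the syntax can be checked concretely: in a USER@HOST entry, USER is the account on the machine running sshd (the home machine), and HOST is a pattern matched against the connecting client's address or hostname. The " at " in the quoted line is the list archive's rendering of "@", and the entries are written here whitespace-separated as sshd_config(5) documents them. The matching rules (`*`/`?` wildcards, `!` negation, comma-separated host patterns) follow the PATTERNS section of the ssh man pages; this is a stand-alone emulation, not sshd's own code, and the addresses are constructed.

```python
"""
Emulation (not sshd's own code) of AllowUsers matching for sshd_config.
Assumptions:
  * USER is the login account on the sshd host
  * HOST is matched against the client's IP address or reverse-DNS name
  * '*' and '?' are wildcards, a leading '!' negates a pattern, and the
    HOST part may hold several comma-separated patterns
"""
from fnmatch import fnmatchcase
from typing import Optional


def _match_pattern_list(value: str, pattern_list: str) -> bool:
    """True if value matches the comma-separated pattern list.
    A negated pattern that matches rejects the whole list, as in the
    PATTERNS section of ssh_config(5)."""
    matched = False
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if fnmatchcase(value, pattern):
            if negate:
                return False
            matched = True
    return matched


def allow_users_permits(allow_users: str, user: str, client_ip: str,
                        client_host: Optional[str] = None) -> bool:
    """Return True if an AllowUsers line permits this login.

    allow_users: value of the AllowUsers directive (USER or USER@HOST
                 entries separated by whitespace)
    user:        account on the sshd host being logged into
    client_ip:   source address of the connection
    client_host: client's reverse-DNS name, if known
    """
    for entry in allow_users.split():
        if "@" in entry:
            user_pat, host_pat = entry.split("@", 1)
        else:
            user_pat, host_pat = entry, None
        if not fnmatchcase(user, user_pat):      # user part is one pattern
            continue
        if host_pat is None:                     # bare USER: any source
            return True
        if _match_pattern_list(client_ip, host_pat):
            return True
        if client_host and _match_pattern_list(client_host, host_pat):
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: Frank's entries, logins from the LAN and from
    # a friend's house on an unrelated network.
    line = "user1@192.168.1.* user1@192.25.* root@192.168.1.*"
    for who, src in [("user1", "192.168.1.7"), ("user1", "203.0.113.9"),
                     ("root", "192.168.1.7"), ("root", "192.25.3.4")]:
        print(f"{who:<6} from {src:<15} ->",
              "allowed" if allow_users_permits(line, who, src) else "denied")
```

The run shows the trade-off Dave raises: with address-restricted entries, a login as user1 from an address outside the listed networks is refused regardless of password or key.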
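A second added example, also not from the thread: a small parser for the packet summary logwatch prints, quoted above, that resolves port numbers the way Frank suggests (from /etc/services, with a built-in fallback table) and then asks the one question that separates background noise from something worth a look: do any of the probed ports belong to a service this host actually runs? The sample text is constructed from the shape of the lines in the thread, and the served-port set is an assumption (a Linux box offering only ssh).

```python
"""
Parse a logwatch packet summary, name the ports, and flag probes that hit
a port this host serves.  Added example; the sample below is constructed.
"""
import re
from pathlib import Path
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample in the shape of the summary quoted in the thread.
SAMPLE_SUMMARY = """\
Logged 937 packets on interface eth0
  From 4.15.88.176 - 2 packets to tcp(445)
  From 24.80.237.0 - 1 packet to udp(137)
  From 61.111.141.55 - 2 packets to tcp(4000)
  From 61.177.232.226 - 2 packets to tcp(5554,9898)
  From 61.64.151.105 - 6 packets to tcp(445)
"""

# Used when /etc/services is unreadable: the two entries Frank quotes plus ssh.
FALLBACK_SERVICES = {("tcp", 445): "microsoft-ds",
                     ("udp", 137): "netbios-ns",
                     ("tcp", 22): "ssh"}

PortKey = Tuple[str, int]
LINE_RE = re.compile(r"^\s*From (\S+) - (\d+) packets? to (tcp|udp)\(([\d,]+)\)\s*$")
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)")


def parse_services_text(text: str) -> Dict[PortKey, str]:
    """Parse /etc/services-style lines: 'name  port/proto  [aliases] # comment'."""
    table: Dict[PortKey, str] = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.split("#", 1)[0])
        if m:
            name, port, proto = m.groups()
            table.setdefault((proto, int(port)), name)  # first name wins
    return table


def load_services(path: str = "/etc/services") -> Dict[PortKey, str]:
    """Read the system services file, falling back to the built-in table."""
    try:
        return parse_services_text(Path(path).read_text()) or dict(FALLBACK_SERVICES)
    except OSError:
        return dict(FALLBACK_SERVICES)


def parse_summary(text: str) -> Iterator[Tuple[str, int, str, Tuple[int, ...]]]:
    """Yield (source, packets, proto, ports) per 'From ...' line.  logwatch
    gives one packet count per line even with several ports, so the ports
    are kept together rather than guessing how the count splits."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, count, proto, ports = m.groups()
            yield src, int(count), proto, tuple(int(p) for p in ports.split(","))


def summarize(text: str, services: Dict[PortKey, str]) -> Dict[Tuple[str, Tuple[int, ...]], dict]:
    """Aggregate per (proto, ports): distinct sources, total packets, service names."""
    stats: Dict[Tuple[str, Tuple[int, ...]], dict] = {}
    for src, count, proto, ports in parse_summary(text):
        entry = stats.setdefault((proto, ports), {"sources": set(), "packets": 0})
        entry["sources"].add(src)
        entry["packets"] += count
    return {
        key: {"service": "/".join(services.get((key[0], p), "unknown") for p in key[1]),
              "sources": len(v["sources"]),
              "packets": v["packets"]}
        for key, v in stats.items()
    }


def probes_on_served_ports(stats: dict, served: Set[PortKey]) -> List[Tuple[str, Tuple[int, ...]]]:
    """Summary keys whose ports include one this host listens on.
    'served' is the set of (proto, port) pairs, e.g. from netstat -lntu."""
    return sorted(key for key in stats if any((key[0], p) in served for p in key[1]))


if __name__ == "__main__":
    stats = summarize(SAMPLE_SUMMARY, load_services())
    for (proto, ports), v in sorted(stats.items()):
        print(f"{proto}({','.join(map(str, ports))}) {v['service']:<22}"
              f" {v['sources']} sources, {v['packets']} packets")
    # Assumed: this host serves only ssh, so none of the probes should match.
    print("probes on ports we serve:", probes_on_served_ports(stats, {("tcp", 22)}))
```

With only tcp/22 in the served set the final list is empty, which is the concrete form of Frank's "nothing to worry about": the probes target Windows services the box does not run. The same report would flag tcp/22 immediately if the ssh scanning from the subject line showed up in the summary.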