[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

Dave Sisley dsisley at arczip.com
Mon Oct 4 12:40:58 PDT 2004


Hello, fellow NBLUGgers:

I'm (sadly) pretty clueless when it comes to security, and I've been
thinking a long while that it's time I get off the pot and learn some
more about it.  I'm _really_ curious now, because my logwatch reports
(which I can barely understand) indicate that there have been numerous
attempts by "outsiders" to log into my box via ssh (see below for
excerpts from a recent logwatch report).  

The point of this post is to seek some basic advice and to maybe start
a thread on some of the basics I (and others) need to be aware of.
This post is a bit long, and I'm not seeking a comprehensive response,
just maybe some comments on my setup and what I can/should do to
protect my machine.  There are questions sprinkled about in what
follows, so please feel free to respond to any of them if you have
some advice (or even questions of your own).

This might also serve as a heads-up to anyone who might be experiencing
similar activity.  I don't think I've been compromised, but I'm not
even sure how I would know! (eek!)

Here's my basic setup:

FC2 with a 2.6.7 kernel
I'm running a webserver with a not-very-busy website
ftp is not running (I don't have ftpd installed)
ssh _is_ running, with the following restrictions in the sshd config
file:

    PermitRootLogin no
    AllowUsers <my user name>
    X11Forwarding no

I've set up IP masquerading so that I can access the internet,
etc. from my laptops via wireless.

I don't use ssh from outside the house very often (mostly from my SRJC
class to check email and compare configs and the like), but I like the
idea of being able to log in from the outside.  As I said, logwatch is
capturing some behavior that makes me a bit nervous.

Here's a sample from just the other day (10/2/04):

 --------------------- pam_unix Begin ------------------------

   [...]

sshd:
   Authentication Failures:
      unknown (ns2359.ovh.net): 2823 Time(s)
   Invalid Users:
      Unknown Account: 2823 Time(s)

 ---------------------- pam_unix End -------------------------


 --------------------- SSHD Begin ------------------------

SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.186.42.216: 2 Time(s)
   guest/password from 213.186.42.216: 1 Time(s)
   root/password from 213.186.42.216: 2814 Time(s)
   test/password from 213.186.42.216: 5 Time(s)
   user/password from 213.186.42.216: 1 Time(s)

Illegal users from these:
   admin/none from 213.186.42.216: 2 Time(s)
   admin/password from 213.186.42.216: 2 Time(s)
   guest/none from 213.186.42.216: 1 Time(s)
   guest/password from 213.186.42.216: 1 Time(s)
   root/password from 213.186.42.216: 2814 Time(s)
   test/none from 213.186.42.216: 5 Time(s)
   test/password from 213.186.42.216: 5 Time(s)
   user/none from 213.186.42.216: 1 Time(s)
   user/password from 213.186.42.216: 1 Time(s)

Users logging in through sshd:
   <my user name>:
      europa.daveNet (192.168.0.3): 3 times

**Unmatched Entries**
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
[... many, many, many more of the same...]

________________________________________________________

As you can see, somebody was really working my root password (you read
correctly: more than 2800 tries!).  I've since changed my passwords so
that they are less "wordly" and hopefully harder to crack.

These sorts of scans have been happening since at least July.  These
scans come from numerous IP addresses, not just the one above (but
that one is, I believe, the most egregious example).

I did some googling just yesterday about this and found this
discussion helpful (Warning: it's about 9 pages long):

http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999

The thrust is that these sorts of scans have been increasing over the
summer.  My guess is that the attacks are increasing as more machines
are compromised and inducted into an evil army of zombies.  Some of
the posts in the discussion indicate that login attempts are limited
to users such as root/guest/test/admin and the like.  I am seeing a
lot of those, but I'm also getting attempts from more likely accounts
(matt/pam/frank, etc.).

Since these scans are coming from lots of different machines (all of
which I assume to be unwitting zombies), I am assuming that adding
these IP addresses to hosts.deny is mostly pointless.

I have hosts.allow set so that sshd will accept a login from anywhere
(sshd : ALL), but the sshd config file will only allow a login with my
user name.  Is there more I should do?

As for my firewall, I am using one I received from a friend that I
trust.  I must confess, however, I don't fully understand what it
allows and what it denies.  Would it be helpful if I posted a listing
from iptables?

In a related question, I would like to know what to think of the long
string of packet info logwatch captures for me.  Here's a sample:

Logged 937 packets on interface eth0
  From 4.15.88.176 - 2 packets to tcp(445)
  From 4.16.51.0 - 2 packets to tcp(445)
  From 4.26.145.76 - 3 packets to tcp(445)
  From 4.28.142.115 - 3 packets to tcp(445)
  From 4.62.216.123 - 2 packets to tcp(445)
  From 4.180.192.127 - 3 packets to tcp(445)
  From 4.227.60.163 - 2 packets to tcp(445)
  From 4.234.218.238 - 3 packets to tcp(445)
  From 12.43.223.125 - 2 packets to tcp(445)
  From 12.78.46.240 - 2 packets to tcp(445)
  From 24.80.237.0 - 1 packet to udp(137)
  From 24.108.182.109 - 2 packets to tcp(445)
  From 61.30.116.8 - 3 packets to tcp(445)
  From 61.33.89.39 - 1 packet to udp(137)
  From 61.64.151.105 - 6 packets to tcp(445)
  From 61.111.141.55 - 2 packets to tcp(4000)
  From 61.177.232.226 - 2 packets to tcp(5554,9898)
  From 62.45.9.196 - 1 packet to udp(137)
[... more more more ...]


I'm not sure how to read this.  What are these machines doing?  Should
I be worried?  Should I board up the windows, stock up on food &
shotgun shells and just hide in the basement while the zombies stumble
around outside?

Thanks for reading this!

-dave.

-- 
Dave Sisley
dsisley at arczip.com
roth-sisley.net
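The logwatch excerpts above are summaries of raw sshd syslog lines. The script below is an added example (not part of Dave's post or of logwatch) that does the same aggregation one step further: it parses "Failed password" and "not listed in AllowUsers" lines, groups failures by source address, and flags any source that exceeds a threshold of failures inside a sliding time window, which is the detection rule that later tools such as fail2ban and sshguard automate. The log lines are constructed to match the sshd message format of that era; the source address 203.0.113.10, the host name "europa", the process ids and the threshold of 5 failures in 10 minutes are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd wrote in 2004; the
# host name, pids and the 203.0.113.10 source address are assumptions.
SAMPLE_LOG = """\
Oct  2 03:14:15 europa sshd[2231]: Illegal user test from 203.0.113.10
Oct  2 03:14:15 europa sshd[2231]: Failed password for illegal user test from 203.0.113.10 port 40011 ssh2
Oct  2 03:14:16 europa sshd[2233]: User root not allowed because not listed in AllowUsers
Oct  2 03:14:16 europa sshd[2233]: Failed password for root from 203.0.113.10 port 40012 ssh2
Oct  2 03:14:17 europa sshd[2235]: User root not allowed because not listed in AllowUsers
Oct  2 03:14:17 europa sshd[2235]: Failed password for root from 203.0.113.10 port 40013 ssh2
Oct  2 03:14:18 europa sshd[2237]: Failed password for root from 203.0.113.10 port 40014 ssh2
Oct  2 03:14:19 europa sshd[2239]: Failed password for admin from 203.0.113.10 port 40015 ssh2
Oct  2 03:14:20 europa sshd[2241]: Failed password for root from 203.0.113.10 port 40016 ssh2
Oct  2 09:02:41 europa sshd[2310]: Failed password for dave from 192.168.0.3 port 51002 ssh2
Oct  2 09:02:49 europa sshd[2310]: Accepted password for dave from 192.168.0.3 port 51002 ssh2
"""

# Syslog lines carry no year; assume the year of the report (2004).
LOG_YEAR = 2004

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ALLOWUSERS_RE = re.compile(r"sshd\[\d+\]: User (?P<user>\S+) not allowed because not listed in AllowUsers")


def parse_failures(log_text):
    """Return a list of (timestamp, user, source_ip) for each failed password."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def count_allowusers_rejections(log_text):
    """Count logins that sshd refused purely because of the AllowUsers directive
    (these are the 'Unmatched Entries' logwatch printed in the report above)."""
    return sum(1 for line in log_text.splitlines() if ALLOWUSERS_RE.search(line))


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag every source IP with at least `threshold` failures inside any
    `window`-long span. Uses a two-pointer sliding window over sorted times."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        users = set()
        start = 0
        peak = 0
        for end, (ts, user) in enumerate(attempts):
            # Slide the window start forward until it is within `window` of `ts`.
            while ts - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
            users.add(user)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(attempts),
                "peak_in_window": peak,
                "users": sorted(users),
            }
    return flagged


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(f"{len(events)} failed logins, "
          f"{count_allowusers_rejections(SAMPLE_LOG)} blocked by AllowUsers")
    for ip, info in find_bruteforce(events).items():
        print(f"brute force from {ip}: {info['attempts']} failures, "
              f"peak {info['peak_in_window']} in window, users {info['users']}")
```

Run against a real /var/log/secure the same parser separates a single mistyped password from the LAN (one failure from 192.168.0.3, never flagged) from a dictionary run that cycles through root/admin/test in seconds; the flagged dictionary is what a blocking tool would feed into iptables or hosts.deny, and the AllowUsers counter shows how many of those attempts the sshd configuration quoted above already rejected before any password was checked.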
