[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

troy fryman at sonic.net
Mon Oct 4 13:25:32 PDT 2004


On Mon, Oct 04, 2004 at 12:40:58PM -0700, Dave Sisley wrote:
> 
> I have hosts.allow set so that sshd will accept a login from anywhere
> (sshd : ALL), but the sshd config file will only allow a login with my
> user name.  Is there more I should do?

Ever since the time I was traveling when an openssh exploit hit the
wild, I've not wanted to leave sshd open to the world at large.  I
hadn't checked on my machine in days, and upgrading ssh remotely is
always stressful.  It's also worth noting that there are often exploits
floating around the hard-core (like ioerror) group without being known
by the public at large.  So even if an app like openssh has no known
exploits, it's not necessarily safe from the bad guys (like ioerror) ;-)

So this is what I do:

I have a php script whose name is hopefully tough to guess sitting on my
webserver.  Its purpose is to write out a file with the ip address of
the person who hits that page.  Then, in /etc/hosts.allow I have:

sshd: 192.168.9.
# ...and so on, for IPs that I trust.
sshd: /path/to/ip.txt

BTW, I think you've done the right things:

1) you watch your logs
2) you're using strong(er) passwords
3) allowing only your user


Oh, and just in case it wasn't clear, ioerror isn't really a "bad guy" ;-)

-troy

The php script is exceedingly simple, so here it is...

<?php
// Record the address of whoever hits this page so that the
// "sshd: /path/to/ip.txt" line in /etc/hosts.allow lets it in.
// REMOTE_ADDR is filled in by the web server from the TCP peer,
// not from a client-supplied header, so it is the value to trust.

function get_ip()
{
	if (isset($_SERVER['REMOTE_ADDR'])) {
		return $_SERVER['REMOTE_ADDR'];
	}
	return getenv("REMOTE_ADDR");
}

$out = '/path/to/ip.txt';    /* current address, read by tcp_wrappers */
$log = '/path/to/iplog.txt'; /* append-only history of every hit      */

print "Was: ";
if (is_readable($out)) {
	readfile($out);
}
print "<br>";

$ip = get_ip();
if ($ip === false || $ip === '') {
	die("no REMOTE_ADDR available");
}

// Overwrite the allow file with the new address, holding an exclusive
// lock so two simultaneous hits cannot interleave their writes.
$fp = fopen($out, "w");
if ($fp === false) {
	die("cannot open $out for writing");
}
flock($fp, LOCK_EX);
fputs($fp, $ip . "\n");
flock($fp, LOCK_UN);
fclose($fp);

// Keep a permanent log of every address that has been let in.
$lfp = fopen($log, "a");
if ($lfp === false) {
	die("cannot open $log for appending");
}
flock($lfp, LOCK_EX);
fputs($lfp, $ip . "\n");
flock($lfp, LOCK_UN);
fclose($lfp);

print "Wrote: ";
readfile($out);
?>
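The same "hit a secret URL, get your address added to the sshd allow-list" mechanism, written out with the checks a practitioner would want, as an added example that is not troy's script and not part of the original post. Two caveats that apply to the hosts.allow lines above as well: tcp_wrappers grants access by default, so the allow rules only restrict anything if /etc/hosts.deny also contains "sshd: ALL"; and sshd must be built with libwrap support (OpenSSH dropped tcp_wrappers support in 6.7, so on modern systems the same allow file would be consumed by a firewall rule or a Match block instead). The example adds what the PHP version lacks: the address is validated before it is written, the allow file is replaced atomically so tcpd never reads a half-written file, and addresses expire after a TTL instead of the last visitor silently evicting the previous one. The paths, the TTL and the "<epoch> <ip>" log format are this example's own assumptions; the web server would call register() with REMOTE_ADDR.

```python
"""Maintain a tcp_wrappers allow-list file from web hits (example code)."""
import ipaddress
import os
import tempfile
import time

# Assumed paths, matching the post; hosts.allow points at ALLOW_FILE:
#   sshd: /path/to/ip.txt
ALLOW_FILE = "/path/to/ip.txt"
LOG_FILE = "/path/to/iplog.txt"
TTL = 24 * 60 * 60  # seconds an address stays allowed (assumption)


def parse_remote_addr(value):
    """Return a normalised IP string, or None if value is not usable.

    Feed this REMOTE_ADDR (the TCP peer seen by the web server), never a
    client-supplied header such as X-Forwarded-For: whatever lands in the
    allow file is handed straight to sshd's access control.
    """
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    if ip.is_unspecified or ip.is_multicast:
        return None
    return str(ip)


def load_entries(log_path):
    """Read '<epoch> <ip>' lines, keeping the newest timestamp per address.
    Malformed lines are skipped rather than trusted."""
    newest = {}
    try:
        with open(log_path) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return newest
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        ip = parse_remote_addr(parts[1])
        if ip is None:
            continue
        newest[ip] = max(newest.get(ip, 0), int(parts[0]))
    return newest


def atomic_write(path, text):
    """Write via temp file + rename so tcpd never sees a partial file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".allow.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def register(remote_addr, log_path=LOG_FILE, allow_path=ALLOW_FILE,
             now=None, ttl=TTL):
    """Record remote_addr and rebuild the allow file.

    Returns the sorted list of addresses now allowed, or None if
    remote_addr was rejected (in which case nothing is written).
    """
    ip = parse_remote_addr(remote_addr)
    if ip is None:
        return None
    now = int(time.time()) if now is None else int(now)
    with open(log_path, "a") as fh:
        fh.write("%d %s\n" % (now, ip))
    live = sorted(a for a, ts in load_entries(log_path).items()
                  if now - ts <= ttl)
    # One pattern per line is what hosts_access(5) expects in an included file.
    atomic_write(allow_path, "".join(a + "\n" for a in live))
    return live


def demo():
    """Run the flow in a scratch directory on constructed input."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "iplog.txt")
    allow = os.path.join(workdir, "ip.txt")
    t0 = 1_096_921_532  # constructed timestamp near the post's date
    register("203.0.113.7", log, allow, now=t0)
    register("198.51.100.9", log, allow, now=t0 + 3600)
    rejected = register("not-an-ip", log, allow, now=t0 + 3600)
    # A hit a day and a half later has expired the first two addresses.
    live = register("2001:db8::1", log, allow, now=t0 + 36 * 3600)
    with open(allow) as fh:
        contents = fh.read()
    return rejected, live, contents


if __name__ == "__main__":
    print(demo())
```

Because tcp_wrappers re-reads the files named in hosts.allow on every connection, the rename in atomic_write() takes effect for the next ssh attempt with no daemon restart; the append-only log keeps the "who was let in, and when" record that the original script wrote to iplog.txt.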




More information about the talk mailing list