More SSH Trouble


6 replies to this topic

#1 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,657 posts
  • Gender:Male

Posted 20 January 2006 - 01:03 PM

I keep getting random hosts attempting to connect to my SSH port. No one ever logs in, but I checked my syslog this time, and got this:

Jan 20 12:59:53 room sshd[15090]: error: Could not get shadow information for NOUSER
Jan 20 12:59:55 room sshd[15093]: error: Could not get shadow information for NOUSER
Jan 20 12:59:58 room sshd[15096]: error: Could not get shadow information for NOUSER
Jan 20 12:59:59 room sshd[15099]: error: Could not get shadow information for NOUSER
Jan 20 13:00:01 room sshd[15102]: error: Could not get shadow information for NOUSER
Jan 20 13:00:03 room sshd[15105]: error: Could not get shadow information for NOUSER

"room" being my hostname.

Anyone else get stuff like that? I did some checking into the address that was attempting to connect (59-120-99-66.hinet-ip.hinet.net), which is out of Taiwan, and has no business in my system. Just shutting down eth0 and starting it back up kills the client, and there are no further attempts after that.

Edited by systems_glitch, 20 January 2006 - 01:05 PM.


#2 luminaire

luminaire

    SUP3R 31337 P1MP

  • Members
  • 290 posts
  • Location:Canada

Posted 20 January 2006 - 02:11 PM

Yeah man, just random SSH brute-forcing attempts. I moved the port to something higher for a while, but my college is heavy on QoS, so, as port 22 is one of the highest priorities, it made sense for me to have it listening on two ports.

#3 stacksmasher

stacksmasher

    Mack Daddy 31337

  • Members
  • 214 posts

Posted 20 January 2006 - 03:12 PM

Yeah, don't use the default port, 'cause when a 0day comes along you will get fucked in the ass like everyone else.


Use a random port.

#4 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,657 posts
  • Gender:Male

Posted 20 January 2006 - 03:44 PM

Thanks! I searched around and found where the port could be changed for startup. For anyone else who, like me, didn't know how to do this:

Log in as root
edit /etc/ssh/sshd_config
uncomment the "# Port 22" line
change "22" to any random port that's not in use

While I was in there, I also disabled root login through SSH. Just search the config for PermitRootLogin, uncomment it and change "yes" to "no".

Restart your SSH daemon and you're good to go (/etc/rc.d/rc.sshd restart in Slackware or others using the BSD rc.d system).

#5 Rightcoast

Rightcoast

    mmm ... donuts

  • Agents of the Revolution
  • 2,074 posts
  • Gender:Male
  • Location:321

Posted 20 January 2006 - 03:50 PM

Thanks! I searched around and found where the port could be changed for startup. For anyone else who, like me, didn't know how to do this:

Log in as root
edit /etc/ssh/sshd_config
uncomment the "# Port 22" line
change "22" to any random port that's not in use

While I was in there, I also disabled root login through SSH. Just search the config for PermitRootLogin, uncomment it and change "yes" to "no".

Restart your SSH daemon and you're good to go (/etc/rc.d/rc.sshd restart in Slackware or others using the BSD rc.d system).


It's also a good idea to allow only who you want (often only yourself on the home machine). In /etc/ssh/sshd_config:
AllowUsers rightcoast
then restart ssh (in debian) with
/etc/init.d/ssh restart
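The three sshd_config changes from this post and the previous one (move Port off 22, PermitRootLogin no, AllowUsers), as an added example that is not from the thread: a POSIX shell script that edits a config file idempotently, handling the commented-out default, an already active line and a directive that is absent. It assumes a GNU/Linux userland (awk, mktemp); the port 2222 and the user name are placeholders, and the config it runs on is a constructed excerpt, not a real host's file.

```shell
#!/bin/sh
# Added example, not from the thread: apply the sshd_config changes the
# replies describe (Port, PermitRootLogin no, AllowUsers) to a config file,
# handling the commented default, an active line and an absent directive.

# set_sshd_option FILE KEY VALUE: set KEY once, replacing the first "#KEY ..."
# or "KEY ..." line (sshd honours the first match) or appending if absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        # sshd keywords are case-insensitive, so compare lowercased
        !done && tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the active (uncommented) value, first match wins
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print $2; exit }' "$1"
}

# harden_sshd FILE PORT USER: the changes from posts #4 and #5 in one step
harden_sshd() {
    set_sshd_option "$1" Port "$2"              # listen somewhere other than 22
    set_sshd_option "$1" PermitRootLogin no     # no direct root logins
    set_sshd_option "$1" AllowUsers "$3"        # only the named account(s)
}

# Demo on a constructed excerpt of a stock sshd_config (not a real host's file).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin yes
Protocol 2
EOF
harden_sshd "$demo/sshd_config" 2222 rightcoast
cat "$demo/sshd_config"
# On a real host, check the result with "sshd -t -f /etc/ssh/sshd_config" before
# restarting, and keep the current session open until the new port answers.
rm -rf "$demo"
```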


#6 evoen

evoen

    SUP3R 31337

  • Validating
  • 180 posts
  • Location:38.63 , -90.194

Posted 20 January 2006 - 04:07 PM

I keep a constant eye on my syslog also and always see these attempts but nothing ever comes of it. I thought about changing the port number also but figured anyone who was sophisticated enough to crack an unauthorized connection would know how to port scan and find the port I was using anyway. No?

Edited by evoen, 20 January 2006 - 04:08 PM.


#7 b8zs

b8zs

    The phorce is with me!

  • Members
  • 76 posts
  • Location:64 Kbps x24

Posted 20 January 2006 - 06:23 PM

use fwknop: http://www.cipherdyne.org/fwknop/

The fwknop server runs on Linux (not sure about other OSes) and uses netfilter to hide a port you want to protect. So if your machine was only listening on 22, and someone portscanned you, they would see 22 as being open -- and immediately think you were running an sshd daemon. If you were running fwknopd on your machine and had it protecting 22, the portscanner would see no open ports (aside from the single packet authentication port listener, which is needed to open 22, but you can use tcp/udp/icmp/etc. to open your protected port). You then send a single packet from the host to the server, with the proper credentials, and it will open port 22 for a pre-set amount of time (default is 30 secs).

The author gave a cool talk at ShmooCon and has been to many other cons. He wrote a patch to ssh so instead of running:

$fwknop -data -data -data;ssh user@host

you can now just do:

$ssh -K "-data -data -data" user@host

or something to that effect.

It's really cool and I recommend all of you with OpenSSH on a Linux machine to try it out.



