systems_glitch

More SSH Trouble

7 posts in this topic

I keep getting random hosts attempting to connect to my SSH port. No one ever logs in, but I checked my syslog this time, and got this:

Jan 20 12:59:53 room sshd[15090]: error: Could not get shadow information for NOUSER
Jan 20 12:59:55 room sshd[15093]: error: Could not get shadow information for NOUSER
Jan 20 12:59:58 room sshd[15096]: error: Could not get shadow information for NOUSER
Jan 20 12:59:59 room sshd[15099]: error: Could not get shadow information for NOUSER
Jan 20 13:00:01 room sshd[15102]: error: Could not get shadow information for NOUSER
Jan 20 13:00:03 room sshd[15105]: error: Could not get shadow information for NOUSER

"room" being my hostname.

Anyone else get stuff like that? I did some checking into the address that was attempting to connect (59-120-99-66.hinet-ip.hinet.net), which is out of Taiwan, and has no business in my system. Just shutting down eth0 and starting it back up kills the client, and there are no further attempts after that.

Edited by systems_glitch
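
A small detection script for the kind of syslog noise quoted above, added here as an example and not part of the original post. It parses sshd lines in the format shown, keeps only the "Could not get shadow information for NOUSER" errors, and groups them into bursts so a run of six in ten seconds stands out from the occasional stray attempt. The sample log is constructed to mirror the lines in the post (plus one later event and one unrelated cron line); the threshold, gap size and the year supplied to the timestamp parser are assumptions.

```python
"""Flag bursts of sshd NOUSER errors in syslog text (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the post, one later stray hit,
# and one non-sshd line that must be ignored.
SAMPLE_LOG = """\
Jan 20 12:59:53 room sshd[15090]: error: Could not get shadow information for NOUSER
Jan 20 12:59:55 room sshd[15093]: error: Could not get shadow information for NOUSER
Jan 20 12:59:58 room sshd[15096]: error: Could not get shadow information for NOUSER
Jan 20 12:59:59 room sshd[15099]: error: Could not get shadow information for NOUSER
Jan 20 13:00:01 room sshd[15102]: error: Could not get shadow information for NOUSER
Jan 20 13:00:03 room sshd[15105]: error: Could not get shadow information for NOUSER
Jan 20 13:30:00 room sshd[16000]: error: Could not get shadow information for NOUSER
Jan 20 13:31:10 room cron[16001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Emitted when sshd is handed a username that does not exist on the box.
NOUSER_MARK = "Could not get shadow information for NOUSER"


def parse_sshd_events(text, year=2000):
    """Return (timestamp, pid) for every sshd NOUSER error in `text`.
    Syslog omits the year, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or NOUSER_MARK not in m.group("msg"):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("pid"))))
    return events


def find_bursts(events, threshold=5, max_gap=timedelta(seconds=10)):
    """Group events whose spacing never exceeds `max_gap`; a group of at
    least `threshold` events is a burst. Returns (first_ts, last_ts, count)."""
    events = sorted(events)
    bursts, group = [], []
    for ev in events:
        if group and ev[0] - group[-1][0] > max_gap:
            if len(group) >= threshold:
                bursts.append((group[0][0], group[-1][0], len(group)))
            group = []
        group.append(ev)
    if len(group) >= threshold:
        bursts.append((group[0][0], group[-1][0], len(group)))
    return bursts


if __name__ == "__main__":
    for first, last, n in find_bursts(parse_sshd_events(SAMPLE_LOG)):
        print(f"burst: {n} NOUSER errors between {first.time()} and {last.time()}")
```

Note that these particular log lines carry no client address; the post's author found the hinet.net host another way. To tie a burst back to a source you would correlate on the pid with sshd's connection-accept lines from the same period.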
yeah man, just random ssh brute forcing attempts. I moved the port to something higher for a while, but my college is heavy on QoS, so as port 22 is one of the highest priorities it made sense for me to have it listening on two ports.

Yea, don't use the default port cuz when an 0day comes along you will get fucked in the ass like everyone else.

use a random port

Thanks! I searched around and found where the port could be changed for startup. For anyone else who, like me, didn't know how to do this:

Login as root

edit /etc/ssh/sshd_config

uncomment the # Port 22 line

change "22" to any random port that's not in use

While I was in there, I also disabled root login through SSH. Just search the config for PermitRootLogin, uncomment and change "yes" to "no."

Restart your ssh daemon and you're good to go (/etc/rc.d/rc.sshd restart in Slackware or others using the BSD rc.d system)

It's also a good idea to allow only who you want (often only yourself on the home machine). In /etc/ssh/sshd_config:

AllowUsers rightcoast

then restart ssh (in debian) with

/etc/init.d/ssh restart
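
The three config changes discussed in the last two posts (non-default Port, PermitRootLogin no, AllowUsers) as one scripted edit, added here as an example rather than anything from the thread. It handles the case the posts describe, where the directive is present but commented out (`#Port 22`), as well as a directive that is missing altogether, and it is idempotent so running it twice does not add duplicate lines. The sample config is a constructed excerpt, the port 2222 is a placeholder for "any random port that's not in use", and the function names are my own.

```python
"""Rewrite sshd_config directives: port, root login, allowed users (added example)."""
import re

# Constructed excerpt resembling a stock sshd_config with defaults commented out.
SAMPLE_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#Protocol 2
# PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def set_directive(text, key, value):
    """Make `key value` the active setting.

    The first line for `key`, commented or not, is replaced in place so the
    setting keeps its position; if no such line exists it is appended."""
    pattern = re.compile(rf"^#?\s*{re.escape(key)}\b.*$", re.MULTILINE)
    new_line = f"{key} {value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    if not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def harden_sshd_config(text, port, allow_users):
    """Apply the three changes from the thread and return the new config text."""
    text = set_directive(text, "Port", str(port))
    text = set_directive(text, "PermitRootLogin", "no")
    text = set_directive(text, "AllowUsers", " ".join(allow_users))
    return text


def active_directives(text):
    """Parse uncommented `Key value` lines into a dict (first occurrence wins,
    which is how sshd itself resolves duplicates)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out.setdefault(key, value.strip())
    return out


if __name__ == "__main__":
    # On a real host you would read /etc/ssh/sshd_config, write the result to
    # a temporary file, and run `sshd -t -f <tmpfile>` before installing it.
    print(harden_sshd_config(SAMPLE_CONFIG, 2222, ["rightcoast"]))
```

Two practical checks before the restart step from the posts: validate the file with `sshd -t` so a typo cannot leave you with a daemon that refuses to start, and keep your current session open while you test a fresh login on the new port. AllowUsers in particular locks out everyone not listed, including you if the name is misspelled.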


I keep a constant eye on my syslog also and always see these attempts but nothing ever comes of it. I thought about changing the port number also but figured anyone who was sophisticated enough to crack an unauthorized connection would know how to port scan and find the port I was using anyway. No?

Edited by evoen

use fwknop: http://www.cipherdyne.org/fwknop/

the fwknop server runs on Linux (not sure about other OSes) and uses netfilter to hide a port you want to protect. So if your machine was only listening on 22, and someone portscanned you, they would see 22 as being open -- and immediately think you were running an sshd daemon. If you were running fwknopd on your machine and had it protecting 22, the portscanner would see no open ports (aside from the single packet authentication port listener, which is needed to open 22, but you can use tcp/udp/icmp/etc to open your protected port). You then send a single packet from the host to the server, with the proper credentials, and it will open port 22 for a pre-set amount of time (default is 30 secs).

The author gave a cool talk at shmoocon and has been to many other cons. He wrote a patch to ssh so instead of running:

$fwknop -data -data -data;ssh user@host

you can now just do:

$ssh -K "-data -data -data" user@host

or something to that effect.

It's really cool and I recommend all of you with openssh on a Linux machine to try it out.
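
To make the single packet authorization idea from this post concrete, here is a toy model of the server-side flow, added as an example; it is not fwknop's code, does not use fwknop's packet format, and does not touch netfilter. The "firewall" is an in-memory table of (client, port) entries with an expiry, the 30 second open window matches the default quoted in the post, and the pre-shared key, the 10 second freshness limit, the field layout and the names are all assumptions. What it does show is the three checks a verifier needs before opening anything: the packet must authenticate, must be recent, and must not have been seen before.

```python
"""Toy single packet authorization: closed port opens briefly after one
authenticated packet (added example, not fwknop's protocol)."""
import hashlib
import hmac
import os
import struct
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: pre-shared key
OPEN_SECONDS = 30   # the 30 s default the post mentions
MAX_SKEW = 10       # assumption: reject packets older/newer than this

# Fixed layout so parsing is unambiguous: 16-byte user, u16 port, u64 epoch, 8-byte nonce
BODY_FMT = "!16sHQ8s"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size


def build_spa_packet(key, user, port, now=None, nonce=None):
    """Client side: serialise the request and append an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8) if nonce is None else nonce
    body = struct.pack(BODY_FMT, user.encode().ljust(16, b"\0"), port, now, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Server side: verify, then record a time-limited allow entry."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()   # replay defence
        self.open_until = {}       # (client, port) -> expiry epoch

    def handle(self, client, packet, now=None):
        now = int(time.time()) if now is None else now
        if len(packet) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"          # unauthenticated: stay silent, open nothing
        user, port, ts, nonce = struct.unpack(BODY_FMT, body)
        if abs(now - ts) > MAX_SKEW:
            return "stale"            # captured packet replayed later
        if nonce in self.seen_nonces:
            return "replay"           # captured packet replayed quickly
        self.seen_nonces.add(nonce)
        self.open_until[(client, port)] = now + OPEN_SECONDS
        return "opened"

    def is_open(self, client, port, now=None):
        """What a real deployment would express as a netfilter accept rule."""
        now = int(time.time()) if now is None else now
        return self.open_until.get((client, port), 0) > now


if __name__ == "__main__":
    srv = SpaServer(SHARED_KEY)
    pkt = build_spa_packet(SHARED_KEY, "rightcoast", 22)
    print(srv.is_open("203.0.113.5", 22), srv.handle("203.0.113.5", pkt),
          srv.is_open("203.0.113.5", 22))
```

The nonce set grows forever here; a real server would only need to remember nonces younger than MAX_SKEW, since anything older is rejected as stale regardless.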

