[HLUG] Last couple of messages didn't go through

Mark Broadbent mgjbroadbent at googlemail.com
Wed Jan 4 10:17:04 GMT 2006


On 03/01/06, tundish <tundish at thuswise.org.uk> wrote:
>
> >>I have noticed someone has been/or trying to gain access to my ssh on my
> >>linux server. I get a log sent to my gmail account every hour from my
> >>router. I have noticed that the ssh port 22 is being used. See below.
> >>
> >>Wed, 2005-12-28 19:29:02 - TCP Packet - Source:202.63.114.43,46799
> >>Destination:192.168.0.2,22 - [SSH match]
> >>Wed, 2005-12-28 19:29:14 - TCP Packet - Source:202.63.114.43,48700
> >>Destination:192.168.0.2,22 - [SSH match]
> >>Wed, 2005-12-28 19:29:17 - TCP Packet - Source:202.63.114.43,48779
> >>Destination:192.168.0.2,22 - [SSH match]
> >>Wed, 2005-12-28 19:29:21 - TCP Packet - Source:202.63.114.43,48858
> >>Destination:192.168.0.2,22 - [SSH match]
> >>Wed, 2005-12-28 19:29:26 - TCP Packet - Source:202.63.114.43,49768
> >>Destination:192.168.0.2,22 - [SSH match]
> >>
>
> This is an odd little site:
> http://202.63.114.43/
>
> Couldn't find who owns it though:
> http://www.networksolutions.com/whois
>
> Maybe someone's doing an nmap scan. Notice how the port numbers change.
> I'm not an expert at all, but I think the idea is to find out what
> version of OpenSSH you have, in case there's an exploit for it.

It's only the source port that changes which is to be expected as each
new TCP connection from that machine will increment that number.  An
nmap scan would change the destination port number.

> Make sure you remove useful information (like your kernel version and
> arch) from your SSH login message.

It can help but by that point SSH has already given away some useful
information. See below:

$ telnet linuxbox ssh
SSH-2.0-OpenSSH_4.2p1 Debian-5

Nothing beats keeping up-to-date with security patches and preferably,
a nice beefy firewall. :-)

Cheers
mark


--
Mark Broadbent
Herefordshire LUG Master

* http://www.wetlettuce.com/
* http://www.herefordshire.lug.org.uk/
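
The source-port versus destination-port distinction made in the reply above, as an added example that is not part of the original message: it groups router log records by source address and looks at how many distinct destination ports each source touched. The 198.51.100.7 records, the classify() helper and the threshold of 3 distinct ports are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Router log format as quoted in the thread (wrapped lines rejoined).
LINE_RE = re.compile(
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
)

# Constructed sample: the first three records follow the thread's log,
# the 198.51.100.7 records are invented to show a scan-like pattern.
SAMPLE_LOG = """\
Wed, 2005-12-28 19:29:02 - TCP Packet - Source:202.63.114.43,46799 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:14 - TCP Packet - Source:202.63.114.43,48700 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:17 - TCP Packet - Source:202.63.114.43,48779 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 20:01:05 - TCP Packet - Source:198.51.100.7,51000 Destination:192.168.0.2,21
Wed, 2005-12-28 20:01:05 - TCP Packet - Source:198.51.100.7,51001 Destination:192.168.0.2,22
Wed, 2005-12-28 20:01:06 - TCP Packet - Source:198.51.100.7,51002 Destination:192.168.0.2,23
Wed, 2005-12-28 20:01:06 - TCP Packet - Source:198.51.100.7,51003 Destination:192.168.0.2,80
"""

def classify(log_text, scan_threshold=3):
    """Return {source_ip: verdict} based on the destination ports each source hit."""
    dports = defaultdict(set)   # source IP -> distinct destination ports
    hits = defaultdict(int)     # source IP -> number of packet records
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not a packet record
        dports[m["src"]].add(int(m["dport"]))
        hits[m["src"]] += 1
    verdicts = {}
    for src, ports in dports.items():
        if len(ports) >= scan_threshold:   # many destination ports: scan-like
            verdicts[src] = "port scan"
        elif hits[src] > 1:                # same port, new source port each time
            verdicts[src] = "repeated connections to port(s) %s" % sorted(ports)
        else:
            verdicts[src] = "single connection"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, "->", verdict)
```

Source ports are parsed but deliberately ignored in the verdict, since they change on every new connection whatever the client is doing.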


