[Sussex] unauthorised ssh attempts

Jon Fautley jon at geekpeople.net
Fri Aug 20 11:55:44 UTC 2004


On 20 Aug 2004, at 07:24, Tony Austin wrote:

> I have noticed quite a few of these in my logfiles:-
>
> current:Aug 20 06:30:54 [sshd] Failed password for illegal user test from 222.99.91.173 port 47112 ssh2

> Can someone explain the significance of the port numbers?  I have port 22
> open for ssh plus 25 and a couple for vnc, but everything else is blocked
> at the firewall and yet my server seems to be rejecting login attempts on
> other ports because of incorrect usernames and passwords.

When a TCP/IP connection is established, there are several options 
involved:

* Source IP
* Destination IP
* Source Port
* Destination Port

The source IP and destination IP are fairly self-explanatory; in the 
requests above the Source IP is 222.99.91.173.
The source port is a random port selected by the client that initiates 
the connection. This is 'their end' of the connection (think of a TCP 
connection as a tunnel), and 'your end' is the destination port, in 
this case 22. The source ports are usually random (some things, i.e. 
DNS and NFS like a specific source port), whereas the destination ports 
are 'well known services', i.e. the ports are registered (on the whole) 
with IANA, and they appear in your /etc/services file.

You're seeing someone from kornet (the national ISP in Korea) 
attempting to log in to your machine. You might want to give it the 
once-over, security-wise. People don't usually try and guess 
usernames/passwords for machines unless they can see either a) 
something on that box they want (unlikely, as I'm guessing it's on a 
DSL line) or b) another security hole they can exploit once they have 
access.

Normally, I would recommend contacting kornet's abuse department, but 
most middle-eastern countries have a very bad rep for just ignoring 
abuse reports.

... This is why a lot of people are now just flat-out refusing 
connections from China/Korea.. as my mailserver does. (OpenBSD's spamd 
rawkz :D)

Jon
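
Added example, not part of the original message: a small parser for the sshd log format quoted above that groups failed logins by source IP. It shows that the logged port is the client's source port, which changes on each attempt, while every attempt arrives on destination port 22. All sample lines except the first are constructed, and the threshold and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the post (only the first
# line's values come from the post; the rest are made up for this example).
SAMPLE_LOG = """\
Aug 20 06:30:54 [sshd] Failed password for illegal user test from 222.99.91.173 port 47112 ssh2
Aug 20 06:30:57 [sshd] Failed password for illegal user guest from 222.99.91.173 port 47188 ssh2
Aug 20 06:31:01 [sshd] Failed password for illegal user admin from 222.99.91.173 port 47240 ssh2
Aug 20 06:45:10 [sshd] Failed password for root from 192.0.2.7 port 51022 ssh2
Aug 20 07:02:33 [sshd] Accepted password for tony from 192.0.2.50 port 40001 ssh2
"""

# "illegal user" is the wording in the quoted log; newer OpenSSH says "invalid user".
FAILED = re.compile(
    r"Failed password for (?P<unknown>illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<sport>\d+)"
)

def parse_failures(text):
    """Yield one dict per failed-password line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            yield {"user": m["user"], "ip": m["ip"],
                   "source_port": int(m["sport"]),  # client side, not port 22
                   "unknown_user": m["unknown"] is not None}

def summarise(text, threshold=3):
    """Group failures by source IP; flag sources with >= threshold failures."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "source_ports": set()})
    for f in parse_failures(text):
        entry = by_ip[f["ip"]]
        entry["count"] += 1
        entry["users"].add(f["user"])
        entry["source_ports"].add(f["source_port"])
    return {ip: dict(e, flagged=e["count"] >= threshold) for ip, e in by_ip.items()}

if __name__ == "__main__":
    for ip, e in summarise(SAMPLE_LOG).items():
        print(ip, e["count"], sorted(e["users"]), sorted(e["source_ports"]), e["flagged"])
```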




