- 03-13-2009 #1
ssh hacking attempt
Someone is trying to ssh into my box, and I'm wondering what this string means. I know someone is trying to break in, because some incorrect password attempts have been passed for root (which doesn't have login access anyway).
Code:
Mar 13 11:25:17 shimmy-desktop@mousebaked sshd[26057]: Did not receive identification string from 211.97.118.24
- 03-14-2009 #2
Try closing port 22 if possible.
Second, if it must remain open for Intra-net access, use a SOHO router with a firewall between your machine and the Internet. Connecting directly to the modem is probably not your best option. I purposely place Linux machines unsecured directly to a cable modem. Running ethereal (wireshark) and ether ape, it is amazing the amount of attempts that occur on port 22. The tests are "Lab Experiments" and are conducted to see what sorts of attempts are made to workstations and servers alike. Using a SOHO router eliminates the majority of the threat to the inside machine.
I enable port 22 for my internal subnet but only one machine is allowed ssh access from the outside. Strong passwords, no root logins allowed... you probably get the picture by now.
See the man or info pages on iptables, if you are not already using firestarter or guarddog firewall(s) on your machine.
Also see:
Did Not receive identification string from xxx.xxx.xxx.xxx - NOVELL FORUMS
for more information.
- 03-14-2009 #3
Use key authentication for SSH. Also install Fail2Ban so that after x attempts their ip gets blocked so they cannot connect at all.
- 03-14-2009 #4 (Linux Newbie)
Used to get these (approx 40,000 in a month), all coming out of China. Easy way is to move the ssh port to say 20022, or open port 20022 on the router and have it forward to the ssh port on the server (which should be closed on the router). It means you have to remember to specify the port when you connect remotely but it keeps the idiots out.
And follow the other advice already given (strong passwords, restrict which users can come in remotely etc.)
Hope that helps.
In a world without walls and fences, who needs Windows and Gates?
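The advice in the replies above (no root login, key authentication instead of passwords, a non-default port, restricting which users may connect) can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: a small auditor that parses sshd_config text and lists what is still open. The two configs at the bottom are constructed samples, and the username `shimmy` in the hardened one is a placeholder.

```python
"""Audit an sshd_config against the hardening advice given in this thread.

Added example, not code from the thread or from OpenSSH. It parses sshd_config
text, reports settings that still allow root or password logins, and flags the
default port and a missing AllowUsers/AllowGroups. Both configs at the bottom
are constructed samples.
"""
import re
from typing import Dict, List

# (directive, value the thread argues for, why). Directive names are real
# sshd_config keywords; the wanted values are the thread's advice, not defaults.
CHECKS = [
    ("PermitRootLogin", "no", "root must not log in over SSH"),
    ("PasswordAuthentication", "no", "use key authentication instead of passwords"),
    ("PubkeyAuthentication", "yes", "key authentication must stay enabled"),
]

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword (lower-cased): value} for the global section.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored. Parsing stops at the first Match block, because directives after
    it apply only to matching connections, not globally.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, wanted, reason in CHECKS:
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f"{key} not set, relying on the compiled-in default ({reason})")
        elif actual.lower() != wanted:
            findings.append(f"{key} is '{actual}', want '{wanted}' ({reason})")
    if settings.get("port", "22") == "22":
        findings.append("Port 22 is the default; the thread suggests moving it to cut automated probes")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups, so every local account is reachable remotely")
    return findings


# Constructed sample: a stock-looking config with everything the thread warns about.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same host after applying the thread's advice.
HARDENED_CONFIG = """\
# sshd_config (constructed sample)
Port 20022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers shimmy
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; an empty result means the four points raised in the thread are all covered. The port finding is informational: moving the port reduces log noise from automated scanners, which is the benefit the poster above describes, but the real controls are the first three checks.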
- 03-17-2009 #5
Yeah, I have it pretty well hardened in the ways suggested, but I was wondering what exactly that string meant because I run a program called DenyHosts that puts the IP of those who fail password attempts into /etc/denyhosts, and I wanted to figure out if there was a way to catch that string too because at the time of the post, it was the only thing happening from one host, but I didn't like it, and felt it was necessary in the future.
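To catch the "Did not receive identification string" line alongside password failures, a log scanner has to match both messages and count them per source. The following is an added example, not DenyHosts code and not from the thread: it classifies sshd log lines, tallies probe events per address and emits hosts.deny entries once an address crosses a threshold, with an allow list so you cannot lock out your own management hosts. The log lines are constructed; the first copies the one the original poster pasted, the rest use the same format.

```python
"""Scan sshd log lines for probes, the way the poster wants DenyHosts to.

Added example, not DenyHosts code and not from the thread. It counts both
'Failed password' and 'Did not receive identification string' events per
source address and emits hosts.deny lines for addresses over a threshold.
The log below is constructed; its first line copies the one the poster pasted.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# 'Did not receive identification string' is logged when a client connects and
# closes without sending an SSH banner: typically a port scanner or a
# connectivity check, not a failed login, so password-failure matching never
# sees it. 'Failed password' is the event DenyHosts already counts.
PATTERNS = {
    "no_banner": re.compile(r"sshd\[\d+\]: Did not receive identification string from " + _IP),
    "bad_password": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + _IP),
}

# Constructed sample log in sshd's syslog format.
SAMPLE_LOG = """\
Mar 13 11:25:17 shimmy-desktop@mousebaked sshd[26057]: Did not receive identification string from 211.97.118.24
Mar 13 11:25:19 shimmy-desktop@mousebaked sshd[26059]: Did not receive identification string from 211.97.118.24
Mar 13 11:26:02 shimmy-desktop@mousebaked sshd[26061]: Failed password for root from 211.97.118.24 port 40212 ssh2
Mar 13 11:26:05 shimmy-desktop@mousebaked sshd[26063]: Failed password for invalid user admin from 211.97.118.24 port 40215 ssh2
Mar 13 11:30:41 shimmy-desktop@mousebaked sshd[26070]: Accepted publickey for shimmy from 192.0.2.10 port 51022 ssh2
Mar 13 11:31:00 shimmy-desktop@mousebaked sshd[26072]: Did not receive identification string from 198.51.100.7
"""


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (event_kind, source_ip) for a probe line, or None for anything else."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return kind, m.group(1)
    return None


def summarize(lines) -> Dict[str, Counter]:
    """Per-source counts of each event kind."""
    per_ip: Dict[str, Counter] = {}
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip = hit
            per_ip.setdefault(ip, Counter())[kind] += 1
    return per_ip


def hosts_deny_entries(lines, threshold: int = 3, allow=frozenset()) -> List[str]:
    """hosts.deny lines ('sshd: <ip>') for sources with >= threshold probe events.

    `allow` holds addresses that must never be blocked (your own management
    hosts); every blocker of this kind needs such a guard against self-lockout.
    """
    entries = []
    for ip, counts in sorted(summarize(lines).items()):
        if ip in allow:
            continue
        if sum(counts.values()) >= threshold:
            entries.append(f"sshd: {ip}")
    return entries


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, counts in summarize(lines).items():
        print(ip, dict(counts))
    print("\n".join(hosts_deny_entries(lines)))
```

On the sample, the address from the original post accumulates two banner-less connections and two password failures and is the only one written out; the lone "Did not receive identification string" from the second address stays below the threshold, which is the right outcome for a single stray TCP connect. Feed it `/var/log/auth.log` (or `secure` on Red Hat-style systems) and append the output to `/etc/hosts.deny` only after reviewing it.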
- 03-18-2009 #6
Curious, does your script DenyHosts happen to work for remote hosts who attempt to log in? If so I would be interested in learning more about it... does it log the activity only or does it also adjust iptables accordingly... and could I get a copy???
- 04-13-2009 #7 (Banned)
I usually block APNIC, RIPE, etc networks from ssh unless there's a specific reason why I need to leave things open.
- 04-14-2009 #8
Oh, it's not my script, and the project page is here: Welcome to DenyHosts
That should give you all the info you need.
@thehemi
That's a really good idea. Is there a simple way of getting all the RIPE CIDRs I need? I know a few of them, but I'm pretty sure there's more than I know of.
- 04-20-2009 #9 (Banned)
- 04-22-2009 #10 (Linux Guru)
There is a Linux virus in the wild right now that uses this ssh hack to break into and compromise Linux systems. They've been getting hit pretty significantly at Fermi Lab recently. My wife who works in the computing division there had to patch a lot of their Linux systems for this over the past couple of days - "Dear, I'm going to be late patching these servers - please keep dinner warm for me?"...
SSH has been patched, and can be updated via your package manager.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!