  1. #1 SagaciousKJB (Linux Newbie) - Joined Aug 2007 - Yakima, WA - 162 posts

    ssh hacking attempt


    Someone is trying to ssh into my box, and I'm wondering what this string means

    Code:
    Mar 13 11:25:17 shimmy-desktop@mousebaked sshd[26057]: Did not receive identification string from 211.97.118.24
    I know someone is trying to break in, because some incorrect password attempts have been passed for root ( which doesn't have login access anyway ).

  2. #2 pmcoleman (Just Joined!) - Joined Jan 2009 - Colorado Springs, CO USA - 30 posts
    Try closing port 22 if possible.
    Second, if it must remain open for Intra-net access, use a SOHO router with a firewall between your machine and the Internet. Connecting directly to the modem is probably not your best option. I purposely place Linux machines unsecured directly to a cable modem. Running ethereal (wireshark) and ether ape, it is amazing the amount of attempts that occur on port 22. The tests are "Lab Experiments" and are conducted to see what sorts of attempts are made to workstations and servers alike. Using a SOHO router eliminates the majority of the threat to the inside machine.

    I enable port 22 for my internal subnet but only one machine is allowed ssh access from the outside. Strong passwords, no root logins allowed... you probably get the picture by now.

    See the man or info pages on iptables, if you are not already using firestarter or guarddog firewall(s) on your machine.

    Also see:
    Did Not receive identification string from xxx.xxx.xxx.xxx - NOVELL FORUMS
    for more information.

  3. #3 Lazydog (Linux Guru) - Joined Jun 2004 - The Keystone State - 2,677 posts
    Use key authentication for SSH. Also install Fail2Ban so that after x attempts their ip gets blocked so they cannot connect at all.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285

  4. #4 Linux Newbie - Joined Sep 2004 - UK - 161 posts
    Used to get these (approx 40,000 in a month), all coming out of China. Easy way is to move the ssh port to say 20022, or open port 20022 on the router and have to forward the ssh port to the server (which should be closed on the router). It means you have to remember to specify the port when you connect remotely, but it keeps the idiots out.

    And follow the other advice already given (strong passwords, restrict which users can come in remotely, etc.)

    Hope that helps.
    In a world without walls and fences, who needs Windows and Gates?

  5. #5 SagaciousKJB (Linux Newbie) - Joined Aug 2007 - Yakima, WA - 162 posts
    Yeah, I have it pretty well hardened in the ways suggested, but I was wondering what exactly that string meant, because I run a program called DenyHosts that puts the IP of those who fail password attempts into /etc/denyhosts, and I wanted to figure out if there was a way to catch that string too. At the time of the post it was the only thing happening from one host, but I didn't like it, and felt it was necessary in the future.
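One way to catch the "Did not receive identification string" line alongside failed passwords, in the style of what the poster asks for. This is an added example, not DenyHosts code or anything from the thread; the log lines are constructed from the one quoted above, the threshold is arbitrary, and the output format assumes the `sshd: <ip>` form used by hosts.deny.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (modelled on the line quoted in the thread; not a real capture).
SAMPLE_LOG = """\
Mar 13 11:25:17 shimmy-desktop@mousebaked sshd[26057]: Did not receive identification string from 211.97.118.24
Mar 13 11:25:19 shimmy-desktop@mousebaked sshd[26058]: Did not receive identification string from 211.97.118.24
Mar 13 11:25:21 shimmy-desktop@mousebaked sshd[26059]: Did not receive identification string from 211.97.118.24
Mar 13 11:26:02 shimmy-desktop@mousebaked sshd[26063]: Failed password for root from 211.97.118.24 port 4123 ssh2
Mar 13 11:27:45 shimmy-desktop@mousebaked sshd[26070]: Did not receive identification string from 192.0.2.10
Mar 13 11:28:00 shimmy-desktop@mousebaked sshd[26071]: Accepted publickey for shimmy from 192.0.2.10 port 50022 ssh2
"""

# Two event kinds: a client that connected but never sent an SSH banner (scanner or
# broken client), and an outright failed password.  Both carry the source IP.
PATTERNS = {
    "noident": re.compile(r"sshd\[\d+\]: Did not receive identification string from (\d+\.\d+\.\d+\.\d+)"),
    "failpw": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
}


def count_events(log_text):
    """Return {ip: Counter({'noident': n, 'failpw': m})} for the matching sshd lines."""
    per_ip = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                per_ip.setdefault(m.group(1), Counter())[kind] += 1
    return per_ip


def offenders(log_text, threshold=3):
    """IPs whose combined suspicious events reach the (arbitrary) threshold, sorted."""
    return sorted(ip for ip, c in count_events(log_text).items() if sum(c.values()) >= threshold)


def hosts_deny_lines(ips):
    """Render the offenders as hosts.deny entries for sshd (strings only; nothing is written)."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    for line in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(line)
```

A single "Did not receive identification string" can also come from a monitoring probe or a client that dropped the TCP connection early, which is why the example counts per host before deciding rather than blocking on the first hit.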

  6. #6 pmcoleman (Just Joined!) - Joined Jan 2009 - Colorado Springs, CO USA - 30 posts
    Curious, does your script DenyHosts happen to work for remote hosts who attempt to log in? If so I would be interested in learning more about it... does it log the activity only or does it also adjust iptables accordingly... and could I get a copy???

  7. #7 Banned - Joined Dec 2002 - Texas - 242 posts
    I usually block APNIC, RIPE, etc. networks from ssh unless there's a specific reason why I need to leave things open.

  8. #8 SagaciousKJB (Linux Newbie) - Joined Aug 2007 - Yakima, WA - 162 posts
    > Originally posted by pmcoleman:
    > Curious, does your script DenyHosts happen to work for remote hosts who attempt to log in? If so I would be interested in learning more about it... does it log the activity only or does it also adjust iptables accordingly... and could I get a copy???

    Oh, it's not my script, and the project page is here: Welcome to DenyHosts

    That should give you all the info you need.

    @thehemi

    That's a really good idea. Is there a simple way of getting all the RIPE CIDRs I need? I know a few of them, but I'm pretty sure there's more than I know of.

  9. #9 Banned - Joined Dec 2002 - Texas - 242 posts
    > Originally posted by SagaciousKJB:
    > Is there a simple way of getting all the RIPE CIDRs I need? I know a few of them, but I'm pretty sure there's more than I know of.

    http://www.iana.org/assignments/ipv4-address-space/
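Turning the IANA /8 registry linked above into a block list for the ssh port, as posts #7 and #8 discuss. This is an added example, not code from the thread; the CSV excerpt is constructed in the column layout IANA publishes (header names assumed) and the rules are rendered as strings rather than applied.

```python
import csv
import io
import ipaddress

# Constructed excerpt in the layout of IANA's ipv4-address-space.csv (assumed columns; not a real download).
SAMPLE_CSV = """\
Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
001/8,APNIC,2010-01,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
003/8,Administered by ARIN,1994-05,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
080/8,RIPE NCC,2001-04,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
193/8,RIPE NCC,1993-05,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
240/8,Future use,1981-09,,,RESERVED,
"""


def blocks_for_registry(csv_text, whois_host):
    """Return the /8 networks whose WHOIS server matches whois_host (e.g. whois.ripe.net)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    nets = []
    for row in reader:
        # Older copies of the file spell the column "Whois"; accept either.
        whois = (row.get("WHOIS") or row.get("Whois") or "").strip().lower()
        if whois != whois_host.lower():
            continue
        first_octet, length = row["Prefix"].split("/")  # IANA writes "193/8", meaning 193.0.0.0/8
        nets.append(ipaddress.ip_network("%d.0.0.0/%s" % (int(first_octet), length)))
    return nets


def iptables_rules(nets, port=22):
    """Render one DROP rule per network for the sshd port (strings only; nothing is executed)."""
    return ["iptables -A INPUT -p tcp --dport %d -s %s -j DROP" % (port, n) for n in nets]


if __name__ == "__main__":
    for rule in iptables_rules(blocks_for_registry(SAMPLE_CSV, "whois.ripe.net")):
        print(rule)
```

The IANA file only records /8 blocks, so some of them are shared between registries or partly unallocated; a per-registry delegated-extended file gives finer CIDRs if the coarse list blocks too much.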

  10. #10 Rubberman (Linux Guru) - Joined Apr 2009 - I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away. - 11,454 posts
    There is a Linux virus in the wild right now that uses this ssh hack to break into and compromise Linux systems. They've been getting hit pretty significantly at Fermi Lab recently. My wife who works in the computing division there had to patch a lot of their Linux systems for this over the past couple of days - "Dear, I'm going to be late patching these servers - please keep dinner warm for me?"... SSH has been patched, and can be updated via your package manager.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
