Gentoo Forums
Ssh log shows LOTS of port 22 hits
orlanz
n00b
Joined: 25 May 2003
Posts: 26

Posted: Fri Dec 10, 2004 5:32 pm    Post subject: Ssh log shows LOTS of port 22 hits

I have ssh under xinetd. I rarely use it so why keep it running all the time?

Anyway, I was looking over the logs and from end of September to November, there were a LOT of hits for ssh or port 22. Like one every 2-3 seconds for 5-15 minutes. This happened 1-2 times a day every week or so. I looked over my system and it doesn't appear to have been hacked. I have also updated (more like put up) restrictions on the xinetd service to hinder, if not stop, this.

I did a WHOIS on the IPs and the majority are from Asia Pacific Network.
I am just posting to see if others have seen this in their logs too. Does anyone know what was happening around Sep-Nov? Was there a major sshd flaw at that time?

Also, I read somewhere that PcAnywhere accidentally uses port 22 (probably in the old versions) so that could be it too.
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Fri Dec 10, 2004 5:57 pm

I see that sometimes as well. I took a few precautions:

1. Limited sshd to certain users (AllowUsers clause in sshd_config).
2. Disabled root logins.
3. Created an sshd unauthorized use banner.
4. Collected the offending IPs and blocked them with my firewall.
_________________
The true guru is a teacher.
Neil Watson
orlanz

Joined: 25 May 2003
Posts: 26

Posted: Fri Dec 10, 2004 6:20 pm    Post subject: In case anyone is interested.

In case anyone is interested, my precautions:

I also Disabled Root Logins, but didn't realize I can limit certain users too. Going to go do that...

Collecting the IPs is a big task... too much work, so I will leave that aside. I also didn't create the banner... should go do that too.

But since I use xinetd, I tweaked that...

1. Limited connections / IP (3)
2. Limited total connections (10)
3. Limited connections / second and set a reject time (1/10 sec, 30 sec)

You can go further by:
1) Limit IPs
2) Using another port (or more than one port personal/public).
3) Limiting PC load.
4) Limiting processes.

....xinetd probably has even more...
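
An added example, not part of the original posts: collecting the offending IPs (step 4 in neilhwatson's list, which the post above sets aside as too much work) can be scripted. It groups failed sshd logins by source address and reports bursts like the "one every 2-3 seconds" pattern from the first post; the log line format, the sample lines, the thresholds and the name `find_bursts` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog-style OpenSSH line: "<Mon DD HH:MM:SS> <host> sshd[pid]: Failed password for ... from <ip>"
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?\S+ from (\d+\.\d+\.\d+\.\d+)"
)

def find_bursts(lines, year=2004, max_gap=10, min_hits=5):
    """Return {ip: [(start, end, hits), ...]} for runs of failed logins from
    one address whose consecutive attempts are at most max_gap seconds apart."""
    seen = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].append(ts)
    bursts = {}
    for ip, stamps in seen.items():
        stamps.sort()
        runs, start, prev, hits = [], stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if (ts - prev).total_seconds() <= max_gap:
                hits += 1
            else:                      # gap too long: close the current run
                if hits >= min_hits:
                    runs.append((start, prev, hits))
                start, hits = ts, 1
            prev = ts
        if hits >= min_hits:           # close the final run
            runs.append((start, prev, hits))
        if runs:
            bursts[ip] = runs
    return bursts

# Constructed sample: six attempts 3 s apart, one stray failure, one good login.
SAMPLE = [
    f"Oct 03 04:10:{s:02d} host sshd[31{s:02d}]: Failed password for "
    f"illegal user guest from 192.0.2.10 port 400{s:02d} ssh2"
    for s in range(0, 18, 3)
] + [
    "Oct 03 09:15:42 host sshd[3200]: Failed password for root from 198.51.100.7 port 51515 ssh2",
    "Oct 03 09:20:01 host sshd[3201]: Accepted password for alice from 203.0.113.5 port 50022 ssh2",
]

if __name__ == "__main__":
    for ip, runs in find_bursts(SAMPLE).items():
        for start, end, hits in runs:
            print(f"{ip}: {hits} failed logins between {start} and {end}")
```

The addresses it returns are candidates for a firewall block list; a higher `min_hits` keeps a legitimate user who mistypes a password a few times off that list.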
amne
Bodhisattva
Joined: 17 Nov 2002
Posts: 6378
Location: Graz / EU

Posted: Sat Dec 11, 2004 12:02 pm

You're not alone, a lot of people do get these rather simple break-in attempts: "i got hacked. what were they up to?"

Moved from N&S to Duplicate Threads - please reply to the other thread.