orlanz n00b
Joined: 25 May 2003 Posts: 26
Posted: Fri Dec 10, 2004 5:32 pm Post subject: Ssh log shows LOTS of port 22 hits
I have ssh under xinetd. I rarely use it so why keep it running all the time?
Anyway, I was looking over the logs and from end of September to November, there were a LOT of hits for ssh or port 22. Like one every 2-3 seconds for 5-15 minutes. This happened 1-2 times a day every week or so. I looked over my system and it doesn't appear to have been hacked. I have also updated (more like put up) restrictions on the xinetd service to hinder, if not stop, this.
I did a WHOIS on the IPs and the majority are from Asia Pacific Network.
I am just posting to see if others have seen this in their logs too. Does anyone know what was happening around Sep-Nov? Was there a major sshd flaw at that time?
Also, I read somewhere that PcAnywhere accidentally uses port 22 (probably in the old versions), so that could be it too.
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 5:57 pm
I see that sometimes as well. I took a few precautions:
1. Limited sshd to certain users (AllowUsers clause in sshd_config).
2. Disabled root logins.
3. Created an sshd unauthorized-use banner.
4. Collected the offending IPs and blocked them with my firewall.
_________________
The true guru is a teacher.
Neil Watson
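The four steps above, turned into a runnable check (an added example, not code from the post or the forum): a small POSIX shell script with a constructed sample auth log in the syslog format sshd wrote at the time, a function that lists the source IPs with at least N failed logins (step 4), a helper that prints the firewall rules for review before you apply them, and a check that a given sshd_config carries the three directives from steps 1-3. The log lines, hostnames, IP addresses, usernames and sshd_config contents are all made up for the example.

```shell
#!/bin/sh
# Added example: sshd log triage and sshd_config check (not from the thread).

# Constructed sample auth log lines in the syslog format sshd used in 2004.
# Host "box", the IPs and the usernames are made up.
SAMPLE_LOG='Dec  5 03:12:01 box sshd[2114]: Illegal user test from 203.0.113.7
Dec  5 03:12:01 box sshd[2114]: Failed password for illegal user test from 203.0.113.7 port 51234 ssh2
Dec  5 03:12:04 box sshd[2119]: Failed password for illegal user guest from 203.0.113.7 port 51240 ssh2
Dec  5 03:12:07 box sshd[2123]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec  5 03:12:10 box sshd[2127]: Failed password for illegal user admin from 203.0.113.7 port 51260 ssh2
Dec  5 09:44:13 box sshd[3001]: Failed password for root from 198.51.100.23 port 4022 ssh2
Dec  5 09:44:16 box sshd[3004]: Failed password for illegal user oracle from 198.51.100.23 port 4031 ssh2
Dec  5 18:02:40 box sshd[4411]: Accepted publickey for neil from 192.0.2.9 port 40022 ssh2
Dec  5 18:03:02 box sshd[4420]: Failed password for neil from 192.0.2.9 port 40030 ssh2'

# Step 4, part one: read a log on stdin and print "count ip" for every
# source address with at least $1 failed logins, busiest source first.
offenders() {
    min=${1:-5}
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v min="$min" '$1 >= min { print $1, $2 }' \
      | sort -rn
}

# Step 4, part two: emit (not run) one DROP rule per offender so the list
# can be reviewed before it touches the firewall.
block_rules() {
    min=${1:-5}
    offenders "$min" \
      | awk '{ print "iptables -I INPUT -s " $2 " -p tcp --dport 22 -j DROP" }'
}

# Constructed sshd_config carrying the three directives from steps 1-3.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
AllowUsers neil orlanz
Banner /etc/issue.net
PasswordAuthentication yes'

# Steps 1-3: read an sshd_config on stdin and print each hardening
# directive that is missing. Prints nothing when all three are present.
sshd_config_gaps() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' \
        || echo "PermitRootLogin no"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+' \
        || echo "AllowUsers"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*Banner[[:space:]]+' \
        || echo "Banner"
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_config_gaps
```

On a real box you would feed `/var/log/auth.log` (or wherever syslog puts the `authpriv` facility) to `offenders` instead of the sample. Blocking by source address only stops the hosts that have already shown up; the `AllowUsers` and `PermitRootLogin no` lines are what make the guessing itself fail, whichever address it comes from.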
orlanz n00b
Joined: 25 May 2003 Posts: 26
Posted: Fri Dec 10, 2004 6:20 pm Post subject: In case anyone is interested.
In case anyone is interested, my precautions:
I also disabled root logins, but didn't realize I can limit certain users too. Going to go do that...
Collecting the IPs is a big task... too much work, so I will leave that aside. I also didn't create the banner... should go do that too.
But since I use xinetd, I tweaked that...
1. Limited connections / IP (3)
2. Limited total connections (10)
3. Limited connections / second and set a reject time (1/10 sec, 30 sec)
You can go further by:
1) Limiting IPs
2) Using another port (or more than one port, personal/public).
3) Limiting PC load.
4) Limiting processes.
....xinetd probably has even more...
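An /etc/xinetd.d/ssh stanza with the three limits listed above, next to an unlimited one and a checker that flags which limits a stanza lacks (an added example, not the poster's own config). The per-source limit of 3 and the total of 10 come from the post; the `cps` rate and wait (`10 30`) and the `only_from` range are assumed values chosen for illustration, as is running sshd from xinetd with `-i`.

```shell
#!/bin/sh
# Added example: xinetd rate limits for an sshd service (not from the thread).

# The stanza xinetd would start sshd from. sshd needs -i in inetd mode.
# cps and only_from values are assumed for the example.
hardened_ssh_stanza() {
    cat <<'EOF'
service ssh
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    log_on_failure  += HOST
    # 1. at most 3 simultaneous connections from one source address
    per_source      = 3
    # 2. at most 10 sshd instances in total
    instances       = 10
    # 3. above 10 connections/second, stop accepting for 30 seconds (assumed values)
    cps             = 10 30
    # optional: only these addresses may connect at all (assumed range)
    only_from       = 192.0.2.0/24
}
EOF
}

# The same service with no limits, for comparison (constructed).
weak_ssh_stanza() {
    cat <<'EOF'
service ssh
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    instances       = UNLIMITED
}
EOF
}

# Read a stanza on stdin and print each rate-limit attribute that is missing
# or set to UNLIMITED. Prints nothing when all three limits are numeric.
xinetd_limit_gaps() {
    stanza=$(cat)
    for attr in per_source instances cps; do
        # present, and its value starts with a digit (so UNLIMITED does not count)
        printf '%s\n' "$stanza" \
          | grep -E "^[[:space:]]*$attr[[:space:]]*=[[:space:]]*[0-9]" >/dev/null \
          || echo "$attr"
    done
}

# Stand-alone run: the hardened stanza reports nothing, the weak one lists all three.
hardened_ssh_stanza | xinetd_limit_gaps
weak_ssh_stanza | xinetd_limit_gaps
```

To use a port other than the one in /etc/services (item 2 of the "go further" list), xinetd also needs `type = UNLISTED` alongside the `port` attribute, otherwise it refuses the stanza.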
amne Bodhisattva
Joined: 17 Nov 2002 Posts: 6378 Location: Graz / EU
Posted: Sat Dec 11, 2004 12:02 pm
You're not alone, a lot of people get these rather simple break-in attempts: I got hacked. What were they up to?
Moved from N&S to Duplicate Threads - please reply to the other thread.