[plug] was I probed or ignorantly paranoid?

Craig Ringer craig at postnewspapers.com.au
Wed Mar 30 04:56:43 WST 2005


On Wed, 2005-03-30 at 01:28 +0800, Gavin Chester wrote:
> I'm not sure whether I was probed or whether I saw some normal traffic
> to my machine.  Either way it seemed strange to have many repeat ssh
> requests when no one should be ssh-ing into my PC.  Maybe you guys could
> shed some light for me? I'm a newbie to many Linux concepts - especially
> security :-0.  I run a fairly stock-standard FC3 install with as few
> services active as possible and a generic (read as un-tweaked) firewall
> in place.  I was watching network activity on my modem and checked out
> what it could be with ethereal to capture the packets.  Here is a small
> sample of the trace where ssh was repeated over and over with attempts
> to exchange keys:  

> Server Protocol: SSH-1.99-OpenSSH_3.9p1
> Client Protocol: SSH-2.0-libssh-0.1\r
> Server: Key Exchange Init
> Client: Key Exchange Init
> Client: Diffie-Hellman Key Exchange Init
> Server: New Keys
> Client: New Keys
> Client: Unknown (244)
> Server: Unknown (192)
> Encrypted request packet len=84
> Encrypted response packet len=84
> Encrypted request packet len=52
> ssh > 56327 [FIN, ACK]

From the (heavily edited) above, it's impossible to say 100% for
certain, but that looks a lot like they completed setup of session keys,
tried to authenticate, failed, and disconnected.

They're probably just scanning for machines with blank root passwords,
root password "root", etc. Check your /var/log/auth.log for details.

> Needless to say I killed ssh as a service since I am not using it and
> only had it there "in case" I did want it sometime soon.

If you have good passwords, this probably isn't something to worry too
much about. If you are really concerned you could require public key
authentication, so that password logins are impossible. You could also
restrict access to a certain IP range or set of IPs. It's also possible
to have sshd listen only on a non-standard port to foil casual scanning,
though the occasional paranoid firewall might make your life difficult
if you do that.

I tend to run with key auth required and sshd on a non-standard port for
the "high exposure" hosts I run (juicy targets / permanent fast
connections). Others I tend to leave on port 22 and some have password
auth enabled; they're hosts where I can ensure all accounts have good
passwords and where I can make sure it's all up-to-date.

Realistically, I wouldn't worry too much about ssh. Running it on a high
port might be reasonable, as might disabling password auth, but both
have consequences in convenience (firewall issues and needing to have
your ssh key with you, respectively).

--
Craig Ringer
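As an added example (not part of the thread, nor Gavin's or Craig's own code), the following script does the two checks the reply suggests: it summarises "Failed password" entries from an auth.log per source address, so repeated attempts against root and guessed account names stand out, and it audits an sshd_config fragment against the hardening advice given above (key-only auth, no root login, non-standard port, restricted accounts). The log lines, the IP addresses and the two config fragments are constructed sample data; the sshd_config directive names are real OpenSSH ones, and the assumed defaults follow the older releases in the thread.

```python
"""Summarise failed SSH logins and audit sshd_config (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in OpenSSH's syslog format. The hostname,
# PIDs, usernames and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar 30 01:20:11 fc3box sshd[4021]: Failed password for root from 203.0.113.7 port 56327 ssh2
Mar 30 01:20:13 fc3box sshd[4023]: Failed password for root from 203.0.113.7 port 56329 ssh2
Mar 30 01:20:15 fc3box sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 56331 ssh2
Mar 30 01:20:17 fc3box sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 56333 ssh2
Mar 30 01:21:02 fc3box sshd[4031]: Accepted publickey for gavin from 192.0.2.10 port 40122 ssh2
Mar 30 01:22:40 fc3box sshd[4040]: Failed password for guest from 198.51.100.9 port 51000 ssh2
"""

# "invalid user" is what sshd logs when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def summarise_failures(log_text):
    """Return {ip: {"count": n, "users": Counter}} for failed logins."""
    per_ip = defaultdict(lambda: {"count": 0, "users": Counter()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]]["count"] += 1
            per_ip[m["ip"]]["users"][m["user"]] += 1
    return dict(per_ip)


def likely_scanners(summary, threshold=3):
    """Addresses with at least `threshold` failures: the repeat pattern in the trace."""
    return sorted(ip for ip, entry in summary.items() if entry["count"] >= threshold)


# Constructed sshd_config fragments: a stock-style one and one following the
# advice in the reply. AllowUsers takes USER@HOST patterns, so the hardened
# fragment also limits where that account may log in from.
STOCK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers gavin@192.0.2.*
"""


def parse_sshd_config(text):
    """Map each directive to its first value (sshd honours the first occurrence)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip())
    return conf


def audit_sshd_config(text):
    """Return findings against the hardening advice; an empty list means all clear.

    Defaults assumed here ("yes" for password and root login, port 22) are
    those of the older OpenSSH releases discussed in the thread.
    """
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on; set it to no once keys are in place")
    if conf.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'; root is the account scanners try first")
    if conf.get("port", "22") == "22":
        findings.append("Port 22 in use; a non-standard port cuts casual scanning noise")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups; restrict which accounts (and from where) may log in")
    return findings


if __name__ == "__main__":
    summary = summarise_failures(SAMPLE_AUTH_LOG)
    for ip in likely_scanners(summary):
        print(f"{ip}: {summary[ip]['count']} failures, users tried: {dict(summary[ip]['users'])}")
    for name, cfg in (("stock", STOCK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} config findings: {audit_sshd_config(cfg) or 'none'}")
```

On a real host, feed `summarise_failures` the contents of `/var/log/auth.log` (or `/var/log/secure` on Red Hat derived systems such as FC3) and `audit_sshd_config` the text of `/etc/ssh/sshd_config`; the threshold of three failures from one address is an arbitrary starting point, and the per-user breakdown shows whether the attempts are the root/admin/test guessing Craig describes or something aimed at your real accounts.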