Gentoo Forums
Forum: Networking & Security
Weird ssh connections, not made by me
audiodef (Watchman; joined 06 Jul 2005; 6308 posts; location: /usr/lib64/lv2)
PostPosted: Wed Jan 11, 2017 10:27 pm    Post subject: Weird ssh connections, not made by me

While examining /var/log/messages, I noticed stuff like this:

Code:

Jan 11 21:08:21 serverdef sshd[19050]: Did not receive identification string from 95.249.60.207 port 37765
Jan 11 21:08:31 serverdef sshd[19054]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-37989;Protocol: 2.0;Client: Go
Jan 11 21:08:32 serverdef sshd[19054]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-37989;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:08:44 serverdef sshd[19054]: Connection closed by 95.249.60.207 port 37989 [preauth]
Jan 11 21:08:45 serverdef sshd[19061]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-38248;Protocol: 2.0;Client: Go
Jan 11 21:08:45 serverdef sshd[19061]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-38248;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:09:00 serverdef sshd[19061]: Connection closed by 95.249.60.207 port 38248 [preauth]
Jan 11 21:09:01 serverdef sshd[19071]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-38567;Protocol: 2.0;Client: Go
Jan 11 21:09:01 serverdef sshd[19071]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-38567;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:09:13 serverdef sshd[19071]: Connection closed by 95.249.60.207 port 38567 [preauth]


What is this? Should I be concerned? If so, how do I put the kibosh on it?
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.
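The lines audiodef quotes are all pre-authentication disconnects from one address whose version banner is "Go": the peer connects, completes key exchange and leaves without trying to log in. A defender's first step is to count such events per source and time window rather than read them one by one. The following is an added example, not code from the thread; the log sample is constructed in the same layout as the quoted lines, using documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same layout as the sshd lines quoted in the post
# (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 11 21:08:21 serverdef sshd[19050]: Did not receive identification string from 203.0.113.7 port 37765
Jan 11 21:08:31 serverdef sshd[19054]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-37989;Protocol: 2.0;Client: Go
Jan 11 21:08:44 serverdef sshd[19054]: Connection closed by 203.0.113.7 port 37989 [preauth]
Jan 11 21:08:45 serverdef sshd[19061]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-38248;Protocol: 2.0;Client: Go
Jan 11 21:09:00 serverdef sshd[19061]: Connection closed by 203.0.113.7 port 38248 [preauth]
Jan 11 21:09:13 serverdef sshd[19071]: Connection closed by 203.0.113.7 port 38567 [preauth]
Jan 11 21:15:02 serverdef sshd[19102]: Accepted publickey for admin from 198.51.100.5 port 50222 ssh2
Jan 11 21:20:40 serverdef sshd[19130]: Connection closed by 198.51.100.5 port 50223 [preauth]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Both messages mean the peer went away before any authentication attempt.
PREAUTH_RE = re.compile(
    r"(?:Did not receive identification string from|Connection closed by) "
    r"(?P<ip>\d+(?:\.\d+){3}) port \d+")
# The client version banner as it appears in the quoted "Ltype: Version" records.
BANNER_RE = re.compile(r"Remote: (?P<ip>\d+(?:\.\d+){3})-\d+;.*?Client: (?P<client>.+)$")

def summarize(log_text, year=2017):
    """Per source address: pre-auth disconnect count, first/last time, client banners."""
    stats = defaultdict(lambda: {"preauth": 0, "first": None, "last": None, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if pm := PREAUTH_RE.search(msg):
            s = stats[pm["ip"]]
            s["preauth"] += 1
            s["first"] = s["first"] or ts
            s["last"] = ts
        elif bm := BANNER_RE.search(msg):
            stats[bm["ip"]]["clients"].add(bm["client"].strip())
    return dict(stats)

def flag_scanners(stats, min_events=3, window=timedelta(minutes=5)):
    """Addresses whose pre-auth disconnects cluster: at least min_events within window."""
    return sorted(ip for ip, s in stats.items()
                  if s["preauth"] >= min_events and s["last"] - s["first"] <= window)
```

Run against a real /var/log/messages the output is a per-address list to hand to a firewall rule or a fail2ban-style ban, and the banner set shows whether one tool or many are knocking.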
eccerr0r (Watchman; joined 01 Jul 2004; 7051 posts; location: almost Mile High in the USA)
PostPosted: Wed Jan 11, 2017 11:34 pm    Post subject:

Still wet behind the ears checking logs? j/k

Just make sure you have a good secure password for all accounts, and don't worry about it.

If you're that worried about it, other than disabling sshd access from the outside, you'll have to do one or more of these:

1 - run a vpn and only allow ssh after vpn connect
2 - run sshd on another port
3 - implement port knocking or some fail2ban or something.

I just let them all go and hope my passwords cannot be dictionary attacked.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Ant P. (Watchman; joined 18 Apr 2009; 5592 posts)
PostPosted: Thu Jan 12, 2017 12:34 am    Post subject: Re: Weird ssh connections, not made by me

audiodef wrote:
What is this?

The cesspool that is the public Internet. If you want clean logs, don't run things on any port in /etc/services with a name. You can get rid of 99% of the crap in a web server log by going HTTPS-only too.

That's obviously not security though.
If you want to actually *be* safer, do USE="-ssl" emerge openssh. After that your sshd won't be linked to OpenSSL and as a result will only know the 1 ciphersuite the OpenBSD devs put into it, which is more than enough to outsmart random skiddies knocking on the front door.
(It's also faster than the default one, with or without hardware AES, or so I've heard ;))
eccerr0r
PostPosted: Thu Jan 12, 2017 1:07 am    Post subject:

I'm starting to get crap in my https logs too, so they're starting to catch on...

BTW yesterday I got "over 9000" (about 9400 blocked, 300 connects) SSH login attempts, so don't feel too bad. Then again it was an exceptional day.
chiefbag (Guru; joined 01 Oct 2010; 542 posts; location: The Kingdom)
PostPosted: Thu Jan 12, 2017 8:05 am    Post subject:

To alleviate these connection attempts you have a few options.
1: Run sshd on a non standard port
2: Use port knocking to allow access to port 22
Code:
http://gentoo-en.vfose.ru/wiki/Port_Knocking

3: Firewall to allow only certain IP addresses via iptables.
4: Use something like Fail2ban.
Code:
https://wiki.gentoo.org/wiki/Fail2ban


Always deny password authentication and challenge response on a publicly accessible server; use public/private keys.
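chiefbag's last point, key-only login with both password and challenge-response authentication denied, is easy to get subtly wrong in sshd_config: keywords are case-insensitive, the first occurrence of a keyword wins, and a commented-out line sets nothing. The following checker is an added example, not code from the thread or from OpenSSH; the DEFAULTS table assumes upstream compile-time defaults (a distribution's shipped sshd_config may differ) and both config fragments are constructed.

```python
# Upstream OpenSSH compile-time defaults for the keywords checked below
# (assumed for this example; the distribution's shipped sshd_config may differ).
DEFAULTS = {
    "port": "22",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# Constructed sshd_config fragments (not from the thread): a common weak layout and a hardened one.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Global settings as sshd resolves them: keyword case is ignored, the FIRST
    occurrence of a keyword wins, and a line starting with '#' sets nothing.
    Parsing stops at the first Match block, whose lines apply only to matching clients."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")  # "Key value" or "Key=value"
        key = key.lower()
        if key == "match":
            break
        seen.setdefault(key, value.strip().lower())
    return {**DEFAULTS, **seen}

def password_auth_findings(config_text):
    """Codes for settings that leave a password path open or hinder key-only use."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("password-auth-enabled")
    # With UsePAM yes, PAM can still prompt for a password through keyboard-interactive
    # even when PasswordAuthentication is off, unless challenge-response is also off.
    if eff["usepam"] == "yes" and eff["challengeresponseauthentication"] == "yes":
        findings.append("pam-keyboard-interactive-passwords")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkey-disabled")
    if eff["port"] == "22":
        findings.append("default-port")  # cuts log noise only; not an authentication control
    return findings
```

Confirm a key-based login from a second session before restarting sshd with the hardened file, since a wrong setting produces exactly the "Permission denied (publickey)" lockout audiodef describes later in the thread.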
audiodef
PostPosted: Thu Jan 12, 2017 4:55 pm    Post subject: Re: Weird ssh connections, not made by me

Ant P. wrote:
audiodef wrote:
What is this?

The cesspool that is the public Internet. If you want clean logs, don't run things on any port in /etc/services with a name. You can get rid of 99% of the crap in a web server log by going HTTPS-only too.

That's obviously not security though.
If you want to actually *be* safer, do USE="-ssl" emerge openssh. After that your sshd won't be linked to OpenSSL and as a result will only know the 1 ciphersuite the OpenBSD devs put into it, which is more than enough to outsmart random skiddies knocking on the front door.
(It's also faster than the default one, with or without hardware AES, or so I've heard ;))


Thanks! Should I be surprised at this after recompiling?
Code:

/etc/init.d/sshd restart
 * Caching service dependencies ... [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Stopping sshd ... [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Starting sshd ...
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key


EDIT:

Whoops, can't go this route. Now I'm blocked out with permission denied (publickey). I hope I can get in through my server host's panel and undo this...

Yep, sorted.
Last edited by audiodef on Thu Jan 12, 2017 5:09 pm; edited 1 time in total
audiodef
PostPosted: Thu Jan 12, 2017 5:08 pm    Post subject:

I appreciate the replies, guys. I'll be checking out those options. :)
eccerr0r
PostPosted: Thu Jan 12, 2017 5:45 pm    Post subject: Re: Weird ssh connections, not made by me

audiodef wrote:
Whoops, can't go this route. Now I'm blocked out with permission denied (publickey). I hope I can get in through my server host's panel and undo this...


Once again Convenience vs Security... I opted just to leave it open to the public so I can ssh from anywhere.
audiodef
PostPosted: Fri Jan 13, 2017 1:06 am    Post subject:

Yeah, I need that, too. But fail2ban is looking like a good starting measure, and it's well-documented. (Meaning I probably won't have to bother you folks too much with l4m3 n00b q's.)
eccerr0r
PostPosted: Fri Jan 13, 2017 7:16 am    Post subject:

Sorry, did not mean to call anyone out on a "n00b" question, all questions are good questions.

But it really pisses me off, all these hackers around probing just about every IPv4 address for an easy hack. I'm just glad I don't pay by the byte (then again my limited bandwidth is wasted by their attacks whether my machines respond to them or not). Makes me want to puke. Would be nice to just use IPv6 so that the search space is almost like hitting the lottery, alas... security by obscurity is not security.
Ant P.
PostPosted: Fri Jan 13, 2017 6:52 pm    Post subject: Re: Weird ssh connections, not made by me

audiodef wrote:
Thanks! Should I be surprised at this after recompiling?
Code:

/etc/init.d/sshd restart
 * Caching service dependencies ... [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Stopping sshd ... [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Starting sshd ...
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key

I probably should have mentioned that too, whoops. You only get ed25519 this way and anything else becomes a config error.
1clue (Advocate; joined 05 Feb 2006; 2514 posts)
PostPosted: Fri Jan 13, 2017 8:12 pm    Post subject:

fail2ban is a must-have for any public-facing service. Before I did that I literally ran out of disk space because someone was trying to brute force my sshd.

On top of that I'd implement the VPN or at least port knocking.

I'm also of the opinion that if you're hooking up through a SOHO (small office/home office) router that you're essentially crowd surfing while naked. The bad guys can see and touch everything you have.

IMO a public-facing, public-serving business needs all or most of:

  1. fail2ban or similar.
  2. VPN for EVERY remote-to-local access not intended to be a public service
  3. IDS/IPS, (suricata or snort or ???).
  4. Port knocking for anything which gives you authority to execute non-service features (shell, etc). Cryptknock looks interesting but I've never used it and the site says it's old. http://cryptknock.sourceforge.net/
  5. A DMZ which can't initiate a connection to your internal network under any circumstances. This would force a VPN connection for remote access to your internal site.
  6. DMZ only contains the minimal functionality needed to support public-facing services.
  7. DMZ has outbound firewall with only necessary ports open. Prevents malware on DMZ systems from being used as an attack platform. Personally I'd like to do the same with the internal network but the users complain loudly.
audiodef
PostPosted: Sat Jan 14, 2017 12:27 am    Post subject: Re: Weird ssh connections, not made by me

Ant P. wrote:

I probably should have mentioned that too, whoops. You only get ed25519 this way and anything else becomes a config error.


https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

Nice, I'll look into this. Thanks.
audiodef
PostPosted: Sat Jan 14, 2017 12:29 am    Post subject:

It's a hosted dedicated server, but the rest of your advice is much appreciated, thank you. 8)

1clue wrote:
fail2ban is a must-have for any public-facing service. Before I did that I literally ran out of disk space because someone was trying to brute force my sshd.

On top of that I'd implement the VPN or at least port knocking.

I'm also of the opinion that if you're hooking up through a SOHO (small office/home office) router that you're essentially crowd surfing while naked. The bad guys can see and touch everything you have.

IMO a public-facing, public-serving business needs all or most of:

  1. fail2ban or similar.
  2. VPN for EVERY remote-to-local access not intended to be a public service
  3. IDS/IPS, (suricata or snort or ???).
  4. Port knocking for anything which gives you authority to execute non-service features (shell, etc). Cryptknock looks interesting but I've never used it and the site says it's old. http://cryptknock.sourceforge.net/
  5. A DMZ which can't initiate a connection to your internal network under any circumstances. This would force a VPN connection for remote access to your internal site.
  6. DMZ only contains the minimal functionality needed to support public-facing services.
  7. DMZ has outbound firewall with only necessary ports open. Prevents malware on DMZ systems from being used as an attack platform. Personally I'd like to do the same with the internal network but the users complain loudly.
