Re: Attacker damaged my system via ssh. I'm shocked.



On Sun, 04 Jun 2006 12:41:51 -0700, aunil321 wrote:

Hi all,
I have been using FC4 for a home server for a few months with the services
httpd, mysqld, vsftp and squid. I have 2 LAN interfaces, eth0 (for the local
LAN) and eth1 (for the internet IP address). One day I checked my
"/var/log/messages" and found someone had used ssh to try to invade my
system.

x.x.x.x = my eth1 ip
not x.x.x.x = attacker ip

On the night of June 2:


Don't allow password authentication for ssh, require RSA authentication.
Put the public key of your laptop and any other systems that you want to
give access to into the authorized_keys file.

One more thing you can do is to move your ssh port from 22 to something
else. The port scanning programs only attack port 22. Obviously there is
nothing to prevent someone from writing a port scanning program that looks
for ssh on a port other than 22 but no one has bothered to do it yet. I
have two ssh servers on my network: one is on port 22 and one is on a
higher port. The server on port 22 is attacked several times a day, the
other one has never been attacked. You are probably wondering why I don't
put both servers on a high port number. The reason is that large company
firewalls don't allow outgoing ssh traffic on ports other than 22. When I
had my release server on a high port it worked fine for my clients at
startups but when I got a couple of big company clients they weren't able
to access my server. When I put the port down to 22 they were able to
access it. I require RSA authentication on both of my servers so the
attacks are never successful, but it is annoying.
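
An added example, not part of the original post: a small audit of `sshd_config` text for the two settings the reply recommends (key-only logins and the listening port). The function names, the sample configurations and port 2222 are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```python
"""Audit sshd_config text for key-only logins and the listening port (added example)."""

DEFAULTS = {  # OpenSSH defaults when a keyword is absent from the file
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Global settings as sshd reads them: the FIRST value of a keyword wins."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break  # Match blocks are conditional; only the global section is audited
        key = ALIASES.get(key, key)
        if key == "port":
            ports.append(value)  # Port may repeat; sshd listens on every one
        elif key in DEFAULTS:
            seen.setdefault(key, value.lower())
    settings = {**DEFAULTS, **seen}
    settings["port"] = ports or ["22"]
    return settings


def audit(config_text):
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive auth may still prompt for passwords (e.g. via PAM)")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled; key logins will fail")
    if "22" in s["port"]:
        findings.append("note: listening on port 22, expect scanner noise in the logs")
    return findings


# Constructed samples. In WEAK the later "no" is ignored because the first value wins.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("Port 2222\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n")
```

On a live host, `sshd -T` prints the effective configuration the daemon actually uses, which also covers included files.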
