[net] user connction to sshd

Jeff Schroeder jeff at neobox.net
Sat Jul 9 23:05:52 MDT 2005

Sean wrote:

> We noticed yesterday that there were a number of connections to the
> SSH daemon running on a test box we had running outside our firewall
> (running RH 8.0!).  The connections were from someplace in Florida,
> and someplace in Germany (we think).

Welcome to the exciting world of SSH exploit attempts! :)

I've found that any time I have an SSH server running on the internet, 
it's absolutely bombarded with repeated crack attempts using random 
(but fairly predictable) usernames.  Here's a sample from today's log:

Jul  9 18:26:15 [sshd] Invalid user httpd from ::ffff:
Jul  9 18:26:17 [sshd] Invalid user alex from ::ffff:
Jul  9 18:26:21 [sshd] Invalid user brett from ::ffff:
Jul  9 18:54:14 [sshd] Invalid user test from ::ffff:
Jul  9 18:54:18 [sshd] Invalid user guest from ::ffff:
Jul  9 18:54:21 [sshd] Invalid user admin from ::ffff:

It goes on for thousands of entries.  The pattern I've seen is anywhere 
from a dozen to a couple hundred attempts from the same remote box.  I 
can only assume these are compromised 'bots running automated shell 
scripts in hopes of hitting the jackpot.

There are several solutions.  Off the top of my head:

1) The best would be to lock down port 22 to only allow connections from 
known IP's, but in many cases (like mine) I need to allow worldwide 
access because I have clients who are pretty much anywhere.

2) It would be clever and effective to have some process running on your 
server, and when it detected multiple failed SSH login attempts, it 
would add a rule to a running iptables ruleset to block that IP.  This 
is reactive, rather than proactive, but stops repeated hits from the 
same place.  I imagine after a few days you'd have an impressive 
blacklist. ;)

3) The lazy man's solution (mine, heh) is to have usernames that are a 
bit harder to guess (e.g., "jschroed" instead of "jeff") and ensure 
that passwords are strong.  Of particular importance is the "root" 
password, which should be "unguessable" and probably changed regularly.  
Note that you can configure SSH to refuse root access altogether, which 
is a wise move.

Anyway, the bottom line is that you're not seeing anything out of the 
ordinary, and you should expect it to continue.  Just follow some 
common-sense strategies to secure the box, and you'll be fine.

Whee, ain't the internet fun? ;)


More information about the PLUG mailing list