I've had an Ubuntu 8.04 server running and on the Internet for a few days. I have ports 21 and 22 open for FTP and SSH. All other ports are closed.

I ran netstat and found this:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp6       0     68 10.7.1.71%134645824:ssh 125.211.221.145%8:47777 ESTABLISHED

It appears as if 125.211.221.145 has established an SSH connection to the server and is sending packets out. Is it possible for someone to establish an SSH connection without authenticating?

I did reverse DNS lookups on the address, and it seems to originate from China according to this resource:
http://www.ipaddresser.com/

I assume most servers are fending off stuff like this all the time, but is it unusual to have someone sit on a port like this? And is there a way to block certain IPs at the server level?

The server is sitting behind a substantial Cisco firewall.
-
All "ESTABLISHED" means is that the TCP session is open. It does not mean that they have successfully authenticated. Nmap, for example, will create a complete, legal TCP session when scanning port 22. (It's verifying that the daemon is sshd, checking version strings, etc.) This person could be running a simple port scanner or even attempting to brute-force your passwords.

To figure out what's actually happening, you'll need to spend some quality time with your logs. Spend most of your time looking for successful and failed logins. Also, just running "who" will let you know if someone is actually logged in via that connection. The output of "last" can also be useful.

From Insyte
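The distinction Insyte draws (an ESTABLISHED socket is not an authenticated session) can be checked mechanically. The Python script below is an added example, not code from this thread: it parses netstat output in the shape shown in the question plus sshd lines of the kind found in /var/log/auth.log, and reports for each established SSH connection whether the log records an accepted login, only failures, or nothing at all. The netstat and log lines are constructed samples; the correlation key is the remote (IP, source port) pair, which sshd logs for every authentication attempt on that connection.

```python
import re
from collections import defaultdict

# Constructed netstat output, same shape as the question's (scope suffixes and all).
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0     68 10.7.1.71%134645824:ssh 125.211.221.145%8:47777 ESTABLISHED
tcp        0      0 10.7.1.71:ssh           192.0.2.10:51022        ESTABLISHED
"""

# Constructed /var/log/auth.log excerpt in sshd's log format.
AUTH_LOG = """\
Jun  1 10:00:01 box sshd[2001]: Failed password for invalid user admin from 125.211.221.145 port 47777 ssh2
Jun  1 10:00:04 box sshd[2001]: Failed password for root from 125.211.221.145 port 47777 ssh2
Jun  1 10:00:07 box sshd[2001]: Failed password for root from 125.211.221.145 port 47777 ssh2
Jun  1 10:02:30 box sshd[2042]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
"""

# netstat row: proto, recv-q, send-q, local addr:port, foreign addr:port, state
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)")
# sshd outcome lines: "Accepted <method> for <user>" / "Failed <method> for [invalid user] <user>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def strip_scope(addr):
    """Drop the '%scope' suffix some netstat builds print after an address."""
    return addr.split("%", 1)[0]


def established_ssh(netstat_text):
    """Return the set of (remote_ip, remote_port) for ESTABLISHED connections to the ssh port."""
    conns = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_port, remote_ip, remote_port, state = (
            m.group(2), strip_scope(m.group(3)), m.group(4), m.group(5))
        if local_port in ("ssh", "22") and state == "ESTABLISHED":
            conns.add((remote_ip, remote_port))
    return conns


def auth_events(log_text):
    """Return {(ip, port): {"accepted": n, "failed": n}} tallied from sshd log lines."""
    events = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, ip, port = m.group(1), m.group(3), m.group(4)
        events[(ip, port)]["accepted" if outcome == "Accepted" else "failed"] += 1
    return dict(events)


def classify(netstat_text, log_text):
    """For each established SSH connection, say what the auth log shows for it."""
    events = auth_events(log_text)
    result = {}
    for ip, port in established_ssh(netstat_text):
        e = events.get((ip, port), {"accepted": 0, "failed": 0})
        if e["accepted"]:
            result[ip] = "authenticated"
        elif e["failed"]:
            result[ip] = "failing-auth(%d)" % e["failed"]
        else:
            # Open socket with no auth record yet: banner grab, scanner, or a
            # session still in key exchange. Keep watching the log.
            result[ip] = "no-auth-record"
    return result


if __name__ == "__main__":
    for ip, status in sorted(classify(NETSTAT_OUTPUT, AUTH_LOG).items()):
        print(ip, status)
```

On the constructed data the Chinese address shows three failed password attempts on the very connection netstat reports as ESTABLISHED, which is the brute-force case Insyte describes, while the second connection maps to an accepted public-key login. A "no-auth-record" result is the banner-grab/scanner case: the TCP handshake completed but sshd never logged an authentication attempt.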
Insyte beat me to it. To drop all connections from that IP:

    iptables -A INPUT -s 125.211.221.145 -j DROP

CaseyIT: Thanks, I ran that, and it seemed to chase them off.

From Warner
You can use a package such as BlockHosts to stop all unsolicited connections of this kind. Here's a nice tutorial; it's for Debian Etch but nearly all of it applies to Ubuntu as well.

From gareth_bowles
I run a program called fail2ban which reads the logs of common daemons such as ssh and ftp. It uses regular expressions to monitor failed login attempts in those logs, and updates firewall rules to block the IPs of would-be intruders. You can customize the behavior of fail2ban in ways such as how many failed attempts before an IP is blocked and how long it stays blocked. It works very well and I'm quite pleased with it. Check it out here.

Though I'm not familiar with gareth_bowles' BlockHosts, I suspect it is similar to fail2ban.

Richard Holloway: DenyHosts is a similar thing but extremely easy to install and set up. It also has an online collaboration so you can share your blocked IPs with other servers running DenyHosts and block the baddies that have tried to crack others before they try you. I think fail2ban is a more recognised solution to this problem though.

From Wagnarock
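As an added illustration of the "how many failed attempts, within what time" logic that the fail2ban and DenyHosts answers describe (this is example code written for this page, not fail2ban's or DenyHosts' own implementation): the Python below tallies failed sshd logins per source IP inside a sliding time window over a constructed auth.log excerpt, and for every IP that crosses the threshold renders the same iptables DROP rule Warner gave. The threshold (three failures in ten minutes) and the year assumed for the year-less syslog timestamps are assumptions, and the automatic unban after a ban period that the real tools provide is left out.

```python
import re
from datetime import datetime, timedelta

# Syslog timestamps carry no year, so one is assumed for parsing (assumption).
LOG_YEAR = 2009

# Constructed /var/log/auth.log excerpt: one burst of failures from a single
# address, and a legitimate user who mistypes a password twice, hours apart.
AUTH_LOG = """\
Jun  1 10:00:01 box sshd[2001]: Failed password for root from 125.211.221.145 port 47777 ssh2
Jun  1 10:00:03 box sshd[2001]: Failed password for root from 125.211.221.145 port 47777 ssh2
Jun  1 10:00:05 box sshd[2001]: Failed password for root from 125.211.221.145 port 47777 ssh2
Jun  1 10:30:00 box sshd[2100]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun  1 12:45:00 box sshd[2200]: Failed password for alice from 192.0.2.10 port 51001 ssh2
Jun  1 12:45:10 box sshd[2200]: Accepted password for alice from 192.0.2.10 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")


def parse_failures(log_text, year=LOG_YEAR):
    """Return [(timestamp, ip), ...] for each failed sshd login, in file order."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out


def find_bans(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """Ban an IP once it has maxretry or more failures inside a findtime window.

    Mirrors the maxretry/findtime idea from the answers above; returns
    {ip: time_of_ban} for the first time each IP crosses the threshold.
    """
    recent = {}   # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip in failures:
        if ip in bans:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def iptables_rules(bans):
    """Render one DROP rule per banned IP, in the form used earlier in the thread."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in sorted(bans)]


if __name__ == "__main__":
    for rule in iptables_rules(find_bans(parse_failures(AUTH_LOG))):
        print(rule)
```

The window matters as much as the count: alice's two failures are hours apart and never accumulate, while the three-in-four-seconds burst from 125.211.221.145 is banned on the third attempt. Tuning maxretry too low or findtime too long is how these tools end up locking out legitimate users.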
- Don't run ssh on port 22.
- Don't allow connections to whatever port you do run ssh on from the entire internet. If you need to connect from random locations, install knockd.
- Don't run ftp.

jdizzle: Can I come visit you at your secure mountain compound someday? ;)

ceretullis: My advice exactly. For even better security than knockd, require an IPsec VPN connection to the network and tunnel your SSH traffic over that, i.e. don't expose your SSH server to the world.

From Justin