Saturday, January 29, 2011

Unsolicited SSH connection

I have had an Ubuntu 8.04 server running and on the Internet for a few days. I have ports 21 and 22 open for FTP and SSH. All other ports are closed.

I ran


And found this

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State 

tcp6       0     68 ESTABLISHED

It appears as if has established an SSH connection to the server...and is sending packets out... Is it possible for someone to establish an SSH connection without authenticating?

I did reverse DNS lookups on the address, and it seems to originate from China according to this resource.

I assume most servers are fending off stuff like this all the time, but is it unusual to have someone sit on a port like this? And is there a way to block certain IPs at the server level?

The server is sitting behind a substantial Cisco firewall.

  • All "ESTABLISHED" means is that the tcp session is open. It does not mean that they have successfully authenticated. Nmap, for example, will create a complete, legal TCP session when scanning port 22. (It's verifying that the daemon is sshd, checking version strings, etc.) This person could be running a simple port scanner or even attempting to brute-force your passwords.

    To figure out what's actually happening, you'll need to spend some quality time with your logs. Spend most of your time looking for successful and failed logins. Also just running "who" will let you know if someone is actually logged in via that connection.

    The output of last can also be useful.

    From Insyte
  • Insyte beat me to it.

    To drop all connections from that IP:

    iptables -A INPUT -s -j DROP

    CaseyIT : Thanks, I ran that, and it seemed to chase them off.
    From Warner
  • You can use a package such as BlockHosts to stop all unsolicited connections of this kind. Here's a nice tutorial - it's for Debian Etch but nearly all of it applies to Ubuntu as well.

  • I run a program called fail2ban which reads the logs of common daemons such as ssh and ftp. It uses regular expressions to monitor failed login attempts in those logs, and updates firewall rules to block the IPs of would-be intruders. You can customize the behavior of fail2ban in ways such as how many failed attempts are allowed before an IP is blocked and how long it stays blocked. It works very well and I'm quite pleased with it. Check it out here.

    Though I'm not familiar with gareth_bowles' BlockHosts, I suspect it is similar to fail2ban.

    Richard Holloway : DenyHosts is a similar thing but extremely easy to install and set up. It also has an online collaboration feature, so you can share your blocked IPs with other servers running DenyHosts and block the baddies that have tried to crack others before they try you. I think fail2ban is a more recognised solution to this problem, though.
    From Wagnarock
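The log review Insyte recommends and the failed-login counting that fail2ban automates, as an added example that is not code from the original thread, from fail2ban or from any of the tools named above: a small Python script that parses the sshd lines an Ubuntu box writes to /var/log/auth.log, counts failed logins per source address, lists successful logins, records connections that never sent an SSH banner, and emits the same iptables DROP rule Warner gave for every address over a threshold. The host name, user names, addresses (RFC 5737 documentation ranges) and log lines are constructed for the example; the threshold and the rule string stand in for fail2ban's maxretry setting and ban action.

```python
"""Summarize sshd activity from auth.log lines and decide which addresses to drop.

Added example: a hand-rolled version of what fail2ban's sshd filter does.
The log sample below is constructed; host, users and addresses are made up
(addresses come from the RFC 5737 documentation ranges).
"""
import re
from collections import Counter

# Three kinds of sshd line worth telling apart:
#  - a TCP connection that never sent an SSH banner (what a port scanner leaves
#    behind: the session showed as ESTABLISHED, but nobody authenticated)
#  - a failed password/publickey attempt
#  - an accepted login
NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[0-9a-fA-F.:]+)")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")

# Constructed sample of /var/log/auth.log (not real traffic).
SAMPLE_LOG = """\
Jan 29 03:12:01 web1 sshd[4120]: Did not receive identification string from 198.51.100.23
Jan 29 03:14:10 web1 sshd[4131]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Jan 29 03:14:12 web1 sshd[4131]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Jan 29 03:14:15 web1 sshd[4135]: Failed password for root from 203.0.113.7 port 41140 ssh2
Jan 29 03:14:17 web1 sshd[4135]: Failed password for root from 203.0.113.7 port 41140 ssh2
Jan 29 03:14:20 web1 sshd[4138]: Failed password for invalid user oracle from 203.0.113.7 port 41151 ssh2
Jan 29 03:20:05 web1 sshd[4150]: Failed password for casey from 192.0.2.10 port 50012 ssh2
Jan 29 03:20:09 web1 sshd[4150]: Failed password for casey from 192.0.2.10 port 50012 ssh2
Jan 29 03:20:14 web1 sshd[4150]: Accepted password for casey from 192.0.2.10 port 50012 ssh2
Jan 29 03:25:00 web1 sshd[4170]: Connection closed by 198.51.100.23
"""


def summarize(lines):
    """Return (failed, accepted, probes).

    failed:   Counter of failed attempts per source address
    accepted: list of (ip, user, method) for successful logins
    probes:   Counter of banner-less connections per source address
    Lines that match none of the patterns are ignored.
    """
    failed, probes, accepted = Counter(), Counter(), []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
            continue
        m = NO_IDENT_RE.search(line)
        if m:
            probes[m.group("ip")] += 1
    return failed, accepted, probes


def ips_to_ban(failed, maxretry=3):
    """Addresses with at least maxretry failures (the role of fail2ban's maxretry)."""
    return sorted(ip for ip, n in failed.items() if n >= maxretry)


def iptables_rules(ips):
    """The DROP rule from the thread, one per offending address."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    failed, accepted, probes = summarize(SAMPLE_LOG.splitlines())
    for ip, n in failed.most_common():
        print("%-16s %d failed logins" % (ip, n))
    for ip, user, method in accepted:
        print("%-16s accepted %s login for %s" % (ip, method, user))
    for ip, n in probes.most_common():
        print("%-16s %d connection(s) without an SSH banner" % (ip, n))
    for rule in iptables_rules(ips_to_ban(failed)):
        print(rule)
```

Run it as-is to see the summary of the constructed sample; on a real box, feed `summarize()` the lines of /var/log/auth.log instead. The "Did not receive identification string" line is the trace a banner-less scan leaves behind: that connection was ESTABLISHED in netstat, yet no authentication ever took place, which is exactly the distinction Insyte draws. A legitimate user who mistypes a password twice and then gets in (192.0.2.10 in the sample) stays under the threshold, while the address hammering several accounts does not.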
    • Don't run ssh on port 22.
    • Don't allow connections to whatever port you do run ssh on from the entire internet. (If you need to connect from random locations, install knockd.)
    • Don't run ftp.
    jdizzle : Can I come visit you at your secure mountain compound someday? ;)
    ceretullis : My advice exactly. For even better security than knockd, require an IPSEC VPN connection to the network and tunnel your SSH traffic over that. I.e. don't expose your SSH server to the world.
    From Justin