Any danger from these ports?
Paul Iadonisi
pri.rhl3 at iadonisi.to
Sat Jan 8 22:54:31 UTC 2005
On Sat, 2005-01-08 at 22:38 +0000, Paul wrote:
[snip]
> There are few things in my logs which are suspicious...
>
> First are a couple like this
>
> Jan 1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:70.56.41.21
> Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> BREAKIN ATTEMPT!
>
> I seem to be subjected to a dictionary attack.
It's been going on for several months now. Must be some kind of worm
out there, but it's harmless provided you take some precautions.
> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
>
And that probably covers it all. If you need ssh enabled on an
internet connected host, I would recommend at least one, maybe all of
the following:
1) Allow rsa key logins only.
2) Restrict by IP address, if possible.
3) Restrict by username if possible.
4) Run sshd on a port other than 22.
5) Use port knocking if you are really paranoid. (Though that hasn't
had enough field testing to trust it as the only security measure,
for sure.)
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
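As an added illustration of the two halves of this thread (spotting the dictionary-attack entries in the log and checking that sshd is configured along the lines of steps 1 to 4), here is a small script that is not part of the original post. It parses constructed log lines modelled on the quoted ones and audits an sshd_config text; the sample IPs, usernames and config values are made up.

```python
"""Count 'Invalid user' probes per source and audit sshd_config against the
hardening steps (key-only logins, restrict by user/IP, non-default port)."""
import re
from collections import Counter

# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Jan 1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 1 22:18:40 T7 sshd[31412]: Invalid user admin from ::ffff:70.56.41.21
Jan 1 22:19:02 T7 sshd[31415]: Invalid user guest from 192.0.2.7
Jan 1 22:20:00 T7 sshd[31420]: Accepted publickey for paul from 198.51.100.4 port 51022 ssh2
"""
# IPv4-mapped addresses (::ffff:a.b.c.d) are normalised to plain IPv4.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (?:::ffff:)?([\d.]+)")

def count_probes(log_text):
    """Map each source IP to the number of 'Invalid user' lines it produced."""
    hits = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            hits[m.group(2)] += 1
    return dict(hits)

# keyword -> (OpenSSH default, predicate meaning "hardened"), one per step in the reply
HARDENING = {
    "passwordauthentication": ("yes", lambda v: v == "no"),   # 1) no password logins
    "pubkeyauthentication":   ("yes", lambda v: v == "yes"),  # 1) keys allowed
    "allowusers":             ("",    lambda v: v != ""),     # 2+3) user@host restricts both
    "port":                   ("22",  lambda v: v != "22"),   # 4) not the default port
}

def parse_sshd_config(text):
    """Return {keyword: value}; keywords are case-insensitive and the first
    occurrence wins, which is how sshd itself resolves duplicate directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return {keyword: True if the effective value passes its hardening check}."""
    settings = parse_sshd_config(text)
    return {k: ok(settings.get(k, default).lower()) for k, (default, ok) in HARDENING.items()}

# Constructed configs: the stock-style one and one following steps 1 to 4.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\n"
HARDENED_CONFIG = "Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\nAllowUsers paul@203.0.113.0/24\n"
```

Running `count_probes(SAMPLE_LOG)` shows the quoted host as the noisiest source, and `audit_sshd_config` flags the weak config on password logins, the default port and the missing user/host restriction.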