FreeBSD Security - Securing FreeBSD

sshd logging - can we get the ssh command?
My FreeBSD server at home is periodically subjected to distributed hack attempts (which inevitably fail for various reasons). It is not unusual to see these involve over 200 unique IP addresses in a single day. I find these attempts to be little more than annoying, and the distributed nature seems to make it rather meaningless to report them or do much of anything else proactive or reactive for them.
However I have been wondering how my poor little server at home ever came to be subjected to this to begin with. I host only my own web pages, and they are so insignificant that the main page on said server isn't even indexed by google. Of course my server could be accessed over ssh via two different methods of calling by address - either by name or by numeric address. The name is rather obscure (via dyndns.org) so the odds of someone guessing it at random are rather small. I suspect it is more likely that someone did a scan on port 22 over a great range of IP addresses and found mine to be open. Is there any way to confirm this? I would like sshd, if possible, to tell me who accesses my server via the command
Code:
ssh myserver.mydomain.youcantguessthis.org
Code:
ssh 123.234.231.132

This is just an Internet nuisance; as long as your own setup is secure, these attempts will remain simply log noise, which your HTTP server likely gets a fair share of.
Public key authentication only, use an alternative port if you want, etc.

I rather suspected that this information wasn't retained or passed anywhere, that sshd knows only where the system on the other end is coming from and not how it issued the ssh command. And of course I rather doubt I could talk the bot-masters into installing a new ssh client on their zombies so that I could have that information.

I think I understand where your confusion comes from. Domain names are part of URLs, which are sent from the browser to the webserver. But URLs are not part of an SSH connection. And there are plenty of other Internet applications that do not use URL/URIs.
Here's how DNS works, in general, for Internet applications. If URLs are used, they're passed in the first data packet after a TCP connection is established. That doesn't happen for ssh:

Computers only know about IP addresses, and only connect via IP addresses. Period.
Humans know about hostnames and prefer to use symbolic hostnames. Hence, DNS was born, to allow us simple humans to use nice names for servers. All the underlying communication, though, happens using just IPs. Some protocols, like HTTP, allow the remote hostname to be included, to allow for things like virtualhosts (multiple unique hostnames all pointing to a single IP). SSH is not one of these protocols.

Welcome to the world of the internet. As has been stated, all this is just "noise". They have no target specifically, they are just looking for weak security to exploit. It does no good to try to block these as there are so many of them and a good number of these are spoofing perfectly good IP addresses, so in some cases you would actually be doing yourself harm by blocking legitimate traffic.
The best thing you can do if you want to take the load off your server is to set up a good firewall, not on your server but separately, so that CPU cycles are not being used to deny access. I run pfsense boxes in front of all my servers and it's a wonderful setup. Even my Windoze admins can use the easy web GUI and I can still access the box via CLI if I want to. Don't lose any sleep over these "attacks" as they aren't directed at you per se, and as long as they aren't getting in, you'll be fine. -Tim

Crawling through the web, using some sort of bot system to check every host they can find for open ssh ports to try. I would expect if this was the case that the attempts would come by "ssh myobscurehostname.youwontguessthis.org". Or, crawling the internet, looking for open ssh ports on any system they can get a response from. I would expect if this was the case that the attempts would come by "ssh 123.45.67.89". Being as my web server is likely in the bottom .001% of the internet in terms of popularity (maybe 2 or 3 unique hits per day) I figure the second is more likely. I also figure that the bot-masters are likely smart enough to know that ssh and httpd are not necessarily employed together in all cases. Though ultimately this is just a question for my own sake. I don't expect that it would in any way help to resolve the situation.
So to reiterate, I'm not worried right now. I'm just curious as to how they found my system to begin with. I know that of course people have scanned the internet for open ports for years (a win2k box I had with cygwin sshd was once found in less than a half hour), so that is what I figure the most likely way that my server was found.

Code:
$ nmap -p 22 192.168.0.0/24
That will search every IP from 192.168.0.0 through 192.168.0.255 for hosts with port 22 open. Takes maybe 3 seconds, most of which is just displaying the info. The actual scan takes milliseconds. Now expand that out to use big blocks of IPs, and wrap it in a script that connects to open SSH ports, and you see what the script kiddies are doing. It has nothing to do with hostnames and everything to do with IPs.

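To make concrete two points from the posts above (that an SSH connection carries no hostname, and that the bots are "nmap for port 22 plus a script that connects"), here is an added example; it is not code from any poster in this thread. It TCP-connects to each port, reads the server's identification line as RFC 4253 section 4.2 defines it (SSH-protoversion-softwareversion SP comments CR LF), and parses it. That line, plus the peer address, is all either side learns before key exchange; there is no field in it for the name the client typed, which is why sshd can only ever log the peer IP or its reverse-DNS name. The `opener` parameter, the `fake_opener` stand-in host (OpenSSH on 22, dropbear behind a greeting line on 2222, HTTP on 80) and the documentation address 198.51.100.7 are assumptions made so the example runs offline.

```python
"""Connect-scan a host for SSH the way the bots in this thread do, and look at
what actually crosses the wire. Added example; not code from the thread.

An SSH session starts with each side sending one identification line
(RFC 4253 section 4.2):  SSH-protoversion-softwareversion [SP comments] CR LF
There is no field for the name the client typed, so sshd can only ever log
the peer IP (or its reverse-DNS name), never "ssh myhost.example.org".
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class SshIdent:
    protoversion: str          # e.g. "2.0"
    softwareversion: str       # e.g. "OpenSSH_9.6"
    comments: Optional[str]    # optional trailing comment, e.g. "FreeBSD-20240806"


def parse_ssh_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one identification line; None if it is not an SSH banner."""
    text = line.rstrip(b"\r\n")
    if not text.startswith(b"SSH-"):
        return None
    head, _, comments = text.partition(b" ")
    parts = head.split(b"-", 2)            # [b"SSH", protoversion, softwareversion]
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    dec = lambda b: b.decode("ascii", "replace")
    return SshIdent(dec(parts[1]), dec(parts[2]), dec(comments) or None)


def read_line(sock, limit: int = 255) -> bytes:
    """Read up to one CR LF-terminated line (RFC 4253 caps the banner at 255 bytes)."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"\n"):
            break
    return buf


def grab_ssh_banner(host: str, port: int, timeout: float = 2.0,
                    opener: Callable = socket.create_connection) -> Optional[SshIdent]:
    """TCP-connect and return the server's SshIdent, or None if the port is
    closed/filtered or the service is not SSH. A server may send other lines
    before its banner, so non-SSH lines are skipped (bounded)."""
    try:
        sock = opener((host, port), timeout=timeout)
    except OSError:                         # refused, unreachable, timed out
        return None
    try:
        sock.settimeout(timeout)
        for _ in range(20):                 # don't hang on a chatty non-SSH service
            line = read_line(sock)
            if not line:
                return None
            ident = parse_ssh_ident(line)
            if ident is not None:
                return ident
        return None
    except OSError:
        return None
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int],
         opener: Callable = socket.create_connection) -> Dict[int, SshIdent]:
    """port -> SshIdent for every port that answered with an SSH banner.
    Looping this over whole address blocks instead of one host is the bot."""
    found = {}
    for port in ports:
        ident = grab_ssh_banner(host, port, opener=opener)
        if ident is not None:
            found[port] = ident
    return found


# Offline stand-in for a real host (constructed; an assumption of this example).
class _FakeSock:
    def __init__(self, data: bytes):
        self.data = data
    def settimeout(self, t): pass
    def recv(self, n: int) -> bytes:
        chunk, self.data = self.data[:n], self.data[n:]
        return chunk
    def close(self): pass


def fake_opener(addr, timeout=None):
    """Pretend host: OpenSSH on 22, dropbear behind a greeting on 2222, HTTP on 80."""
    _, port = addr
    if port == 22:
        return _FakeSock(b"SSH-2.0-OpenSSH_9.6 FreeBSD-20240806\r\n")
    if port == 2222:
        return _FakeSock(b"Welcome to my box\r\nSSH-2.0-dropbear_2022.83\r\n")
    if port == 80:
        return _FakeSock(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    raise ConnectionRefusedError


if __name__ == "__main__":
    for port, ident in scan("198.51.100.7", [22, 80, 443, 2222], opener=fake_opener).items():
        print(f"{port}: SSH {ident.protoversion} {ident.softwareversion} {ident.comments or ''}")
```

Pass the real `socket.create_connection` (the default) to point it at a host you own; the fake opener exists only so the logic can be exercised without a network. Note what the server side of this exchange sees in return: the client's address and its own identification line, nothing more, which is exactly the information the log lines in this thread contain.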
I suspect others have reported similar things to this before, but my logs looked like this not too long ago:
Code:
Apr 12 18:30:05 nfsbox sshd[79901]: error: PAM: authentication error for illegal user amora from server.eshops.lt
Apr 12 18:31:09 nfsbox sshd[79904]: error: PAM: authentication error for illegal user amora from a1-grsph1-006.tosa.pl
Apr 12 18:33:13 nfsbox sshd[79922]: error: PAM: authentication error for illegal user amorina from 195.66.185.185
Apr 12 18:34:14 nfsbox sshd[79925]: error: PAM: authentication error for illegal user amorina from s112.silver.fastwebserver.de
Apr 12 18:35:30 nfsbox sshd[79931]: error: PAM: authentication error for illegal user amorina from 221.130.177.154
Apr 12 18:36:18 nfsbox sshd[79934]: error: PAM: authentication error for illegal user amorina from 85.17.184.11
Apr 12 18:37:25 nfsbox sshd[79937]: error: PAM: authentication error for illegal user amorina from 190.5.228.134
Apr 12 18:38:32 nfsbox sshd[79940]: error: PAM: authentication error for illegal user amory from berryx.homedns.org
Apr 12 18:39:27 nfsbox sshd[79943]: error: PAM: authentication error for illegal user amory from 208.89.208.193

On another machine that has been up for some time my "ssh-offenders" table auto-populated from the pf firewall has several dozen entries already over the last week - I clear it out once in a while. Bottom line: use public keys for access; disable PermitRootLogin in /etc/ssh/sshd_config, and consider using PF. The latter is a good exercise even if you don't feel blocking the offenders is necessary, because you'll have gained some knowledge and will have a working packet filter config running and be able to extend it when something more serious than random brute force ssh attempts shows up. Oh yeah... "don't worry, be happy". There are other security fish to fry.

Really, I am interested in it more from an "informatics" standpoint: Where are the systems that are being used for this? How many times does a single system try in a given time frame? How do the attempts per unit time vary over time? How much deviation is there between different names or systems? How does the logic change over time (regarding attempts / name, attempts / address, attempts / unit time)? What factors are common between the systems who make the most attempts? And of course, how did my system end up on the list of targets for these (which we have already addressed here)? But these questions are all for my own interest and nothing else. I don't expect that I would in any way be able to stop the botnets by answering those questions. I know that there are more pressing issues in the world in general and even in the worlds of FreeBSD or openssh security. I'm a scientist. I find data to be interesting. When my own research (which is not related to this in the least) has data-less days I try to find other topics where there is data that I find interesting.

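The questions in this post (which sources, how many attempts per source and per name, how the rate varies) and the "ssh-offenders" pf table mentioned two posts up can both be served from exactly the log lines posted earlier in the thread. What follows is an added example, not code from any poster: it parses FreeBSD's `sshd[...]: error: PAM: authentication error for illegal user X from Y` lines, tallies them, and emits `pfctl -T add` commands for sources over a threshold. Nine of the sample lines are the ones quoted above; the two extra lines (user amos from 85.17.184.11) are constructed so that a repeat source appears, and `ASSUMED_YEAR` is an assumption because syslog timestamps carry none. One caveat the code makes visible: the `from` field is whatever sshd got from reverse DNS for the peer address (it resolves when `UseDNS` is on), not a name the attacker typed, and such a name need not forward-resolve to the attacker, so only literal addresses are put into the table.

```python
"""Tally sshd brute-force attempts from FreeBSD syslog lines. Added example,
not code from this thread. Nine of the sample lines below are the ones posted
above; the last two (user 'amos' from 85.17.184.11) are constructed so that a
repeat source shows up."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

ASSUMED_YEAR = 2008   # assumption: syslog lines carry no year; any value works for deltas

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for "
    r"(?P<illegal>illegal user )?(?P<user>\S+) from (?P<src>\S+)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

SAMPLE_LOG = [  # first nine quoted from the thread; last two constructed
    "Apr 12 18:30:05 nfsbox sshd[79901]: error: PAM: authentication error for illegal user amora from server.eshops.lt",
    "Apr 12 18:31:09 nfsbox sshd[79904]: error: PAM: authentication error for illegal user amora from a1-grsph1-006.tosa.pl",
    "Apr 12 18:33:13 nfsbox sshd[79922]: error: PAM: authentication error for illegal user amorina from 195.66.185.185",
    "Apr 12 18:34:14 nfsbox sshd[79925]: error: PAM: authentication error for illegal user amorina from s112.silver.fastwebserver.de",
    "Apr 12 18:35:30 nfsbox sshd[79931]: error: PAM: authentication error for illegal user amorina from 221.130.177.154",
    "Apr 12 18:36:18 nfsbox sshd[79934]: error: PAM: authentication error for illegal user amorina from 85.17.184.11",
    "Apr 12 18:37:25 nfsbox sshd[79937]: error: PAM: authentication error for illegal user amorina from 190.5.228.134",
    "Apr 12 18:38:32 nfsbox sshd[79940]: error: PAM: authentication error for illegal user amory from berryx.homedns.org",
    "Apr 12 18:39:27 nfsbox sshd[79943]: error: PAM: authentication error for illegal user amory from 208.89.208.193",
    "Apr 12 18:40:10 nfsbox sshd[79946]: error: PAM: authentication error for illegal user amos from 85.17.184.11",
    "Apr 12 18:41:02 nfsbox sshd[79949]: error: PAM: authentication error for illegal user amos from 85.17.184.11",
]


@dataclass
class Attempt:
    ts: datetime
    user: str
    src: str        # peer IP, or its reverse-DNS name when sshd resolves (UseDNS)
    illegal: bool   # "illegal user": the account does not exist on this box


def parse_line(line: str) -> Optional[Attempt]:
    """One syslog line -> Attempt, or None for lines that are not PAM auth failures."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime(ASSUMED_YEAR, MONTHS[m["mon"]], int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]))
    return Attempt(ts, m["user"], m["src"], m["illegal"] is not None)


def summarize(lines: Iterable[str]) -> dict:
    """Counts per source and per username, plus timing: span, rate, median gap."""
    attempts = sorted((a for a in map(parse_line, lines) if a), key=lambda a: a.ts)
    if not attempts:
        return {"attempts": 0, "by_src": Counter(), "by_user": Counter()}
    span = (attempts[-1].ts - attempts[0].ts).total_seconds()
    gaps = sorted((b.ts - a.ts).total_seconds() for a, b in zip(attempts, attempts[1:]))
    return {
        "attempts": len(attempts),
        "by_src": Counter(a.src for a in attempts),
        "by_user": Counter(a.user for a in attempts),
        "illegal_users": sum(a.illegal for a in attempts),
        "span_s": span,
        "per_minute": len(attempts) * 60 / span if span else float("inf"),
        "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
    }


def offenders(summary: dict, min_attempts: int = 3) -> List[str]:
    """Sources at or above the threshold, the way a pf overload rule would pick them."""
    return sorted(s for s, n in summary["by_src"].items() if n >= min_attempts)


def pf_table_cmds(srcs: Iterable[str], table: str = "ssh-offenders") -> List[str]:
    """pfctl commands for literal addresses only: a reverse-DNS name from the log
    need not forward-resolve to the attacker's address, so it is skipped."""
    cmds = []
    for s in srcs:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            continue
        cmds.append(f"pfctl -t {table} -T add {s}")
    return cmds


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['attempts']} attempts over {s['span_s']:.0f}s, ~{s['per_minute']:.2f}/min")
    print("by user:", dict(s["by_user"]))
    print("by source:", dict(s["by_src"]))
    for cmd in pf_table_cmds(offenders(s)):
        print(cmd)
```

Feed it `/var/log/auth.log` instead of `SAMPLE_LOG` and the per-source and per-user counters answer the first four questions directly; the median gap and the per-minute rate are the "attempts per unit time" figures. If the goal is to feed pf rather than to study the data, set `UseDNS no` in sshd_config so the log carries raw addresses and nothing gets skipped.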
Some of your questions are answered in http://www.aptitudetechnology.com/wh...rute_Force.pdf and http://www.securityfocus.com/infocus/1876
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

From the second article J65nko cited:

Tags: freebsd, log, security, ssh, sshd