Thread: Question about ssh attacks

  1. #1
    Join Date
    Jan 2009
    Location
    Queens
    Posts
    126

    Question about ssh attacks

    Hi guys, I keep seeing the following lines in my logs. I looked around and it was saying something about me trying to connect via ssh to another server and looping back.
    The thing is, I'm not trying to connect to anything. Can anyone help me understand what the following lines mean:

    Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
    Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149
    Sep 16 17:03:53 www sshd[15572]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
    Sep 16 17:03:53 www sshd[15572]: Invalid user admin from 173.160.192.149
    Sep 16 17:03:54 www sshd[15574]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!

    It goes on and on and on.
    Hmmmm I wonder how long before im good at this????????????
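As an added example that is not part of the thread, a small triage script over lines in the same /var/log/messages format as the ones quoted above: it groups sshd events by source address and flags sources that guessed non-existent accounts or failed repeatedly without ever logging in. The log sample, hostnames and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/messages format quoted in the thread.
# Hostnames and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo for host-7.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 198.51.100.7
Sep 16 17:03:53 www sshd[15572]: reverse mapping checking getaddrinfo for host-7.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:53 www sshd[15572]: Invalid user admin from 198.51.100.7
Sep 16 17:03:54 www sshd[15574]: Invalid user oracle from 198.51.100.7
Sep 16 17:03:55 www sshd[15576]: Failed password for root from 198.51.100.7 port 40122 ssh2
Sep 16 17:10:01 www sshd[15601]: Accepted publickey for hgallo from 192.0.2.10 port 51022 ssh2
Sep 16 17:12:40 www sshd[15610]: Failed password for hgallo from 192.0.2.10 port 51030 ssh2
"""

# The sshd message shapes this triage cares about.
RE_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
RE_FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+)")
RE_RDNS = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[(\S+)\] failed")
RE_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def triage(log_text):
    """Group sshd events by source IP; returns {ip: summary}."""
    per_ip = defaultdict(lambda: {"invalid_users": set(), "failed": 0,
                                  "rdns_failed": False, "accepted": 0})
    for line in log_text.splitlines():
        if m := RE_INVALID.search(line):
            per_ip[m.group(2)]["invalid_users"].add(m.group(1))
        elif m := RE_FAILED.search(line):
            per_ip[m.group(2)]["failed"] += 1
        elif m := RE_RDNS.search(line):
            per_ip[m.group(1)]["rdns_failed"] = True
        elif m := RE_ACCEPT.search(line):
            per_ip[m.group(2)]["accepted"] += 1
    return dict(per_ip)


def suspicious_sources(per_ip, min_events=3):
    """Sources that guessed non-existent accounts or failed repeatedly and
    never logged in. The reverse-mapping warning is only corroboration: it
    also fires for legitimate clients whose ISP publishes no PTR record."""
    flagged = [ip for ip, s in per_ip.items()
               if s["accepted"] == 0
               and len(s["invalid_users"]) + s["failed"] >= min_events]
    return sorted(flagged)
```

The reverse-mapping line on its own is not evidence of an attack; the "Invalid user" lines for accounts that do not exist on the box are what show guessing.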

  2. #2
    Join Date
    Nov 2008
    Location
    GTA, Ontario, Canada
    Posts
    15

    Re: Question about ssh attacks

    Hi
    In which log did you find it? Do you run any server on your box (http, ftp, etc.)? And do you use any kind of dynamic DNS service?
    From this you can tell that your machine is trying to scan ports and possibly brute force 173.160.192.149, which is on the Comcast network (looks like this IP is leased to CBC-SEATTLE-17). (But I believe you already know it.)

    It would be nice if you could catch it with Wireshark. It would be easier to analyse those packets. Once in a while I have similar traffic but it originates from a remote location - mostly from California, Korea and China. I simply blocked IPs from Korea and China with iptables.
    cheers

  3. #3
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,528

    Re: Question about ssh attacks

    Looks like some one trying to break in and failing to me.

  4. #4
    Join Date
    Nov 2008
    Location
    GTA, Ontario, Canada
    Posts
    15

    Re: Question about ssh attacks

    My bad, you're right gogalthorp. 173.160.192.149 is trying to get in.

  5. #5
    Kevin Miller NNTP User

    Re: Question about ssh attacks

    On 09/16/2010 03:36 PM, hgallo wrote:
    >
    > Hi guys, I keep seeing the following lines in my logs. I looked around
    > and it was saying something about me trying to connect via ssh to
    > another server and looping back.
    > The thing is, I'm not trying to connect to anything. Can anyone help me
    > understand what the following lines mean:
    >
    > Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo
    > for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149]
    > failed - POSSIBLE BREAK-IN ATTEMPT!
    > Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149


    Do you have a firewall between your computer and the internet? It's not
    a bad thing to put a little NATting router between your DSL or cable
    modem and let it NAT your box. Makes it harder to access your box from
    the outside. If they can't see you, they can't scan you unless you
    explicitly open the ports on the firewall/router.

    ....Kevin
    --
    Kevin Miller - http://www.alaska.net/~atftb
    Juneau, Alaska
    In a recent survey, 7 out of 10 hard drives preferred Linux
    Registered Linux User No: 307357, http://counter.li.org

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    11,998
    Blog Entries
    3

    Re: Question about ssh attacks

    That sort of thing is pretty much par for the course if you are allowing ssh connections.

    Best is to only ever log in with public key authentication, and configure sshd_config so that only public key authentication is allowed. That does require that you set up keys as needed.

    Once you restrict to public key authentication, they aren't going to be able to break in. So you don't have to worry about it.
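To make that recommendation checkable, here is an added example (my code, not nrickert's or OpenSSH's) that reads an sshd_config excerpt the way sshd does and reports whether a password can still be typed at the server. The two config excerpts are constructed; the key-only one also turns off ChallengeResponseAuthentication, because leaving it at its default still lets keyboard-interactive (PAM) prompt for a password even when PasswordAuthentication is no.

```python
import re

# Two constructed sshd_config excerpts (not from any real host): one that
# leaves the defaults in force, and the key-only version the post recommends.
WEAK_CONFIG = """\
PubkeyAuthentication yes
#PasswordAuthentication yes
"""

KEY_ONLY_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Values sshd assumes when a keyword is absent: every method is on by
# default, which is why the "weak" file above still accepts passwords.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}  # OpenSSH 8.7+ name


def parse_sshd_config(text):
    """Global-section sshd_config semantics: keywords are case-insensitive,
    '#' starts a comment, and the FIRST value given for a keyword wins.
    A commented-out '#PasswordAuthentication yes' therefore sets nothing."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # Match blocks are conditional; out of scope here
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key not in seen:  # later duplicates are ignored by sshd
            seen.add(key)
            effective[key] = parts[1].strip()
    return effective


def password_logins_possible(effective):
    """True if a password can still be typed at this sshd, directly or via
    keyboard-interactive (PAM), so guessing attempts remain meaningful."""
    return (effective["passwordauthentication"] == "yes"
            or effective["challengeresponseauthentication"] == "yes")
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check; this script only models the global section of a file you hand it.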

  7. #7
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Re: Question about ssh attacks

    nrickert wrote:
    > Once you restrict to public key authentication, they aren't going
    > to be able to break in. So you don't have to worry about it.


    probably true if "they" are not a deep-pocket (aka: government) backed
    shop with crypto and petaFLOPS resources like the NSA and their ilk..

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

  8. #8
    Join Date
    Jan 2009
    Location
    Queens
    Posts
    126

    Re: Question about ssh attacks

    Quote Originally Posted by tomekania
    Hi
    In which log did you find it? Do you run any server on your box (http, ftp, etc.)? And do you use any kind of dynamic DNS service?
    From this you can tell that your machine is trying to scan ports and possibly brute force 173.160.192.149, which is on the Comcast network (looks like this IP is leased to CBC-SEATTLE-17). (But I believe you already know it.)

    It would be nice if you could catch it with Wireshark. It would be easier to analyse those packets. Once in a while I have similar traffic but it originates from a remote location - mostly from California, Korea and China. I simply blocked IPs from Korea and China with iptables.
    cheers
    The log is from /var/log/messages and yes, I am running an http server as well as a dns service. I wonder if it is my machine trying to brute force or if, as the word states, they are using reverse mapping to get some more information about my machine. I won't be able to use Wireshark; it seems that my company had some holes in their firewall, including ssh, and it was just fixed. Let's see what happens next; if the attacks continue I will post a Wireshark analysis. Thanks..
    Hmmmm I wonder how long before im good at this????????????

  9. #9
    Join Date
    Jan 2009
    Location
    Queens
    Posts
    126

    Re: Question about ssh attacks

    Quote Originally Posted by Kevin Miller
    On 09/16/2010 03:36 PM, hgallo wrote:
    >
    > Hi guys, I keep seeing the following lines in my logs. I looked around
    > and it was saying something about me trying to connect via ssh to
    > another server and looping back.
    > The thing is, I'm not trying to connect to anything. Can anyone help me
    > understand what the following lines mean:
    >
    > Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo
    > for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149]
    > failed - POSSIBLE BREAK-IN ATTEMPT!
    > Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149


    Do you have a firewall between your computer and the internet? It's not
    a bad thing to put a little NATting router between your DSL or cable
    modem and let it NAT your box. Makes it harder to access your box from
    the outside. If they can't see you, they can't scan you unless you
    explicitly open the ports on the firewall/router.

    ....Kevin
    --
    Kevin Miller - A Turn for the Better
    Juneau, Alaska
    In a recent survey, 7 out of 10 hard drives preferred Linux
    Registered Linux User No: 307357, Linux Counter: Home Page
    Yes, there is a lot of hardware before my machine, although obviously it wasn't configured properly.
    Hmmmm I wonder how long before im good at this????????????

  10. #10
    Join Date
    Jan 2009
    Location
    Queens
    Posts
    126

    Re: Question about ssh attacks

    Quote Originally Posted by nrickert
    That sort of thing is pretty much par for the course if you are allowing ssh connections.

    Best is to only ever log in with public key authentication, and configure sshd_config so that only public key authentication is allowed. That does require that you set up keys as needed.

    Once you restrict to public key authentication, they aren't going to be able to break in. So you don't have to worry about it.
    Yes, I had suggested that many times, but some people who are also involved find it complicated. I have to suck it up and find other ways. Thanks everyone.
    Hmmmm I wonder how long before im good at this????????????
