Re: OpenSSH 3.4p1 Trouble on SCO 5.0.5?



Bill Vermillion wrote:
In article <47E6160C.7080405@xxxxxxx>,
Steve M. Fabac, Jr. <smfabac@xxxxxxx> wrote:
I have a client running SCO 5.0.5 with OpenSSH 3.4p1
installed.

Since SSH was installed, we have been getting hits from
people on the Internet scanning port 22.

Normally they give up and go away. However, I have noticed
an unusual number of scans from foreign IP addresses using
valid names on the system (the names below in the block for
a single source IP are the *only* names logged from that
IP):

....

Anybody have any ideas, thoughts or comments on this?

I've seen as high as 10,000 such attempts per day - but these are
on mail and web servers directly connected to a tier 1 backbone
[level 3] in their Orlando colo. They actually switch [not route]
connections across the US so I can see 1 hop from Orlando to
Seattle - that's one reason they carry about 60% of the 'net
traffic.

But as Nico said in his reply to you, you really shouldn't put SCO
on a directly connected internet.

Bill,

I neglected to indicate that the machine is behind a firewall and port
22 is forwarded from the public IP address to the LAN IP address of
the box.


IMO the ONLY machines that should do so would be machines
that MUST be connected - eg mail servers and web servers. All
other machines should be behind a firewall.

Ideally 3 NIC cards connected to SWITCHES not hubs, would
have a public access IP, and those should connect to the second set
[A DMZ area] with such things as your web servers, and the 3rd
NIC would go to your business machines on a totally private network
so nothing from the outside world would ever get through.

It's easy and cheap to set up a separate mail/web server
and keep your important machines hidden. I run on FreeBSD since
switching an ISP from SGIs back in 1995 and it can run on a slim
machine and is awfully solid.

If you think you are seeing a lot of attacks, just wait - they get
more numerous as time goes by.

Bill


I have taken the steps to change from the default ssh port of 22 to
a high port number and that has stopped the repeated probes for now.
We have discussed this in the past and you have indicated that you have
seen ssh probes on high port numbers. We will cross that bridge if/when
it occurs.

Further tests show that my concerns were unwarranted as ssh 3.4p1
installed on 5.0.5 does not log attempts with unknown user names.
Thus the log only contains *hits* when the dictionary attack matches
an existing user's login name.

--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
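The observation above, that on this box the auth log only shows *hits* when the dictionary attack lands on an existing login name, means failure counts in the log are a lower bound. Below is an added example (not code from the thread or from OpenSSH) of a small log summariser that groups sshd failures by source IP and flags sources that cycle through several account names; the log lines, IP addresses, names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Classic OpenSSH auth-log wording. Older releases (3.4p1 era) said
# "illegal user" where later ones say "invalid user"; accept both.
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?P<unknown>(?:invalid|illegal) user )?"
                    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed sample log (hostnames, users and IPs are placeholders).
SAMPLE_LOG = """\
Mar 23 10:15:02 sco sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2
Mar 23 10:15:04 sco sshd[1235]: Failed password for steve from 203.0.113.5 port 4322 ssh2
Mar 23 10:15:06 sco sshd[1236]: Failed password for admin from 203.0.113.5 port 4323 ssh2
Mar 23 10:15:09 sco sshd[1237]: Failed password for illegal user oracle from 198.51.100.7 port 5000 ssh2
Mar 23 10:16:00 sco sshd[1240]: Failed password for steve from 192.0.2.10 port 6000 ssh2
Mar 23 10:16:05 sco sshd[1241]: Accepted password for steve from 192.0.2.10 port 6001 ssh2
""".splitlines()

def summarize(lines):
    """Group sshd auth events by source IP.
    Returns {ip: {"valid_fail", "unknown_fail", "accepted", "users"}}."""
    per_ip = defaultdict(lambda: {"valid_fail": 0, "unknown_fail": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["unknown_fail" if m["unknown"] else "valid_fail"] += 1
            rec["users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            per_ip[m["ip"]]["accepted"] += 1
    return dict(per_ip)

def dictionary_attack_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failures spread over two or more names.
    An sshd that does not log unknown-user attempts only shows the valid-name
    hits, so a source tripping this on valid names alone is still worth acting on."""
    hits = []
    for ip, rec in summary.items():
        if rec["valid_fail"] + rec["unknown_fail"] >= threshold and len(rec["users"]) >= 2:
            hits.append(ip)
    return sorted(hits)

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["valid_fail"], rec["unknown_fail"], rec["accepted"], sorted(rec["users"]))
    print("dictionary attack sources:", dictionary_attack_sources(summarize(SAMPLE_LOG)))
```

Run it against the real auth log with `summarize(open(path))`; a source that fails only against valid names, as in the thread, still shows up once it touches two or more accounts.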