Operating System - HP-UX

baiju_3
Esteemed Contributor

Too many failed ssh connection

Hi ,

I am getting the below message on a server almost every 5 minutes.

sshd[12170]: Failed password for root from 132.126.1.4 port 56814 ssh2
Can you help me find out which program is causing this?

I checked the cron log, ps -aef, netstat -a | grep 56814, lsof -i tcp:56814,
etc., but could not find which process is doing this mischief.

Please help.

Thanks,
BL.



Good things Just Got better (Plz,not stolen from advertisement -:) )
RAC_1
Honored Contributor

Re: Too many failed ssh connection

You are getting ssh requests from 132.126.1.4.
Check what this IP address is and why it is doing ssh on that port.
Your sshd is most probably not listening on that port. By default it listens on port 22.

nslookup 132.126.1.4

If you want to deny those requests you can make use of /etc/hosts.deny (HP-UX ssh comes with built-in TCP wrappers) or /var/adm/inetd.sec.

Anil
There is no substitute to HARDWORK
Tom Schroll
Frequent Advisor

Re: Too many failed ssh connection


BL,

The sshd process is 12170 (try "ps -ef | grep 12170") as shown in the square brackets "sshd[12170]" from the log entry. Also try "ps -ef | grep ssh" and see if that comes up with a ssh daemon running.

Indeed, the normal listening port is 22. The 56814 is possibly a temporary high port that the remote client is using to contact your port 22, which is irrelevant. Since it is temporary, lsof will not show it because it lives as long as the user is trying to connect and then the next connection uses another arbitrary port.

If this is an internet facing machine, chances are this is a brute force attack. If you do not need sshd to be running, then disable it. *OR* more importantly, if this is an internet facing machine, then disable telnet and rsh/rlogin and use ssh instead!
You can disable root logins from ssh in the sshd_config file (PermitRootLogin no). Due to the abundance of ssh attacks these days, this is how I have any and all internet facing machines configured. If I need to login as root remotely, I login as a normal user and then use sudo or su.

And yes, you can block this IP address using tcp_wrappers. However, if this is an attack, chances are they will try again from another IP address (or a spoofed one).

-- Tom
If it ain't broke, it needs optimized.
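The point Tom makes about the log line (the bracketed number is the sshd PID, the "port 56814" is the client's ephemeral port and changes on every attempt) is easiest to see by summarising the failures per source address. The script below is an added example, not part of the original thread; the syslog lines in SAMPLE_LOG are constructed to resemble the poster's entry, and the addresses, ports and timestamps are made up. It uses only POSIX sh, awk and sort, which HP-UX has, and the threshold passed to `offenders` is an arbitrary choice for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise sshd "Failed password"
# entries by source address, show that the client port varies per attempt, and
# emit /etc/hosts.deny lines for addresses over a threshold.
# Constructed sample log; real entries come from the syslog sshd writes to.

SAMPLE_LOG='Jan 10 10:00:01 host sshd[12170]: Failed password for root from 132.126.1.4 port 56814 ssh2
Jan 10 10:05:02 host sshd[12233]: Failed password for root from 132.126.1.4 port 56901 ssh2
Jan 10 10:10:03 host sshd[12301]: Failed password for root from 132.126.1.4 port 57010 ssh2
Jan 10 10:12:44 host sshd[12350]: Accepted publickey for oper from 10.1.2.3 port 40100 ssh2
Jan 10 10:15:04 host sshd[12402]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Jan 10 10:20:05 host sshd[12455]: Failed password for root from 132.126.1.4 port 57122 ssh2'

# failed_by_source: read syslog on stdin, print "count address", most frequent first.
# The address is the field after "from", which also copes with "invalid user X".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# failed_count ADDRESS: number of failed password attempts from one address (0 if none).
failed_count() {
    failed_by_source | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# distinct_ports ADDRESS: how many different client ports that address used.
# A value equal to the attempt count confirms the port is an ephemeral client
# port chosen by the remote side, not a service listening on this host.
distinct_ports() {
    awk -v ip="$1" '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) == ip && $(i + 2) == "port") p[$(i + 3)]++
         }
         END { n = 0; for (k in p) n++; print n }'
}

# offenders MIN: addresses with at least MIN failures.
offenders() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# deny_lines MIN: the same addresses formatted as /etc/hosts.deny entries for sshd
# (tcp_wrappers syntax: "daemon: client").
deny_lines() {
    offenders "$1" | awk '{ print "sshd: " $1 }'
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "failures from 132.126.1.4: $(printf '%s\n' "$SAMPLE_LOG" | failed_count 132.126.1.4)"
echo "distinct client ports:     $(printf '%s\n' "$SAMPLE_LOG" | distinct_ports 132.126.1.4)"
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3
```

On a live system replace `printf '%s\n' "$SAMPLE_LOG"` with a read of the syslog file sshd logs to; the functions only look at lines containing `sshd[PID]: Failed password for`, so "Accepted" lines and other daemons are ignored.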
Bill Hassell
Honored Contributor

Re: Too many failed ssh connection

ssh attacks are very, very common, especially if this computer faces the open Internet. To find out something about the address, take the IP addr and plug it into samspade.org. But if you're using ssh on your systems, you need to also change the default port number (not 22) and have all your legitimate users configure their clients to use the new port number. ALWAYS disable direct root logins from any network connection (telnet, ssh, rlogin, etc). And look at a firewall to help with these attacks. They are automated (as you've seen, every 5 minutes) and will continue to increase until you change the default port for ssh.


Bill Hassell, sysadmin
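Both Tom and Bill recommend the same two sshd_config changes: PermitRootLogin no and a non-default Port. A pitfall when checking a config by eye is that sshd takes the first occurrence of a keyword and ignores later ones, and that keywords are case-insensitive, so a hardened-looking line further down may be dead. The audit script below is an added example and not from the thread; both config files it writes are constructed. It assumes the defaults that apply when a keyword is absent are PermitRootLogin yes (the older OpenSSH default) and Port 22, and it reads only the global section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example (not from the original thread): report the effective
# PermitRootLogin and Port of an sshd_config the way sshd resolves them:
# first occurrence wins, keyword match is case-insensitive, '#' starts a comment,
# and settings inside a Match block are not global.
# Assumed defaults when the keyword is absent: PermitRootLogin yes, Port 22.

# sshd_setting FILE KEYWORD DEFAULT : print the effective global value.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                                  # strip comments
        NF >= 1 && tolower($1) == "match" { exit }          # global section ends here
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE : print findings; returns 0 if both settings are
# hardened as the thread recommends, 1 otherwise. Only "no" is accepted for
# PermitRootLogin; the partial values (without-password etc.) are reported as allowed.
audit_sshd_config() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin yes)
    port=$(sshd_setting "$1" Port 22)
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        no) echo "PermitRootLogin no: OK" ;;
        *)  echo "PermitRootLogin $root: direct root login allowed"; rc=1 ;;
    esac
    if [ "$port" = 22 ]; then
        echo "Port 22: default port, automated scanners will find it"; rc=1
    else
        echo "Port $port: non-default port"
    fi
    return $rc
}

# Two constructed sample configs (not real system files).
WEAK=${TMPDIR:-/tmp}/sshd_config.weak.$$
HARD=${TMPDIR:-/tmp}/sshd_config.hard.$$
trap 'rm -f "$WEAK" "$HARD"' EXIT

cat > "$WEAK" <<'EOF'
# constructed weak config: the commented line does nothing
Protocol 2
#PermitRootLogin no
Port 22
PermitRootLogin yes
EOF

cat > "$HARD" <<'EOF'
# constructed hardened config: lowercase keyword still counts,
# the later PermitRootLogin yes is ignored because the first occurrence wins,
# and the Match block does not change the global value
Protocol 2
Port 2222
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    audit_sshd_config "$f" || echo "=> not hardened"
done
```

Run it against /etc/opt/ssh/sshd_config (the HP-UX Secure Shell location) once you have edited the file, and remember that the daemon has to be restarted before the new values take effect; the audit only shows what the file says, not what the running sshd is using.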