Potential SSH security problem?

4

I just did a 'netstat -a' on my FreeBSD machine. I discovered the following:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 40 turban.ssh host90.embarqser.60230 ESTABLISHED
tcp4 0 0 turban.ssh host90.embarqser.59985 LAST_ACK
tcp4 0 0 turban.ssh host90.embarqser.47224 TIME_WAIT
tcp4 0 0 turban.ssh host90.embarqser.9304 LAST_ACK

Could there be someone intruding on my machine? My hostname is 'turban', as you can see. I'm really 'new' to system security. Could someone enlighten me?

From /var/log/auth.log, a lot of errors like:

May 4 20:07:10 turban sshd[47801]: Failed keyboard-interactive/pam for invalid user backup from 76.7.43.90 port 11831 ssh2

May 4 20:07:13 turban sshd[47804]: error: PAM: authentication error for bin from 76.7.43.90...

will

Posted 2011-05-04T12:26:17.300

Reputation: 141

a netstat -an is better, gives IP addresses instead of names. – nik – 2011-05-04T12:30:40.383

Hi, I did a netstat -an as you suggested. This is what I found out: http://dawhois.com/traceroute/?query=76.7.43.90 host90.embarqservices.net is connecting to my machine! This is an IP from the USA. Really weird!

– will – 2011-05-04T12:34:38.900

It's hard to know whether you have a problem from the information posted. Did you connect to anyone through ssh? Are you running a sshd? Do you allow anyone to connect from outside? What is the output of last (1)? What is the output of w (1)? What processes are revealed by (for instance) "ps aux"? – CarlF – 2011-05-04T12:36:12.283

last and w yield IPs which I can recognize. Probably someone is trying to log in to my machine. – will – 2011-05-04T12:43:38.783

Not exactly what you're looking for, but perhaps still a good read: http://superuser.com/questions/244214/what-are-possible-security-issues-with-an-ssh-daemon/244234#244234

– BloodPhilia – 2011-05-04T17:12:50.607

Answers

2

Look at /var/auth.log for more information.

If someone is trying to access your machine, it is logged in this file.

Example from my auth.log:

Apr 24 13:53:16 my-server sshd[8107]: Failed password for invalid user db2 from 123.123.123.123 port 59167 ssh2

To see the IPs of connected (SSH) users, type this:

netstat -atn | egrep ':22 ' | egrep -v '(:::|0\.0\.0\.0)' | awk '{sub(/:[0-9]+$/, "", $5); print $5}' | sort | uniq -c

This will show you each IP and the number of connections per IP.

Wolfy

Posted 2011-05-04T12:26:17.300

Reputation: 236

From /var/log/auth.log, a lot of errors like what I pasted below. – will – 2011-05-04T12:37:37.023

May 4 20:07:10 turban sshd[47801]: Failed keyboard-interactive/pam for invalid user backup from 76.7.43.90 port 11831 ssh2
May 4 20:07:13 turban sshd[47804]: error: PAM: authentication error for bin from 76.7.43.90 – will – 2011-05-04T12:38:27.507

@Will, you should keep updating your question with data you are posting as comments here -- it will help others to quickly grasp your problem statement. – nik – 2011-05-04T12:40:21.233
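Added example, not part of the thread or of any answerer's code: a small shell script that does what Wolfy's answer describes, but against auth.log itself rather than netstat, so it counts failed attempts per source IP (the thing the question is actually worried about) instead of current connections. It recognises the three failure formats that appear in the question and in Wolfy's answer ("Failed password", "Failed keyboard-interactive/pam", "error: PAM: authentication error") and ignores successful logins. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold of 3 is an arbitrary choice.

```shell
# Added example (not from the thread): count failed sshd logins per source
# IP in auth.log-style lines and flag sources above a threshold.
# Usage on a real box: count_ssh_failures < /var/log/auth.log

# Constructed sample (not a real log): the three failure formats seen in the
# thread plus one successful publickey login that must not be counted.
SAMPLE_AUTH_LOG='May  4 20:07:10 turban sshd[47801]: Failed keyboard-interactive/pam for invalid user backup from 203.0.113.90 port 11831 ssh2
May  4 20:07:13 turban sshd[47804]: error: PAM: authentication error for bin from 203.0.113.90
May  4 20:07:15 turban sshd[47806]: Failed password for invalid user db2 from 203.0.113.90 port 59167 ssh2
May  4 20:07:20 turban sshd[47810]: Failed password for root from 198.51.100.7 port 40112 ssh2
May  4 20:07:25 turban sshd[47812]: Accepted publickey for will from 192.0.2.10 port 50000 ssh2
May  4 20:07:30 turban sshd[47815]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
May  4 20:07:31 turban sshd[47816]: Failed password for invalid user oracle from 203.0.113.90 port 59170 ssh2'

# count_ssh_failures: read auth.log lines on stdin, print "<count> <ip>"
# sorted by count descending. Only sshd lines recording an authentication
# failure are counted; the IP is the token right after "from", which is
# the same position in all three message formats.
count_ssh_failures() {
    awk '
        /sshd\[[0-9]+\]:/ && (/Failed (password|keyboard-interactive)/ || /PAM: authentication error/) {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { hits[$(i+1)]++; break }
            }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# flag_brute_force THRESHOLD: read auth.log lines on stdin, print only the
# IPs with at least THRESHOLD failures (candidates for a firewall block).
flag_brute_force() {
    count_ssh_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample: 203.0.113.90 has 4 failures,
# 198.51.100.7 has 2, and the successful login from 192.0.2.10 is absent.
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_ssh_failures
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force 3
```

Two things worth noticing when running this on a real log: the "invalid user" lines are attempts against accounts that do not exist at all, while lines like the "PAM: authentication error for bin" one are guesses against real system accounts, so the second kind is the one to watch; and a single source IP is what a dictionary scanner looks like, whereas the same usernames arriving from many IPs is a distributed scan that per-IP counting alone will undercount.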

1

I would not worry too much about this specific discovery. Maybe somebody did try to "port-knock port-scan" on your SSH-port (e.g. with a dictionary scanner), but didn't succeed since you hopefully have a proper password or auth-key only.

To broaden your knowledge, read this blogpost Improve SSH Remote Access Security to see what else you can do, esp. the part "Allow Only Specific User to Log In by SSH". And do not allow root logins through SSH!

Henk

Posted 2011-05-04T12:26:17.300

Reputation: 248

I guess you refer to the term "port-scan". The term "port-knock" has a very different meaning (http://www.portknocking.org/ would be an interesting read).

– nik – 2011-05-04T12:52:10.007

@nik You're completely right! Changed the text (and also looking into Knock (http://www.zeroflux.org/projects/knock) now. ;-)

– Henk – 2011-05-04T21:54:28.480

1

The short answer is that someone is trying to break into your system, most likely via a variation on the typical dictionary attack (i.e. by trying common username/password combinations, instead of just randomly guessing).

In addition to the excellent advice from @Henk (I create a specific group, usually sshusers, and only permit users in that group to log in, for example), I would suggest installing Fail2ban on your system with an SSH jail set up. This will elevate the difficulty of a brute-force attack against your server to the realm of nigh impossibility, since attackers will find themselves suddenly shut off for a period of time when they try; combine this with the how-to entitled Fail2ban monitoring Fail2ban to create an elevated response to an attack (mine's set up with the default 10 minute ban initially, and then a full week if they're persistent), and you can just stop worrying altogether (provided you have at least adequately strong passwords; use pubkeys instead and you're all but invincible!).

Kromey

Posted 2011-05-04T12:26:17.300

Reputation: 4 377
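Added example, not from the thread or from any answerer: a shell check that turns the advice in Henk's and Kromey's answers (no root login, keys instead of passwords, only members of an sshusers group) into something you can run against sshd_config before and after editing it. Both configs below are constructed for the example. One caveat the check encodes that the question's own log line hints at: the failures there are "keyboard-interactive/pam", so setting PasswordAuthentication no on its own does not stop password guessing while ChallengeResponseAuthentication (and UsePAM) are still on. Unset options are treated as the defaults documented in sshd_config(5) at the time of the thread; note that OpenSSH 7.0 and later default PermitRootLogin to prohibit-password, and the check ignores Match blocks.

```shell
# Added example (not from the thread): audit an sshd_config for the
# hardening the answers recommend. Configs below are constructed.

WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowGroups sshusers'

HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
MaxAuthTries 3'

# sshd_value CONFIG_TEXT KEYWORD: print the value of the first uncommented
# occurrence of KEYWORD (sshd honours the first match), or nothing if unset.
# Keywords are case-insensitive. "Key=value" spelling and Match blocks are
# not handled; this reads the global section as plain "Key value" lines.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# audit_sshd_config CONFIG_TEXT: print one finding per line; empty output
# means nothing to fix. Unset options are treated as the old OpenSSH
# defaults (PermitRootLogin yes, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes).
audit_sshd_config() {
    cfg=$1
    v=$(sshd_value "$cfg" PermitRootLogin)
    case "${v:-yes}" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '${v:-yes}': set PermitRootLogin no" ;;
    esac
    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || echo "PasswordAuthentication is '${v:-yes}': use keys and set PasswordAuthentication no"
    v=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] || echo "ChallengeResponseAuthentication is '${v:-yes}': keyboard-interactive/PAM still accepts passwords, set it to no"
    if [ -z "$(sshd_value "$cfg" AllowGroups)" ] && [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "no AllowGroups/AllowUsers: every local account (bin, backup, ...) is a valid login target"
    fi
}

# Demo: the weak config yields four findings, the hardened one none.
echo "--- weak ---";     audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "--- hardened ---"; audit_sshd_config "$HARDENED_SSHD_CONFIG"
```

To run it against the live file: `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`, then `sshd -t` after editing, and keep the existing session open until a fresh login with a key works, since an AllowGroups typo locks you out just as effectively as it locks out the scanner.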

1

My logs are full of russians, americans trying English names on my 22nd port. Too bad for them I moved SSH port to 307, and I use port-knocking on port 54321 to open the SSH port.

karatedog

Posted 2011-05-04T12:26:17.300

Reputation: 809