[TriLUG] SSH Probing...
Jeff Bollinger
jeff01 at email.unc.edu
Wed Mar 13 09:52:52 EST 2002
Yes, there have been SSH scans running rampant for quite a while now.
Take a look at this for more info:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
The best thing to do is to upgrade to the most recent version at
http://www.openssh.org, and make these changes to your sshd_config file
(at least, this is what I like to do, though I'm pretty sure you have to
disallow protocol I)
Change:

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

to:

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

Also change:

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

to:

# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes

Hope that helps,
Jeff
Steve wrote:
> Don't know if any of you have noticed this or not, but over the last few months
> I have started to get hackers probing my SSH port on my Linux box on my cable
> modem. There must be some kind of SSH exploit that they are looking for..
>
> Mar 12 01:34:00 linux sshd[26174]: scanned from 208.63.48.13 with SSH-1.0-SSH_Version_Mapper. Don't panic.
> Mar 12 01:34:01 linux sshd[26173]: Did not receive identification string from 208.63.48.13.
> Mar 12 02:16:49 linux sshd[26231]: Did not receive identification string from 63.96.15.7.
> Mar 12 04:58:45 linux sshd[26772]: scanned from 212.180.37.138 with SSH-1.0-SSH_Version_Mapper. Don't panic.
> Mar 12 04:58:45 linux sshd[26771]: Did not receive identification string from 212.180.37.138.
>
> I'm going to start making a list of the IPs and denying any incoming traffic
> from them. Although I doubt that this will help much....
>
> (I'm still getting lots of "Code Red" probes, but that doesn't bother Apache...)
>
>
--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
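
Added example (not part of the original message, and not OpenSSH code): a Python check that reads sshd_config text and reports whether the two changes described in the message are in place. The function names, and the values assumed when a keyword is absent or commented out, are assumptions taken from the message's "before" snippets.

```python
# Added example: audit sshd_config text for the two changes in the message.
# ASSUMED_DEFAULTS is an assumption: the values taken when a keyword is absent
# or commented out, copied from the message's "before" snippets.
ASSUMED_DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes"}


def effective_settings(config_text):
    """Map keyword -> value as sshd reads the file: '#' lines are comments,
    keywords are case-insensitive, the first occurrence of a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(config_text):
    """Return findings; an empty list means both recommended changes are in."""
    eff = dict(ASSUMED_DEFAULTS)
    eff.update(effective_settings(config_text))
    findings = []
    versions = [v.strip() for v in eff["protocol"].split(",")]
    if "1" in versions:
        findings.append("Protocol %s still offers SSH-1; use 'Protocol 2'"
                        % eff["protocol"])
    if eff["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin %s; use 'PermitRootLogin no'"
                        % eff["permitrootlogin"])
    return findings


# Constructed inputs: the "Change:" and "to:" snippets from the message.
BEFORE = """Port 22
#Protocol 2,1
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
"""
AFTER = BEFORE.replace("#Protocol 2,1", "Protocol 2").replace(
    "PermitRootLogin yes", "PermitRootLogin no")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "OK")
```

Because the first occurrence of a keyword wins, a later `Protocol 2,1` line does not undo an earlier `Protocol 2`, and the check follows the same rule.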