Koozali.org: home of the SME Server

SME6admin reports open SSH, but logs show otherwise. Why?

mackayr

SME6admin reports open SSH, but logs show otherwise. Why?
« on: July 29, 2005, 05:17:33 PM »
I recently had an attack on my SSH port whereby a computer (obviously) repeatedly tried different usernames to access my server SSH port.  I've got public/private key access installed now and passwords disabled, so I'm sure that access was not granted.  In my log files, it shows the attempts as illegal users.  However, I received three emails (5 minutes in between) from my server (SME6admin) that indicates that the SSH port is open.

What should I make of this?  Is it possible that since the attempts were frequent and close enough together that the server *thought* the port was actually open when it actually wasn't?

Please advise.

Thanks,

Rob

mackayr

SSH port hack. Is SME6Admin prone to false positives?
« Reply #1 on: August 09, 2005, 03:02:34 PM »
I just had another 10 minutes last night (according to SME6Admin) that my SSH port was open though my "messages" log file indicates numerous unsuccessful attempts.  Is SME6Admin prone to false positives?  Should I be concerned?

CharlieBrady

Re: SME6admin reports open SSH, but logs show otherwise. Wh
« Reply #2 on: August 09, 2005, 04:33:47 PM »
Quote from: "mackayr"
I recently had an attack on my SSH port whereby a computer (obviously) repeatedly tried different usernames to access my server SSH port.


So did everyone.

Quote

I've got public/private key access installed now and passwords disabled, so I'm sure that access was not granted.  In my log files, it shows the attempts as illegal users.  However, I received three emails (5 minutes in between) from my server (SME6admin) that indicates that the SSH port is open.


What's SME6admin?

If you have public/private key access enabled, and ssh enabled, then the SSH port will be open. It's gotta be open for ssh access to work. That doesn't mean that ssh will allow password access.

If you want the ssh port to be closed, then disable SSH access.

mackayr

SME6admin reports open SSH, but logs show otherwise. Why?
« Reply #3 on: August 11, 2005, 11:32:49 PM »
SME6Admin details are here.  

http://firewall-services.com/sme6admin-howto-en.html

The reports seem to conflict, which is my concern.  Which one is right?

raem

SME6admin reports open SSH, but logs show otherwise. Why?
« Reply #4 on: August 12, 2005, 08:57:33 AM »
mackayr

>...The reports seem to conflict

I think it is your interpretation that conflicts.

You said "SME6admin indicates that the SSH port is open"
and that's what Charlie said, if ssh is enabled then the ssh port is open.

Unsuccessful attempts are exactly that, wrong username & password combinations or wrong keys, that doesn't mean the ssh port is closed though.
...

mackayr

SME6admin reports open SSH, but logs show otherwise. Why?
« Reply #5 on: August 12, 2005, 10:55:21 PM »
Sorry.  It's my terminology that's off.  When I said that SME6Admin reports that my port is open, I should have said that it reports that a *session* is open.  In fact, I just had the same thing happen this morning.

Here's the text of the SME6Admin email:

----------------------------------------------------
my.domain :Fri Aug 12 05:20:25 2005 There are 1 opened SSH sessions on the server You had fixed the alert limit at 1 sessions Use the server-manager to handle this problem Check that it is known administrative connections, and not hackers.
----------------------------------------------------

I received such a report every 5 minutes from 5:20 - 5:55 and then a last one at 6:01 AM.

Interestingly, my messages log file shows pairs of entries like this...

----------------------------------------------------
Aug 12 05:11:42 linuxpc sshd[14840]: Illegal user b from 221.186.68.66
Aug 12 05:11:43 linuxpc sshd[14838]: reverse mapping checking getaddrinfo for host0.connectable.reality.com.64.68.186.221.in-addr.arpa failed - POSSIBLE BREAKIN ATTEMPT!
----------------------------------------------------

... about every second or so from 5:11 to 6:01.  I don't understand why SME6Admin didn't report any opened sessions from 5:11 to 5:20.

(note the near-reciprocal relationship between the two addresses - Is that relevant?  The latter address is that of a dedicated server that was likely used as a relay)

So why is there an apparent conflict between the two reports?  One is showing an open *session* (not port) and the other is reporting unsuccessful login attempts.  I have passwords disabled and allow only key access, so I feel relatively safe.

Also, what is this "reverse mapping" all about?  Is this the latest trend for hackers?  I haven't seen those entries in my logs before.

Lastly, I'd really like to quiet my logs (and provide peace of mind) by only allowing access from certain ip addresses.  I've resisted this for some time, because I like the flexibility, but this recent rash of SSH hacks has me a bit nervous.  What is the proper syntax for lists of allowed hosts with the following command I found in the forums:

----------------------------------------------------
/sbin/e-smith/db configuration setprop sshd AllowHosts <list>
where <list> is a comma separated list of IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24).
----------------------------------------------------

I certainly will want to include the range of computers on my own network 192.168.0.X as well as a couple of remote locations that I access my server from.  I don't understand what the "/24" does in the above example.  Does that include all addresses ending in the range X.X.X.0 to X.X.X.24?

Thanks in advance for any guidance.
Rob
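To show what the "/24" in the quoted AllowHosts example actually covers, here is an added example (not from this thread and not SME Server's own code) that parses a value in the syntax quoted above with Python's ipaddress module and checks candidate client addresses against it. The ALLOW_HOSTS value is constructed: the poster's 192.168.0.X LAN plus two placeholder remote addresses from documentation ranges.

```python
import ipaddress


def parse_allow_hosts(allow_hosts):
    """Parse a comma-separated AllowHosts value (IP addresses and/or
    CIDR netmasks, as quoted in the thread) into network objects.
    A bare address becomes a single-host /32 network."""
    nets = []
    for entry in allow_hosts.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False tolerates host bits in the address part, e.g. 192.168.0.5/24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(client_ip, nets):
    """True if client_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def cidr_range(cidr):
    """First address, last address and size of a CIDR block.
    The /N suffix is the number of fixed leading bits, not a last octet:
    /24 fixes the first three octets and leaves the last octet free, so
    203.14.64.0/24 covers 203.14.64.0 through 203.14.64.255 (256 addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


# Constructed sample: the LAN from the post plus two placeholder remote sites.
ALLOW_HOSTS = "192.168.0.0/24, 198.51.100.7, 203.0.113.0/28"

if __name__ == "__main__":
    nets = parse_allow_hosts(ALLOW_HOSTS)
    print("203.14.64.0/24 covers", cidr_range("203.14.64.0/24"))
    # The source address from the poster's log lines is outside every entry.
    for ip in ("192.168.0.200", "192.168.1.5", "203.0.113.20", "221.186.68.66"):
        print(ip, "allowed" if is_allowed(ip, nets) else "blocked")
```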