 
Old 08-20-2012, 03:21 PM
Darac Marjal
 
Default Is it possible to hide the ip in ssh connection

On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
> On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
> > On 20.08.2012 17:02, lina wrote:
> >> On Monday 20,August,2012 09:59 PM, lina wrote:
> >>>> Hi,
> >>>>
> >>>> I ssh to a server which has 400+ users, active ones around
> >>>> 100.
> >>>>
> >>>> Frankly speaking, I would feel comfortable to hide my IP if
> >>>> possible,
> >>>>
> >>>> any suggestions (I checked the spoof, but seems not positive),
> >>>>
> >>>> Thanks with best regards,
> >>>>
> >>>>
> >> Another question, how do I know whether there are some people are
> >> attempting to invade my laptop, my username, ip are all exposed
> >> there.
> >
> > If you have SSHd and that is what you are worried about, grep ssh from
> > /var/log/auth.log .
>
> BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
> one.

You need to ask, not "what is", but "who is". More specifically:

$ whois 172.21.48.161
[...]
NetRange: 172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12
OriginAS:
NetName: PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
NetHandle: NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType: IANA Special Use
[...]

In other words, it's someone else on your network.

[cut]
>
> Thanks again,
>
> Best regards,
>
>
> > I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
> >
> > And you might also want to install something like SSHGuard (package
> > sshguard) to protect your SSHd and other services, which it protects
> > from attackers. http://www.sshguard.net/
> >
> >
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/503254AB.8030203@gmail.com
>
 
Old 08-20-2012, 03:31 PM
lina
 
Default Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
> On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
>> On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
>>> On 20.08.2012 17:02, lina wrote:
>>>> On Monday 20,August,2012 09:59 PM, lina wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I ssh to a server which has 400+ users, active ones around
>>>>>> 100.
>>>>>>
>>>>>> Frankly speaking, I would feel comfortable to hide my IP if
>>>>>> possible,
>>>>>>
>>>>>> any suggestions (I checked the spoof, but seems not positive),
>>>>>>
>>>>>> Thanks with best regards,
>>>>>>
>>>>>>
>>>> Another question, how do I know whether there are some people are
>>>> attempting to invade my laptop, my username, ip are all exposed
>>>> there.
>>>
>>> If you have SSHd and that is what you are worried about, grep ssh from
>>> /var/log/auth.log .
>>
>> BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
>> one.
>
> You need to ask, not "what is", but "who is". More specifically:
>
> $ whois 172.21.48.161
> [...]
> NetRange: 172.16.0.0 - 172.31.255.255
> CIDR: 172.16.0.0/12
> OriginAS:
> NetName: PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
> NetHandle: NET-172-16-0-0-1
> Parent: NET-172-0-0-0-0
> NetType: IANA Special Use
> [...]
>
> In other words, it's someone else on your network.

So I am under regular attacks recently, very gentle attacks, only tried
a few times each day?

How do I know who has this IP address? Why didn't s/he change it?

Unbelievable, hope I am wrong here.

Best regards,
>
> [cut]
>>
>> Thanks again,
>>
>> Best regards,
>>
>>
>>> I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
>>>
>>> And you might also want to install something like SSHGuard (package
>>> sshguard) to protect your SSHd and other services, which it protects
>>> from attackers. http://www.sshguard.net/
>>>
>>>
>>
>>


Archive: http://lists.debian.org/5032583E.70006@gmail.com
 
Old 08-20-2012, 03:33 PM
Mika Suomalainen
 
Default Is it possible to hide the ip in ssh connection


On 20.08.2012 18:15, lina wrote:
> BTW, what is the 172.21.48.161, seems in the old auth.log* also has
> this one.
>
> # zmore auth.log.2.gz | grep 172.21.48.161
> Aug 5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
> Aug 5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
> Aug 5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
> Aug 5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
<...>

To me it looks like a bot, which is trying to guess usernames and
passwords to your system.
If you had sshguard or something similar installed, you would also see
a message about that host being banned because of failed authentications.

> Thanks again,

You're welcome


Archive: http://lists.debian.org/503258DD.6000703@users.sourceforge.net
 
Old 08-20-2012, 03:35 PM
Mika Suomalainen
 
Default Is it possible to hide the ip in ssh connection


On 20.08.2012 18:31, lina wrote:
> So I am under regular attacks recently, very gentle attack, only
> tried few times each day?

At least your auth.log says so and it shouldn't lie.

> How do I know who has this IP address? why s/he didn't change?

You probably don't. I don't understand this second question.


Archive: http://lists.debian.org/5032594B.9050800@users.sourceforge.net
 
Old 08-20-2012, 03:36 PM
lina
 
Default Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:33 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:15, lina wrote:
>> BTW, what is the 172.21.48.161, seems in the old auth.log* also has
>> this one.
>
>> # zmore auth.log.2.gz | grep 172.21.48.161
>> Aug 5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
>> Aug 5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
>> Aug 5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
>> Aug 5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
> <...>
>
> For me it looks like a bot, which is trying to guess usernames and
> passwords to your system.
> If you had sshguard or something similar installed, you would also see
> message about that host being banned, because of failed authentications.

I have just installed sshguard.

I checked the times of the attempted connections from this IP; they are quite
regular, more like some program doing those things.

Aug 13 16:07:31
Aug 13 16:07:52
Aug 13 16:07:52
Aug 13 16:07:54
Aug 13 16:08:07
Aug 14 16:08:16
Aug 14 16:08:42
Aug 14 16:08:42
Aug 14 16:08:45
Aug 14 16:08:46
Aug 16 16:08:29
Aug 16 16:08:53
Aug 16 16:08:53
Aug 16 16:08:55
Aug 16 16:08:56
Aug 5 16:05:13
Aug 5 16:05:36
Aug 5 16:05:36
Aug 5 16:05:38
Aug 5 16:05:40
Aug 6 04:04:45
Aug 6 04:05:09
Aug 6 04:05:09
Aug 6 04:05:10
Aug 6 04:05:11
Aug 6 16:06:08
Aug 6 16:06:29
Aug 6 16:06:29
Aug 6 16:06:31
Aug 6 16:06:32
Aug 7 04:04:44
Aug 7 04:05:07
Aug 7 04:05:07
Aug 7 04:05:09
Aug 7 04:05:23
Jul 29 16:07:53
Jul 29 16:08:14
Jul 29 16:08:14
Jul 29 16:08:15
Jul 29 16:08:22
Aug 2 16:07:50
Aug 2 16:08:11
Aug 2 16:08:11
Aug 2 16:08:13
Aug 2 16:08:18
Aug 4 16:05:38
Aug 4 16:05:58
Aug 4 16:05:59
Aug 4 16:06:01
Aug 4 16:06:02
Aug 5 04:04:42
Aug 5 04:05:05
Aug 5 04:05:05
Aug 5 04:05:07
Aug 5 04:05:08
Jul 27 16:10:23
Jul 27 16:10:43
Jul 27 16:10:43
Jul 27 16:10:45
Jul 27 16:10:48
Jul 28 16:08:09
Jul 28 16:08:29
Jul 28 16:08:30
Jul 28 16:08:31
Jul 28 16:08:32
Jul 29 04:06:20
Jul 29 04:06:43
Jul 29 04:06:43
Jul 29 04:06:46
Jul 29 04:06:47


Thanks again,

>
>> Thanks again,
>
> You're welcome
>
>


Archive: http://lists.debian.org/50325992.1060005@gmail.com
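
Added example, not part of any poster's message: a Python sketch of the checks discussed in the thread so far. It pulls failed sshd events out of auth.log text, groups them by source address, tests the address against the RFC 1918 blocks, and summarises when the bursts of attempts occur. The sample log, the function name `summarize`, the year and the 10-minute burst gap are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
Aug  6 04:05:09 Debian sshd[16001]: Invalid user administrator from 172.21.48.161
Aug  6 04:05:10 Debian sshd[16001]: Failed password for invalid user administrator from 172.21.48.161 port 55012 ssh2
Aug  6 16:06:29 Debian sshd[16544]: Invalid user admin from 172.21.48.161
Aug  6 16:06:31 Debian sshd[16544]: Failed password for invalid user admin from 172.21.48.161 port 55101 ssh2
Aug  6 18:30:02 Debian sshd[16720]: Failed password for root from 203.0.113.7 port 40222 ssh2
Aug  6 19:00:00 Debian sshd[16800]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# The three RFC 1918 blocks; 172.16.0.0/12 is the one the whois output in the thread reports.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Timestamp, then one of the three failure messages seen in the thread, then the IPv4 source.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+"
    r"|Did not receive identification string) from (\d+\.\d+\.\d+\.\d+)"
)

def summarize(log_text, year=2012, burst_gap_s=600):
    """Group failed sshd events by source IP; syslog has no year, so `year` is assumed."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append(ts)
    report = {}
    for ip, stamps in events.items():
        stamps.sort()
        bursts = [stamps[0]]  # start time of each burst of attempts
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() > burst_gap_s:
                bursts.append(cur)
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "events": len(stamps),
            "bursts": len(bursts),
            "burst_hours": sorted({b.hour for b in bursts}),
            "rfc1918": any(addr in net for net in RFC1918),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many bursts confined to one or two hours of the day, as in `burst_hours`, point to a scheduled job rather than a person typing, and `rfc1918` being true means the source sits on the local network rather than the public Internet.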
 
Old 08-20-2012, 03:38 PM
lina
 
Default Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:31, lina wrote:
>> So I am under regular attacks recently, very gentle attack, only
>> tried few times each day?
>
> At least your auth.log says so and it shouldn't lie.
>
>> How do I know who has this IP address? why s/he didn't change?
>
> You probably don't. I don't understand this second question.

The second question is that, over those days, the attacker should think of
renewing its IP address, not keep using the same one.
>
>


Archive: http://lists.debian.org/503259E5.2070809@gmail.com
 
Old 08-20-2012, 03:45 PM
Mika Suomalainen
 
Default Is it possible to hide the ip in ssh connection


On 20.08.2012 18:38, lina wrote:
>>> How do I know who has this IP address? why s/he didn't change?
>>>
>>> You probably don't. I don't understand this second question.
> The second question is that for those days, the attacker should
> think of renew its ip address. not from the same one.

But we don't know whether the attacker is a person or a program which is
running without the knowledge of the owner of the computer.


Archive: http://lists.debian.org/50325BA8.9000104@users.sourceforge.net
 
Old 08-20-2012, 03:56 PM
lina
 
Default Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:38, lina wrote:
>>>> How do I know who has this IP address? why s/he didn't change?
>>>>
>>>> You probably don't. I don't understand this second question.
>> The second question is that for those days, the attacker should
>> think of renew its ip address. not from the same one.
>
> But we don't know is the attacker a person or a program, which is
> running without knowledge of the owner of computer.
Yes, it's more like a program. But the owner in this long period has
never shut down the computer; I am just a bit surprised that it keeps the same
IP address.

>


Archive: http://lists.debian.org/50325E3A.2010505@gmail.com
 
Old 08-20-2012, 04:27 PM
lina
 
Default Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
> It looks like it is possible to use Tor as a proxy:
>
> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
>
> If this document is correct, it is very easy to set up. That would
> obfuscate the ip number you are connecting from by adding a jump in the
> middle. The target server would only see that last step.

I followed the instructions from the link, but during connection it showed me:

[warn] Got SOCKS5 status response '4': host is unreachable
/bin/bash: line 0: exec: connect: not found
ssh_exchange_identification: Connection closed by remote host

Kind of tricky?
>
> Regards,
> /Lars
>
>


Archive: http://lists.debian.org/5032656F.20604@gmail.com
 
Old 08-20-2012, 04:48 PM
Gaël DONVAL
 
Default Is it possible to hide the ip in ssh connection

On Monday 20 August 2012 at 23:38 +0800, lina wrote:
> On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:31, lina wrote:
> >> So I am under regular attacks recently, very gentle attack, only
> >> tried few times each day?
Too few attempts, none succeeded. Something on your network might be
misconfigured. If you really want to be safe with ssh, be sure root
login is disabled, switch to certificate based authentication and disable
password authentication.

> >> How do I know who has this IP address?
Is that on a personal network? Can you access your router logs?

> The second question is that for those days, the attacker should think of
> renew its ip address. not from the same one.
Not necessarily: my router for instance associates IP addresses with MAC
addresses in a static way.



Archive: http://lists.debian.org/1345481319.4593.116.camel@p76-nom-gd.cnrs-imn.fr
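
Added example, not part of the post above: a Python check that reads sshd_config text and reports where root login or password authentication is still enabled, including inside Match blocks. It relies on two sshd_config rules (keywords are case-insensitive, and the first value obtained for a keyword is the one used); the sample config, the `WANTED` table and the function names are constructed for this example, and Include files are not followed.

```python
# Constructed sample sshd_config (not taken from the thread).
SAMPLE_CONFIG = """\
# Authentication settings
Port 22
PermitRootLogin yes
passwordauthentication no
# The next line has no effect: sshd keeps the first value it reads for a keyword.
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Settings named in the post above; keywords are lower-cased for comparison.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def parse(text):
    """Return (global settings, overrides found inside Match blocks)."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match = value                          # later lines apply only to this Match
        elif match is None:
            settings.setdefault(keyword, value)    # first obtained value wins
        else:
            overrides.append((match, keyword, value))
    return settings, overrides

def audit(text):
    """List (scope, keyword, value) entries that differ from WANTED.

    A value of None means the keyword is not set in the global section,
    so the default of the installed OpenSSH version applies.
    """
    settings, overrides = parse(text)
    findings = [("global", k, settings.get(k))
                for k, want in WANTED.items() if settings.get(k) != want]
    findings += [(f"Match {m}", k, v)
                 for m, k, v in overrides if k in WANTED and v != WANTED[k]]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the duplicate `PasswordAuthentication yes` in the global section is correctly ignored, while the one inside the Match block is reported because it re-enables passwords for that user.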
 
