Old 08-20-2012, 04:57 PM
Lisi
 
Default Is it possible to hide the ip in ssh connection

On Monday 20 August 2012 16:56:42 lina wrote:
> just a bit surprised that it keeps the same
> ip address.

Why?

Lisi


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201208201757.27158.lisi.reisz@gmail.com
 
Old 08-20-2012, 05:10 PM
Ralf Mardorf
 
Default Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 23:56 +0800, lina wrote:
> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
> >>>> How do I know who has this IP address? why s/he didn't change?
> >>>>
> >>>> You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renew its ip address. not from the same one.
> >
> > But we don't know is the attacker a person or a program, which is
> > running without knowledge of the owner of computer.
> Yes, it's more like a program. but the owner in this long period has
> never shutdown the computer, just a bit surprised that it keeps the same
> ip address.

I didn't follow the thread. I recommend using some network protocol
analyzer, OTOH such software can become an additional security risk,
e.g. http://wiki.wireshark.org/Security



--
Archive: http://lists.debian.org/1345482629.1285.56.camel@localhost.localdomain
 
Old 08-20-2012, 06:34 PM
Ralf Mardorf
 
Default Is it possible to hide the ip in ssh connection

Now I read some more mails of this thread.

It's not surprising that everybody connected to the Internet is
attacked. "authentication failure" doesn't lead to a serious issue, but
vice versa it says the attacks were useless. And I'm sure, they will be
useless in the future too.

Lina, perhaps you are "oversensitive". Understandable, but less good for
your blood pressure.

Sometimes "less is more".

I know at least one person who forced "auto-logout" for root terminal
sessions, if root didn't use the terminal for a minute.

Such thoughts aren't "paranoid", but they IMHO are "oversensitive".

2 Cents,
Ralf


--
Archive: http://lists.debian.org/1345487641.1285.71.camel@localhost.localdomain
 
Old 08-20-2012, 06:52 PM
Joe
 
Default Is it possible to hide the ip in ssh connection

On Mon, 20 Aug 2012 23:56:42 +0800
lina <lina.lastname@gmail.com> wrote:

> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
> >>>> How do I know who has this IP address? why s/he didn't change?
> >>>>
> >>>> You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renew its ip address. not from the same one.
> >
> > But we don't know is the attacker a person or a program, which is
> > running without knowledge of the owner of computer.
> Yes, it's more like a program. but the owner in this long period has
> never shutdown the computer, just a bit surprised that it keeps the
> same ip address.
>
> >
>
>

A DHCP client will normally remember its IP address, even if the lease
has expired, and on the next connection will request it again. If the
server hasn't issued it to anyone else, it will normally comply with the
request. Both server and client can be configured not to do this, but
in a Windows network it will probably happen to avoid too much need for
scavenging out-of-date DNS records. Assuming the link between DNS and
DHCP has been set up properly.

Or it may be a configured reservation in the DHCP server i.e. some form
of server itself. Or the client can be explicitly configured to request
that address, when it is available, but there's very little reason to
do that when a reservation is a guaranteed method.

Even if the attacker in this case is a human, it may be difficult or
impossible to override the network policies. Configuration of
networking is limited to people with admin credentials, unprivileged
users cannot even issue a DHCP renewal request other than by rebooting
the machine.

The quick answer here is to try: host <IP address>, which will turn up
the hostname of the offending machine if the local DNS server is
properly set up. Or to at least gain the MAC address of the machine, try
inserting an iptables rule on your machine to log incoming ssh
connections.

e.g. in your INPUT chain, just before the ssh -j ACCEPT command:

iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH IN:"

which will normally log to syslog and also /var/log/debug. I'd have
thought the network admin would keep a list of MAC addresses on the
network. In fact, the easiest answer of all is for the admin to look at
the DHCP and DNS server records.

Or there are programs which will scan the network for hostnames, MAC
addresses and open ports, but I couldn't possibly suggest the use of
such software, which may well be a hanging offence in some places. On
the other hand, they're harbouring an ssh worm...

--
Joe


--
Archive: http://lists.debian.org/20120820195214.3d2db63e@jretrading.com
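
Added example, not part of Joe's message or of the original thread: a Python reader for the lines the LOG rule above writes, keyed on its "SSH IN:" prefix, that reports per source IP the number of new connection attempts and the source MAC address. The sample lines and addresses are constructed; the field layout is the usual kernel LOG output.

```python
import re
from collections import defaultdict

PREFIX = "SSH IN:"                   # --log-prefix value from the rule in the thread
FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; the value may be empty (OUT=)

# Constructed sample lines (kernel LOG layout, documentation addresses).
SAMPLE_LOG = """\
Aug 20 19:41:02 host kernel: [ 101.000001] SSH IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:aa:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 20 19:41:02 host kernel: [ 101.000900] SSH IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:aa:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Aug 20 19:41:05 host sshd[2211]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 20 19:41:09 host kernel: [ 108.000001] SSH IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:aa:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 20 19:42:30 host kernel: [ 189.000001] SSH IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:bb:08:00 SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Parse one syslog line; return its fields, or None if PREFIX is absent."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None
    fields = dict(FIELD.findall(rest))
    flags = rest.split()
    # The rule logs every packet to port 22; a SYN without ACK opens a connection.
    fields["new_conn"] = "SYN" in flags and "ACK" not in flags
    # MAC= is the Ethernet header: 6 bytes destination, 6 bytes source, 2 EtherType.
    # The source MAC is the sender's own only on the same LAN segment;
    # across a router it is the router's.
    mac = fields.get("MAC", "").split(":")
    fields["src_mac"] = ":".join(mac[6:12]) if len(mac) == 14 else None
    return fields

def summarize(log_text):
    """Map source IP -> {'attempts': new connections, 'macs': source MACs seen}."""
    seen = defaultdict(lambda: {"attempts": 0, "macs": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "SRC" not in f or f.get("DPT") != "22":
            continue
        entry = seen[f["SRC"]]
        if f["new_conn"]:
            entry["attempts"] += 1
        if f["src_mac"]:
            entry["macs"].add(f["src_mac"])
    return dict(seen)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["attempts"], sorted(info["macs"]))
```
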
 
Old 08-20-2012, 07:08 PM
Lars Noodén
 
Default Is it possible to hide the ip in ssh connection

On 8/20/12 7:27 PM, lina wrote:
> On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
>> It looks like it is possible to use Tor as a proxy:
>>
>> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
>>
>> If this document is correct, it is very easy to set up. That would
>> obfuscate the ip number you are connecting from by adding a jump in the
>> middle. The target server would only see that last step.
>
> I followed the instruction from link, but during connection it showed me:
>
> [warn] Got SOCKS5 status response '4': host is unreachable
> /bin/bash: line 0: exec: connect: not found
> ssh_exchange_identification: Connection closed by remote host
[snip]

The package connect-proxy contains the utility connect. That has to be
installed. You might also consider using Vidalia to manage Tor.

Regards,
/Lars


--
Archive: http://lists.debian.org/50328B41.9010008@gmail.com
 
Old 08-20-2012, 07:17 PM
John
 
Default Is it possible to hide the ip in ssh connection

On 20/08/12, Joe (joe@jretrading.com) wrote:
> On Mon, 20 Aug 2012 23:56:42 +0800
> lina <lina.lastname@gmail.com> wrote:
> > On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> ...
> e.g. in your INPUT chain, just before the ssh -j ACCEPT command:
>
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH IN:"

Or just add the intruder's address in place of xxx.etc in
/etc/init.d/iptables.rules:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

Works only for the one, of course.

--
JohnRChamplin@wowway.com
================================================== ==
GPG key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63
 
Old 08-20-2012, 07:18 PM
Ralf Mardorf
 
Default Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 22:08 +0300, Lars Noodén wrote:
> On 8/20/12 7:27 PM, lina wrote:
> > On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
> >> It looks like it is possible to use Tor as a proxy:
> >>
> >> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
> >>
> >> If this document is correct, it is very easy to set up. That would
> >> obfuscate the ip number you are connecting from by adding a jump in the
> >> middle. The target server would only see that last step.
> >
> > I followed the instruction from link, but during connection it showed me:
> >
> > [warn] Got SOCKS5 status response '4': host is unreachable
> > /bin/bash: line 0: exec: connect: not found
> > ssh_exchange_identification: Connection closed by remote host
> [snip]
>
> The package connect-proxy contains the utility connect. That has to be
> installed. You might also consider using Vidalia to manage Tor.
>
> Regards,
> /Lars

I thought using tor was a joke or a hint, that too much security at
some point really is too much. I don't have much knowledge about the
Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
just for surfing the web. It's not usable for serious work.


--
Archive: http://lists.debian.org/1345490303.1285.78.camel@localhost.localdomain
 
Old 08-20-2012, 07:22 PM
Lars Noodén
 
Default Is it possible to hide the ip in ssh connection

On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
[snip]
> I thought using tor was a joke or a hint, that too much security at
> some point really is too much. I don't have much knowledge about the
> Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> just for surfing the web. It's not usable for serious work.
>
Tor is intended for privacy, not security, and fulfills that reasonably
well when used for web browsing. I'm not sure though of a use-case for
combining it with SSH beyond the obvious 'because I can'

Regards,
/Lars


--
Archive: http://lists.debian.org/50328E89.7040004@gmail.com
 
Old 08-20-2012, 07:45 PM
Ralf Mardorf
 
Default Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
> On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
> [snip]
> > I thought using tor was a joke or a hint, that too much security at
> > some point really is too much. I don't have much knowledge about the
> > Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> > Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> > just for surfing the web. It's not usable for serious work.
> >
> Tor is intended for privacy, not security, and fulfills that reasonably
> well when used for web browsing. I'm not sure though of a use-case for
> combining it with SSH beyond the obvious 'because I can'

I experienced tor as too slow, just for using it with a browser, a long
time ago. It might be faster today. Off-list, somebody with perhaps some
knowledge, mentioned "too slow" too, regarding the usage that is
wanted in this case.


--
Archive: http://lists.debian.org/1345491940.1285.88.camel@localhost.localdomain
 
Old 08-20-2012, 07:58 PM
Ralf Mardorf
 
Default Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 21:45 +0200, Ralf Mardorf wrote:
> On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
> > On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
> > [snip]
> > > I thought using tor was a joke or a hint, that too much security at
> > > some point really is too much. I don't have much knowledge about the
> > > Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> > > Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> > > just for surfing the web. It's not usable for serious work.
> > >
> > Tor is intended for privacy, not security, and fulfills that reasonably
> > well when used for web browsing. I'm not sure though of a use-case for
> > combining it with SSH beyond the obvious 'because I can'
>
> I experienced tor as too slow, just for using it with a browser, a long
> time ago. It might be faster today. Off-list, somebody with perhaps some
> knowledge, mentioned "too slow" too, regarding the usage that is
> wanted in this case.

PS:

Perhaps an expert would be so kind as to give a serious answer, to keep
Lina from setting up something useless, or to confirm that in this case
it is useful.



--
Archive: http://lists.debian.org/1345492700.1285.91.camel@localhost.localdomain
 
