08-21-2012, 05:20 AM
lina

Is it possible to hide the ip in ssh connection

On Tuesday 21,August,2012 02:52 AM, Joe wrote:
> On Mon, 20 Aug 2012 23:56:42 +0800
> lina <lina.lastname@gmail.com> wrote:
>
>> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
>>> On 20.08.2012 18:38, lina wrote:
>>>>>> How do I know who has this IP address? why s/he didn't change?
>>>>>>
>>>>>> You probably don't. I don't understand this second question.
>>>> The second question is that for those days, the attacker should
>>>> think of renewing its IP address, not from the same one.
>>>
>>> But we don't know whether the attacker is a person or a program which is
>>> running without the knowledge of the owner of the computer.
>> Yes, it's more like a program. But the owner in this long period has
>> never shut down the computer; just a bit surprised that it keeps the
>> same IP address.
>>
>>>
>>
>>
>
> A DHCP client will normally remember its IP address, even if the lease
> has expired, and on the next connection will request it again. If the
> server hasn't issued it to anyone else, it will normally comply with the
> request. Both server and client can be configured not to do this, but
> in a Windows network it will probably happen to avoid too much need for
> scavenging out-of-date DNS records. Assuming the link between DNS and
> DHCP has been set up properly.
>
> Or it may be a configured reservation in the DHCP server i.e. some form
> of server itself. Or the client can be explicitly configured to request
> that address, when it is available, but there's very little reason to
> do that when a reservation is a guaranteed method.
>
> Even if the attacker in this case is a human, it may be difficult or
> impossible to override the network policies. Configuration of
> networking is limited to people with admin credentials, unprivileged
> users cannot even issue a DHCP renewal request other than by rebooting
> the machine.
>
> The quick answer here is to try: host <IP address>, which will turn up
> the hostname of the offending machine if the local DNS server is
> properly set up. Or to at least gain the MAC address of the machine, try
> inserting an iptables rule on your machine to log incoming ssh
> connections.
$ host 172.21.48.161
Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)

Nmap scan report for 172.21.48.161
Host is up (0.0021s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
515/tcp open printer
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49154/tcp open unknown

Thanks, I have dropped it in the iptables.

>
> e.g. in your INPUT chain, just before the ssh -j ACCEPT command:
>
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug
> --log-prefix "SSH IN:"
>
> which will normally log to syslog and also /var/log/debug. I'd have
> thought the network admin would keep a list of MAC addresses on the
> network. In fact, the easiest answer of all is for the admin to look at
> the DHCP and DNS server records.
>
> Or there are programs which will scan the network for hostnames, MAC
> addresses and open ports, but I couldn't possibly suggest the use of
> such software, which may well be a hanging offence in some places. On
> the other hand, they're harbouring an ssh worm...
>


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/50331A9A.2080808@gmail.com
 
08-21-2012, 05:39 AM
lina

Is it possible to hide the ip in ssh connection

On Tuesday 21,August,2012 03:12 AM, unruh wrote:
> Everyone suffers these attacks. They are simply part of a toolset which
> crackers use to try to gain entry into Linux machines. As long as you
> have good passwords do not worry. You will also suffer attacks on
> various Windows ports.
>
> If you want you can use /etc/hosts.allow to weed out outside machines
> that try these attacks, either manually or with programs.
>
> You cannot hide your IP or no one in the world could ever ssh into your
> system, making ssh useless for your users.
> Also your attacks appear to be local attacks--
> Ie from someone on you own network. They know who you are.

That's why I am a bit scared. And sometimes I received "unknown" calls;
when I answered, no sound. A bit scary.

I disliked so much that the one who is in charge of the place asked for our
phone number and put all our contact info on a table in front of the door
window. The good excuse was that if there is a fire, someone could find
our contact information easily; damn, if there is a fire, this paper
will burn before s/he can read it.
>
>
>
> In linux.debian.user, you wrote:
>> On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
>>> On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
>>>> On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
>>>>> On 20.08.2012 17:02, lina wrote:
>>>>>> On Monday 20,August,2012 09:59 PM, lina wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I ssh to a server which has 400+ users, active ones around
>>>>>>>> 100.
>>>>>>>>
>>>>>>>> Frankly speaking, I would feel comfortable to hide my IP if
>>>>>>>> possible,
>>>>>>>>
>>>>>>>> any suggestions (I checked the spoof, but seems not positive),
>>>>>>>>
>>>>>>>> Thanks with best regards,
>>>>>>>>
>>>>>>>>
>>>>>> Another question, how do I know whether there are some people
>>>>>> attempting to invade my laptop? My username and IP are all exposed
>>>>>> there.
>>>>>
>>>>> If you have SSHd and that is what you are worried about, grep ssh from
>>>>> /var/log/auth.log .
>>>>
>>>> BTW, what is 172.21.48.161? It seems the old auth.log* also has this
>>>> one.
>>>
>>> You need to ask, not "what is", but "who is". More specifically:
>>>
>>> $ whois 172.21.48.161
>>> [...]
>>> NetRange: 172.16.0.0 - 172.31.255.255
>>> CIDR: 172.16.0.0/12
>>> OriginAS:
>>> NetName: PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
>>> NetHandle: NET-172-16-0-0-1
>>> Parent: NET-172-0-0-0-0
>>> NetType: IANA Special Use
>>> [...]
>>>
>>> In other words, it's someone else on your network.
>>
>> So I am under regular attacks recently, very gentle attacks, only tried
>> a few times each day?
>>
>> How do I know who has this IP address? why s/he didn't change?
>
> It is someone on your own network. If you are at a University it is
> someone there. Find out from the network people who has that IP. But it
> is highly probable that they have no idea that they are launching those
> attacks because their Windows machine has had attack software installed
> on it after their systems were broken into.
On those desktops here only administrators and staff have the privilege to
install software.
>
>
>>
>> unbelievable, hope I am wrong here.
>
> About what? You are an administrator and just discovering that these
> kinds of attack take place regularly?

I felt I made some mistakes before, like putting the public keys from those
servers into my own laptop, just for the convenience of connection.
I am on my way to correcting my mistakes.
>
>
>>
>> Best regards,

Best regards,
>>>
>>> [cut]
>>>>
>>>> Thanks again,
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>> I'm not sure whether that requires LogLevel being "VERBOSE" in sshd_config.
>>>>>
>>>>> And you might also want to install something like SSHGuard (package
>>>>> sshguard) to protect your SSHd and other services, which it protects
>>>>> from attackers. http://www.sshguard.net/
>>>>>
>>>>>


Archive: http://lists.debian.org/50331F1E.1090103@gmail.com
 
08-21-2012, 06:42 AM
Lars Noodén

Is it possible to hide the ip in ssh connection

On 8/21/12 8:20 AM, lina wrote:
> On Tuesday 21,August,2012 02:52 AM, Joe wrote:
>> On Mon, 20 Aug 2012 23:56:42 +0800
>> lina <lina.lastname@gmail.com> wrote:
>>
>>> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
>>>> On 20.08.2012 18:38, lina wrote:
>>>>>>> How do I know who has this IP address? why s/he didn't change?
>>>>>>>
>>>>>>> You probably don't. I don't understand this second question.
>>>>> The second question is that for those days, the attacker should
>>>>> think of renewing its IP address, not from the same one.
>>>>
>>>> But we don't know whether the attacker is a person or a program which is
>>>> running without the knowledge of the owner of the computer.
>>> Yes, it's more like a program. But the owner in this long period has
>>> never shut down the computer; just a bit surprised that it keeps the
>>> same IP address.
>>>
>>>>
>>>
>>>
>>
>> A DHCP client will normally remember its IP address, even if the lease
>> has expired, and on the next connection will request it again. If the
>> server hasn't issued it to anyone else, it will normally comply with the
>> request. Both server and client can be configured not to do this, but
>> in a Windows network it will probably happen to avoid too much need for
>> scavenging out-of-date DNS records. Assuming the link between DNS and
>> DHCP has been set up properly.
>>
>> Or it may be a configured reservation in the DHCP server i.e. some form
>> of server itself. Or the client can be explicitly configured to request
>> that address, when it is available, but there's very little reason to
>> do that when a reservation is a guaranteed method.
>>
>> Even if the attacker in this case is a human, it may be difficult or
>> impossible to override the network policies. Configuration of
>> networking is limited to people with admin credentials, unprivileged
>> users cannot even issue a DHCP renewal request other than by rebooting
>> the machine.
>>
>> The quick answer here is to try: host <IP address>, which will turn up
>> the hostname of the offending machine if the local DNS server is
>> properly set up. Or to at least gain the MAC address of the machine, try
>> inserting an iptables rule on your machine to log incoming ssh
>> connections.
> $ host 172.21.48.161
> Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Nmap scan report for 172.21.48.161
> Host is up (0.0021s latency).
> Not shown: 991 filtered ports
> PORT STATE SERVICE
> 80/tcp open http
> 135/tcp open msrpc
> 139/tcp open netbios-ssn
> 443/tcp open https
> 445/tcp open microsoft-ds
> 515/tcp open printer
> 3389/tcp open ms-wbt-server
> 5357/tcp open wsdapi
> 49154/tcp open unknown
>
> Thanks, I have dropped it in the iptables.
[snip]

In general RETURN is more useful than DROP when you have the choice.

http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

But since it is a local machine causing the problem, it should be
possible to go through the network administrator and contact the owner
of the offending machine directly.

Regards,
/Lars


Archive: http://lists.debian.org/50332DD8.5040809@gmail.com
 
08-21-2012, 11:48 AM
Eike Lantzsch

Is it possible to hide the ip in ssh connection

On Monday 20 August 2012 09:59:47 lina wrote:
> Hi,
>
> I ssh to a server which has 400+ users, active ones around 100.
>
> Frankly speaking, I would feel comfortable to hide my IP if possible,
>
> any suggestions (I checked the spoof, but seems not positive),
>
> Thanks with best regards,

Hi lina!

I followed the thread and I wonder why nobody recommended changing sshd to
listen on any other port than 22, e.g. 2424. That will calm down most attacks
/ probing of ssh.
Also I wondered why nobody recommended installing DenyHosts?
I installed it on my OpenBSD gateway and it is quite funny to see which
usernames and passwords are tried to get into the box.
That was with sshd still listening on port 22. Now that it is on another port
there were no probes whatever for about a year. Stupid hacking!

Of course you need to inform your ssh users of the change. If the same
machines on your own network still attack ssh then it should be easy to figure
out which machine is doing that by looking at the MAC address.

Kind regards,
Eike


Archive: http://lists.debian.org/201208210748.04354.zp6cge@gmx.net
 
08-21-2012, 12:09 PM
lina

Is it possible to hide the ip in ssh connection

On Tuesday 21,August,2012 07:48 PM, Eike Lantzsch wrote:
> On Monday 20 August 2012 09:59:47 lina wrote:
>> Hi,
>>
>> I ssh to a server which has 400+ users, active ones around 100.
>>
>> Frankly speaking, I would feel comfortable to hide my IP if possible,
>>
>> any suggestions (I checked the spoof, but seems not positive),
>>
>> Thanks with best regards,
>
> Hi lina!
>
> I followed the thread and I wonder why nobody recommended changing sshd to
> listen on any other port than 22, e.g. 2424. That will calm down most attacks
> / probing of ssh.

That's very nice of you. I guess by default many people had already changed
that port, and they thought I would have realized earlier that it's one
way of facing it.

Well, I just made the change to the sshd_config to some other port and
also changed the iptables.
> Also I wondered why nobody recommended installing DenyHosts?
Will install it.
> I installed it on my OpenBSD gateway and it is quite funny to see which
> usernames and passwords are tried to get into the box.
> That was with sshd still listening on port 22. Now that it is on another port
> there were no probes whatever for about a year. Stupid hacking!
>
> Of course you need to inform your ssh users of the change. If the same
> machines on your own network still attack ssh then it should be easy to figure
> out which machine is doing that by looking at the MAC address.
Quite interesting, how can I know its MAC address?

Today I sent the email to the administrator; here I quote what he answered
me: "Do you wish to change password just to be sure? Once you change, you
let me know, I'll rsync all the password file. It could be a robot."
So I think it's better not to bother him much. He didn't address the questions
I asked, and he suggested that I should change the password on those servers.

Best regards, and also thanks all for your time and valuable suggestions,
>
> Kind regards,
> Eike
>
>


Archive: http://lists.debian.org/50337A72.4070108@gmail.com
 
08-21-2012, 12:28 PM
Eike Lantzsch

Is it possible to hide the ip in ssh connection

On Tuesday 21 August 2012 08:09:22 lina wrote:
> On Tuesday 21,August,2012 07:48 PM, Eike Lantzsch wrote:
> > On Monday 20 August 2012 09:59:47 lina wrote:
> >> Hi,
> >>
> >> I ssh to a server which has 400+ users, active ones around 100.
> >>
> >> Frankly speaking, I would feel comfortable to hide my IP if possible,
> >>
> >> any suggestions (I checked the spoof, but seems not positive),
> >>
> >> Thanks with best regards,
> >
> > Hi lina!
> >
> > I followed the thread and I wonder why nobody recommended changing sshd
> > to listen on any other port than 22, e.g. 2424. That will calm down most
> > attacks / probing of ssh.
>
> That's very nice of you. I guess by default many people had already changed
> that port, and they thought I would have realized earlier that it's one
> way of facing it.
>
> Well, I just made the change to the sshd_config to some other port and
> also changed the iptables.
>
> > Also I wondered why nobody recommended installing DenyHosts?
>
> will install it.
>
> > I installed it on my OpenBSD gateway and it is quite funny to see which
> > usernames and passwords are tried to get into the box.
> > That was with sshd still listening on port 22. Now that it is on another
> > port there were no probes whatever for about a year. Stupid hacking!
> >
> > Of course you need to inform your ssh users of the change. If the same
> > machines on your own network still attack ssh then it should be easy to
> > figure out which machine is doing that by looking at the MAC address.
>
> Quite interesting, how can I know its MAC address?
arp -a

and do have a look at http://denyhosts.sourceforge.net/

>
> Today I sent the email to the administrator; here I quote what he answered
> me: "Do you wish to change password just to be sure? Once you change, you
> let me know, I'll rsync all the password file. It could be a robot."
> So I think it's better not to bother him much. He didn't address the questions
> I asked, and he suggested that I should change the password on those servers.
>
> Best regards, and also thanks all for your time and valuable suggestions,
>
Again kind regards,
Eike

--
Eike Lantzsch ZP6CGE
Casilla de Correo 1519
1209 Asuncion / Paraguay


Archive: http://lists.debian.org/201208210828.33545.zp6cge@gmx.net
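Joe's iptables LOG rule (first post) and Mika's advice to grep ssh from /var/log/auth.log (second post) together answer lina's question about the probing host's MAC address: a netfilter LOG line records the Ethernet header, so the source MAC can be extracted and correlated with sshd's failed logins from the same address. The script below is an added example, not code from the thread; its log lines are constructed, and the MAC addresses, hostnames and usernames in them are made up (only the 172.21.48.161 address is from the thread).

```python
"""Correlate sshd failures in auth.log with iptables "SSH IN:" kernel log lines.

Constructed sample lines modelled on Debian's /var/log/auth.log and on the
kernel LOG target output of a rule like
  iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH IN:"
"""
import re
from collections import defaultdict

# Constructed sample: in a netfilter LOG line MAC= is dst(6):src(6):ethertype(2).
SAMPLE_LOG = """\
Aug 20 18:38:01 laptop kernel: [1234.56] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:00:1e:c9:aa:bb:cc:08:00 SRC=172.21.48.161 DST=172.21.48.20 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Aug 20 18:38:02 laptop sshd[2101]: Failed password for invalid user oracle from 172.21.48.161 port 51234 ssh2
Aug 20 18:38:05 laptop sshd[2103]: Failed password for root from 172.21.48.161 port 51240 ssh2
Aug 20 18:40:11 laptop kernel: [1364.01] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:00:25:90:11:22:33:08:00 SRC=172.21.48.77 DST=172.21.48.20 LEN=60 PROTO=TCP SPT=40022 DPT=22 SYN
Aug 20 18:40:12 laptop sshd[2110]: Accepted publickey for lina from 172.21.48.77 port 40022 ssh2
"""

LOG_RE = re.compile(r"SSH IN:.*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\d+\.\d+\.\d+\.\d+)")
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def source_mac(mac_field):
    """Return the sender's MAC from the 14-octet MAC= field, or None if malformed."""
    octets = mac_field.split(":")
    return ":".join(octets[6:12]) if len(octets) >= 14 else None


def summarize(log_text):
    """Map each source IP with failed logins to its MAC, failure count and usernames tried."""
    report = defaultdict(lambda: {"mac": None, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            report[m["src"]]["mac"] = source_mac(m["mac"])
            continue
        m = FAIL_RE.search(line)
        if m:
            report[m["src"]]["failures"] += 1
            report[m["src"]]["users"].add(m["user"])
    # Hosts that only logged in successfully (no failures) are not reported.
    return {ip: r for ip, r in report.items() if r["failures"] > 0}


if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(f"{ip} mac={r['mac']} failures={r['failures']} users={sorted(r['users'])}")
```

On a real system, feed it `/var/log/auth.log` plus whatever file the kernel LOG lines land in (syslog or kern.log), and compare the reported MAC against the `arp -a` output Eike mentions.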
 
08-22-2012, 01:54 AM
Chris Bannister

Is it possible to hide the ip in ssh connection

On Tue, Aug 21, 2012 at 01:39:42PM +0800, lina wrote:
> I felt I made some mistakes before, like putting the public keys from those
> servers into my own laptop, just for the convenience of connection.
> I am on my way to correcting my mistakes.

Public keys are meant to be public; it's the secret/private key(s) you
should be protecting.

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X


Archive: http://lists.debian.org/20120822015440.GA15009@tal
 
