12-29-2007, 04:11 PM

Remote ssh attack: sshd tries to make udp connection to a remote host

I've found a bunch of these messages in my log:
"grsec: From 219.87.17.209: (root:U:/usr/sbin/sshd) denied connect() to
219.87.17.3 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031]
uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0
gid/egid:0/0"
Along with these:
"Address 219.87.17.209 maps to cameo.com.tw, but this does not map back to
the address - POSSIBLE BREAK-IN ATTEMPT!"

Is it normal behavior for sshd to make UDP connections to a remote
host? Especially using port 0? I have a feeling somebody could make my
sshd do bad things without grsec's RBAC system.

It annoys me. Is there anybody on the list with the same experience or
who knows more about this?

Regards,
Dw.
--
Dr. Attila Tóth, Radiology Specialist Candidate, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

--
gentoo-hardened@gentoo.org mailing list
 
12-29-2007, 06:08 PM
brant williams

Remote ssh attack: sshd tries to make udp connection to a remote host


Well, sshd does perform DNS queries on connecting hosts, to try and
determine if they're legit connections. I'm not sure about port 0/udp
though. You could try turning off the 'UseDNS' option in
/etc/ssh/sshd_config, and then see if there are any more of these log
entries. I believe the daemon also connects to port 113 (forgot which
protocol) for each incoming connection.


If it happens again, you can also check current connections with
netstat(1) to see what sshd is doing.

brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



On Sat, 29 Dec 2007, atoth@atoth.sote.hu wrote:


Date: Sat, 29 Dec 2007 18:11:01 +0100 (CET)
From: atoth@atoth.sote.hu
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Remote ssh attack: sshd tries to make udp connection to a remote host


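An added example, not code from the thread or from the sshd or grsecurity projects, that ties the two quoted log lines together. The pairing is consistent with sshd's 'UseDNS' check that brant describes: sshd reverse-resolves the connecting address (219.87.17.209 -> cameo.com.tw), then forward-resolves that name to see whether it maps back, and the forward lookup evidently returned 219.87.17.3. glibc's getaddrinfo() sorts candidate destination addresses by connect()ing an unbound UDP socket to each one to learn which local source address the kernel would choose; connect() on a UDP socket sends no packet, and because sshd asks for no service the port is 0. That is the syscall the RBAC policy denied, and it targets the forward-lookup result rather than the connecting peer, exactly as in the log. The script below parses grsec connect() denials and sshd reverse-mapping warnings, correlates them by peer address, and separates that benign pattern from denials that deserve a closer look. The sample log is constructed: its first two lines are the thread's own (re-joined onto single lines), the rest are made up with RFC 5737 documentation addresses; the verdict names and the reading of the grsec "From" field as the connecting peer are mine.

```python
"""Correlate grsec RBAC connect() denials with sshd reverse-DNS warnings."""
import re
from dataclasses import dataclass

# Constructed sample log. The first two lines are the ones quoted in the thread
# (the sshd line re-joined onto one line); the remaining lines are made up, using
# RFC 5737 documentation addresses, to exercise the other branches below.
SAMPLE_LOG = """\
grsec: From 219.87.17.209: (root:U:/usr/sbin/sshd) denied connect() to 219.87.17.3 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
sshd[19031]: Address 219.87.17.209 maps to cameo.com.tw, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
grsec: From 203.0.113.7: (root:U:/usr/sbin/sshd) denied connect() to 198.51.100.5 port 53 sock type dgram protocol udp by /usr/sbin/sshd[sshd:20144] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
grsec: From 192.0.2.99: (root:U:/usr/sbin/sshd) denied connect() to 192.0.2.99 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:20201] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
grsec: From 198.51.100.77: (root:U:/usr/sbin/sshd) denied connect() to 203.0.113.200 port 6667 sock type stream protocol tcp by /usr/sbin/sshd[sshd:20333] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
"""

# grsec RBAC denial: "From <peer>" is the remote address of the connection the
# denied process belongs to (my reading); <dst>/<port> are the connect() target.
GRSEC_CONNECT = re.compile(
    r"grsec: From (?P<peer>\S+): \((?P<subject>[^)]*)\) denied connect\(\) to "
    r"(?P<dst>\S+) port (?P<port>\d+) sock type (?P<socktype>\w+) "
    r"protocol (?P<proto>\w+) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

# sshd's UseDNS warning: reverse lookup gave <name>, forward lookup of <name>
# did not include <peer>.
SSHD_FCRDNS = re.compile(
    r"Address (?P<peer>\S+) maps to (?P<name>\S+), but this does not map back "
    r"to the address - POSSIBLE BREAK-IN ATTEMPT!"
)


@dataclass
class Finding:
    peer: str      # connecting client (grsec "From")
    pid: int       # sshd child that issued the connect()
    dst: str
    port: int
    proto: str
    verdict: str   # label assigned below (my own names, not grsec's or sshd's)
    detail: str


def parse_events(text):
    """Split a log into grsec connect() denials and sshd reverse-DNS warnings."""
    connects, mismatches = [], {}
    for line in text.splitlines():
        m = GRSEC_CONNECT.search(line)
        if m:
            connects.append(m.groupdict())
            continue
        m = SSHD_FCRDNS.search(line)
        if m:
            mismatches[m["peer"]] = m["name"]
    return connects, mismatches


def classify(connects, mismatches):
    """Explain each denied connect() where the DNS lookups account for it."""
    findings = []
    for c in connects:
        peer, dst, port, proto = c["peer"], c["dst"], int(c["port"]), c["proto"]
        if proto == "udp" and port == 53:
            verdict = "dns_query"
            detail = "resolver traffic to a nameserver; the RBAC policy should allow it"
        elif proto == "udp" and port == 0 and dst == peer:
            verdict = "fcrdns_ok"
            detail = "source-address probe towards the connecting peer itself"
        elif proto == "udp" and port == 0 and peer in mismatches:
            verdict = "fcrdns_mismatch"
            detail = (f"probe towards {dst}, which forward lookup of "
                      f"{mismatches[peer]} returned instead of {peer}")
        else:
            verdict = "unexplained"
            detail = "not DNS related; treat as a real policy violation"
        findings.append(Finding(peer, int(c["pid"]), dst, port, proto, verdict, detail))
    return findings


def analyse(text):
    return classify(*parse_events(text))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.verdict:16} peer={f.peer} pid={f.pid} -> {f.dst}:{f.port}/{f.proto}  {f.detail}")
```

Setting 'UseDNS no' in sshd_config removes both lookups and with them the dgram connect(), which is the quickest way to confirm the explanation on a live host; running `strace -f -e trace=socket,connect -p <pid of the listening sshd>` during a login from a host whose reverse and forward records disagree shows the same connect() directly. Only the "unexplained" verdict above should reach an alert.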