Remote ssh attack: sshd tries to make udp connection to a remote host
Well, sshd does perform DNS queries on connecting hosts, to try to
determine if they're legit connections. I'm not sure about port 0/udp
though. You could try turning off the 'UseDNS' option in
/etc/ssh/sshd_config, and then see if there are any more of these log
entries. I believe the daemon also connects to port 113 (forgot which
protocol) for each incoming connection.
If it happens again, you can also check current connections with
netstat(1) to see what sshd is doing.
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
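The reply above describes the DNS check sshd runs on a connecting address when UseDNS is enabled: a reverse lookup of the client address, then a forward lookup of the resulting name, which is only trusted if it maps back to the same address; otherwise sshd keeps the address literal and logs the "does not map back" warning quoted further down in the thread. The following is an added example, not code from the thread or from OpenSSH, that models that check with an in-memory zone so it runs offline; the function names, the zone data and the documentation-range addresses are assumptions. The real lookups would be sent by the system resolver, normally over UDP.

```python
"""Model of sshd's reverse-then-forward DNS check (added example, not OpenSSH
code). Zone data and function names are assumptions for illustration only."""

# Constructed zone data (assumption): one address whose PTR name forward-resolves
# to a different address, one that round-trips, and addresses with no PTR at all.
PTR_RECORDS = {
    "203.0.113.7": "cameo.example",
    "198.51.100.9": "good.example",
}
A_RECORDS = {
    "cameo.example": ["203.0.113.250"],  # forward lookup does not confirm
    "good.example": ["198.51.100.9"],    # forward-confirmed reverse DNS
}

# Same wording as the warning sshd logs when the forward lookup disagrees.
WARNING_FMT = ("Address {ip} maps to {name}, but this does not map back to "
               "address - POSSIBLE BREAK-IN ATTEMPT!")


def reverse_lookup(ip):
    """Stand-in for the PTR query the resolver would send (assumed helper)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """Stand-in for the A query the resolver would send (assumed helper)."""
    return A_RECORDS.get(name, [])


def client_hostname(ip, use_dns=True, reverse=reverse_lookup, forward=forward_lookup):
    """Return (hostname_to_use, warning_or_None, number_of_queries).

    use_dns=False mirrors 'UseDNS no' in sshd_config: no query is made and the
    address literal is used. With use_dns=True the reverse name is accepted only
    if a forward lookup of it contains the original address; otherwise the
    literal is kept and the mismatch warning is produced.
    """
    if not use_dns:
        return ip, None, 0
    name = reverse(ip)
    if name is None:
        return ip, None, 1            # no PTR record: nothing to confirm, no warning
    if ip in forward(name):
        return name, None, 2          # forward-confirmed: safe to use the name
    return ip, WARNING_FMT.format(ip=ip, name=name), 2


def mismatch_warnings(ips, use_dns=True):
    """Run the check over a batch of client addresses and collect the warnings."""
    warnings = []
    for ip in ips:
        _, warning, _ = client_hostname(ip, use_dns)
        if warning:
            warnings.append(warning)
    return warnings


if __name__ == "__main__":
    for addr in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(client_hostname(addr))
    print("with UseDNS no:", mismatch_warnings(["203.0.113.7"], use_dns=False))
```

Turning UseDNS off removes both the warning and the lookups themselves, which is why the reply suggests it as a way to see whether the denied UDP connect() entries go away together with the DNS traffic.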
On Sat, 29 Dec 2007, firstname.lastname@example.org wrote:
Date: Sat, 29 Dec 2007 18:11:01 +0100 (CET)
Subject: [gentoo-hardened] Remote ssh attack: sshd tries to make udp connection to a remote host
I've found a bunch of these messages in my log:
"grsec: From 126.96.36.199: (root:U:/usr/sbin/sshd) denied connect() to
188.8.131.52 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031]
uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0
Along with these:
"Address 184.108.40.206 maps to cameo.com.tw, but this does not map back to
address - POSSIBLE BREAK-IN ATTEMPT!"
Is it normal behavior for sshd to make UDP connections to a remote
host? Especially using port 0? I have a feeling somebody could make my
sshd do bad things without grsec's RBAC system.
It annoys me. Is there anybody on the list with the same experience, or
who knows more about this?
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
email@example.com mailing list
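The two kinds of log lines quoted in the original post (grsec RBAC "denied connect()" entries and sshd's reverse-DNS mismatch warning) carry enough structure to triage them mechanically: which binary tried to connect, to where, over which protocol, under which uid, and which remote client session it belongs to. The following is an added example, not code from the thread or from grsecurity, that parses both line formats, summarises the denials, correlates them with the sshd warnings by client address, and flags any denial whose process is not the one its parent was running (a child exec'd by sshd reaching out). The sample log is constructed with documentation-range addresses and is not the poster's data.

```python
"""Parser and triage for grsec RBAC connect() denials and sshd reverse-DNS
warnings (added example; sample log constructed, not the poster's data)."""
import re
from collections import Counter, defaultdict

# Field layout follows the grsec line quoted in the thread.
GRSEC_CONNECT = re.compile(
    r"grsec: From (?P<src>[\d.]+): \((?P<role>[^)]*)\) denied connect\(\) to "
    r"(?P<dst>[\d.]+) port (?P<port>\d+) sock type (?P<socktype>\w+) "
    r"protocol (?P<proto>\w+) by (?P<binary>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pbinary>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)
SSHD_MISMATCH = re.compile(
    r"Address (?P<ip>[\d.]+) maps to (?P<name>\S+), but this does not map back "
    r"to address - POSSIBLE BREAK-IN ATTEMPT!"
)

# Constructed sample log (assumption): two sshd resolver-style UDP denials, one
# sshd warning for the same client, and one TCP denial from a shell under sshd.
SAMPLE_LOG = """\
grsec: From 203.0.113.5: (root:U:/usr/sbin/sshd) denied connect() to 198.51.100.53 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
sshd[19031]: Address 203.0.113.5 maps to cameo.example, but this does not map back to address - POSSIBLE BREAK-IN ATTEMPT!
grsec: From 203.0.113.9: (root:U:/usr/sbin/sshd) denied connect() to 198.51.100.53 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19044] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0
grsec: From 203.0.113.5: (root:U:/usr/sbin/sshd) denied connect() to 192.0.2.77 port 4444 sock type stream protocol tcp by /bin/sh[sh:19050] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:19031] uid/euid:0/0 gid/egid:0/0
"""

INT_FIELDS = ("port", "pid", "ppid", "uid", "euid", "gid", "egid")


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = GRSEC_CONNECT.search(line)
    if m:
        event = m.groupdict()
        for key in INT_FIELDS:
            event[key] = int(event[key])
        event["kind"] = "grsec_connect"
        return event
    m = SSHD_MISMATCH.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "sshd_mismatch"
        return event
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def connect_summary(events):
    """Count denials by (binary, protocol, destination, port)."""
    return Counter((e["binary"], e["proto"], e["dst"], e["port"])
                   for e in events if e["kind"] == "grsec_connect")


def correlate_by_client(events):
    """Map each client address that triggered an sshd warning to the grsec
    denials grsec attributes to that same client session ('From' field)."""
    flagged = {e["ip"] for e in events if e["kind"] == "sshd_mismatch"}
    by_client = defaultdict(list)
    for e in events:
        if e["kind"] == "grsec_connect" and e["src"] in flagged:
            by_client[e["src"]].append(e)
    return dict(by_client)


def unexpected_connects(events):
    """Denials where the connecting binary differs from its parent's binary or
    the socket is not a datagram socket: neither looks like resolver traffic."""
    return [e for e in events if e["kind"] == "grsec_connect"
            and (e["binary"] != e["pbinary"] or e["socktype"] != "dgram")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in connect_summary(evs).items():
        print(n, key)
    for e in unexpected_connects(evs):
        print("UNEXPECTED:", e["binary"], "->", e["dst"], e["port"], e["proto"])
```

The summary makes the repeating pattern visible at a glance (same destination, same protocol, same binary), and the last function separates that pattern from anything that would actually justify the "POSSIBLE BREAK-IN" worry, such as a process other than sshd itself opening a stream socket out of a session.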