I have suddenly started getting lots of messages like the following in my /var/log/messages:-
    Aug 5 06:59:01 home sshd[7886]: Connection from 193.128.168.195 port 63433
    Aug 5 07:14:02 home sshd[7890]: Connection from 193.128.168.195 port 63995
    Aug 5 07:29:01 home sshd[7893]: Connection from 193.128.168.195 port 64515
    Aug 5 07:44:01 home sshd[2451]: Generating new 768 bit RSA key.
    Aug 5 07:44:01 home sshd[2451]: RSA key generation complete.
    Aug 5 07:44:02 home sshd[7897]: Connection from 193.128.168.195 port 65110
I can't see any other activity as a result, no attempted logins or odd processes running. Should I be worried? The IP address 193.128.168.195 seems to be unidentified.
I get the occasional login attempt from other places but these are fairly obvious and my passwords are close to unguessable so they don't worry me too much.
On 8/6/07, Chris G cl@isbd.net wrote:
whois 193.128.168.195 suggests "AP Solve Limited".
For another layer of security I use sshblack: http://www.pettingers.org/code/sshblack.html
I installed it after getting sick of hearing the hard disk recording every login attempt. After 'n' guesses the IP address is blocked (with iptables) for a few days. There is a white list too, just in case you want regular remote access from an IP address someone else could cause to block.
Regards, Tim.
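An added example, not part of the original thread and not sshblack's own code: a minimal sketch of the block-after-'n'-guesses policy described above, with a whitelist and an expiring block. The threshold, window, block duration, whitelist address and all log lines except the connection-only format are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed policy: the post only says 'n' guesses and "a few days".
MAX_FAILURES, WINDOW, BLOCK_FOR = 3, timedelta(minutes=10), timedelta(days=3)
WHITELIST = {"198.51.100.7"}  # hypothetical trusted remote address

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample log; the first line copies the connection-only format from the thread.
SAMPLE = """\
Aug  5 06:59:01 home sshd[7886]: Connection from 193.128.168.195 port 63433
Aug  5 07:00:03 home sshd[7901]: Failed password for root from 203.0.113.50 port 40112 ssh2
Aug  5 07:00:06 home sshd[7903]: Failed password for invalid user admin from 203.0.113.50 port 40120 ssh2
Aug  5 07:00:09 home sshd[7905]: Failed password for invalid user test from 203.0.113.50 port 40131 ssh2
Aug  5 07:01:00 home sshd[7910]: Failed password for user from 198.51.100.7 port 51000 ssh2
Aug  5 07:01:05 home sshd[7911]: Failed password for user from 198.51.100.7 port 51002 ssh2
Aug  5 07:01:09 home sshd[7912]: Failed password for user from 198.51.100.7 port 51004 ssh2
Aug  5 07:05:00 home sshd[7920]: Failed password for root from 192.0.2.9 port 33000 ssh2
Aug  5 07:40:00 home sshd[7930]: Failed password for root from 192.0.2.9 port 33050 ssh2
Aug  5 08:15:00 home sshd[7940]: Failed password for root from 192.0.2.9 port 33100 ssh2
""".splitlines()

def plan_blocks(lines, year=2007):
    """Return {ip: (blocked_at, expires_at)} for sources over the threshold."""
    recent, blocks = {}, {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # connection-only lines are not failed logins
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in WHITELIST or (ip in blocks and when < blocks[ip][1]):
            continue  # trusted source, or already blocked
        hits = [t for t in recent.get(ip, []) if when - t <= WINDOW] + [when]
        recent[ip] = hits
        if len(hits) >= MAX_FAILURES:
            blocks[ip] = (when, when + BLOCK_FOR)
            recent[ip] = []
    return blocks

def iptables_commands(blocks):
    """Render DROP rules for the blocked sources (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(blocks)]

if __name__ == "__main__":
    print("\n".join(iptables_commands(plan_blocks(SAMPLE))))
```

Only 203.0.113.50 is blocked: the whitelisted address is skipped, the slow guesser never reaches three failures inside the window, and connection-only lines do not count as guesses.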
On Mon, Aug 06, 2007 at 05:08:17PM +0100, Tim Green wrote:
Ahhhhh!! :-)
That's where I used to work and I had a cron job there that attempts to set up an outgoing ssh pipe to my home system, this allowed me to log in to work from my home machine even though the firewall didn't allow incoming ssh connections. The sysadmin knew all about it, all quite above board. Obviously the cron job there is still running!
Thanks!
"Tim Green" timothy.j.green@gmail.com wrote:
If you don't want to install more software, you can do something similar but cruder with iptables's rate-limiters. That will limit all connections, not just failed logins, so you may need to be more liberal with the whitelists if you have anyone doing lots of rsync, scp or cvs over ssh connections in a short time period.
Hope that helps,
On Mon, 2007-08-06 at 17:08 +0100, Tim Green wrote:
I have had a nasty script running for many years that does something similar. Mine is far cruder than this though (distinct absence of a whitelist for one)
Even though root logins are banned by sshd and I have hard-to-guess passwords, there is a little bit of satisfaction seeing an iptables rule set grow knowing that those hosts only had a handful of attempts to guess a correct password. And it keeps the logs cleaner.
I know a lot of you will scream at me for this one, but you might be using Windows at work with Cygwin and AVG.
Well, it seems that the recent patch (for today) contains a virus definition which is triggered by various libraries in Cygwin's encoding area, which are almost certainly (99% certain) false positives (especially in the Perl and Python libraries area).
Has anyone else got that issue?
JT
On 8/10/07, James Taylor jt@imen.org.uk wrote:
AVG blue screened on me (XP) yesterday, which was annoying. No cygwin.
Tim.
On Fri, 2007-08-10 at 14:17 +0100, Tim Green wrote:
AVG blue screened on me (XP) yesterday, which was annoying. No cygwin.
Generally when a userspace program causes a kernel to panic (or BSOD) I tend to blame the operating system. :)
How do you know that AVG actually caused the problem and was simply not just one of the processes running at the time? Or did you run the dump file through dumpchk and find something specifically pointing to AVG?
On 8/10/07, Wayne Stallwood ALUGlist@digimatic.co.uk wrote:
The blue screen itself said "avg7core.sys" though the dump file afterwards pointed to winword.exe, which was in the middle of quitting and the kernel complained about memory corruption.
As a Windows driver writer myself, I know where the dump files end up if you click "Send to Microsoft", so hopefully Grisoft and Microsoft will take note!
Tim.
I have had many-a-problem with Word and its virus scanning antics. I have not yet managed to work out where to disable its automatic attempts to scan files before opening them - personally I make sure that no viri can come into the system, so any document I have shouldn't be infected, plus automatic daily scans would pick up anything that did manage to make it in.
Seeing as in a week I probably only open/edit five or six different documents, it's very frustrating to sometimes wait five or more minutes whilst it performs this redundant check.
JT
On Sat, 2007-08-11 at 00:13 +0100, JT wrote:
Actually this has caught me out before, when it says that it is not only doing the check. There is a known bug in Word (that can only be fixed properly with a Per Incident Support Patch or by upgrading to 2007 last time I looked) where if a document is created with a template from a UNC path to a network resource that is no longer available then there will sometimes be a wait whilst that document opens (with the virus scanning message still at the bottom).
I had the problem with a client that would take his laptop home and not always connect to the VPN, documents that opened instantly when he was in the office would then take up to several minutes unless he connected to the VPN first. In the end I cheated and made the network templates folder available offline using the offline files synchronisation tools.
I think this is specific to when you have accessed the template file via a UNC path; if it is on a mapped drive that is no longer mapped etc. then it is fine, but any unavailable UNC path lookup on Windows takes ages as it cycles through the various name lookup mechanisms (presumably just to check to see if the template has been updated or something).
On Fri, 2007-08-10 at 14:08 +0100, James Taylor wrote:
I have Cygwin/X and a few other bits (mainly rsync and ssh stuff) and have not had this problem with AVG Pro and the latest pattern files.
But I probably don't have the libraries you mention.