
Looks like a hacker attempt... what do you think?
eggman
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Dec 28, 2007, 03:56 PM
 
Thanks to LittleSnitch, I noticed some uncharacteristic traffic on sshd from an unknown IP address which was being very, very persistent.

Looking in my appfirewall logs, I'm finding many, many dozens of messages like this:

Dec 28 10:29:23 [my computer name] Firewall[59]: Allow sshd-keygen-wrapper connecting from 64.122.166.7:45287 uid = 0 proto=6

The port number following the IP is always different, but otherwise the message repeats every 4 or 5 seconds for over an hour (which is when I sat down to work, noticed this, and blocked their IP address).

I'm assuming that these many, many redundant attacks represent attempts... but failures... to gain access to my system - but I'm more than a bit wary about this. Looking over my logs from previous days, I'm seeing other such attempts coming from other IP addresses. Frankly, I resent my bandwidth being utilized by these clowns.

So, what do you think: how concerned should I be? I have changed my system admin password, just to be safe.

I've got the SSH port open on my router so I can shell in remotely myself, which I sometimes have occasion to do.
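The pattern the post describes (one source address, a fresh source port every few seconds, for an hour) can be pulled out of the appfirewall log mechanically. The following is an added example, not code from the thread: it parses constructed lines in the same format and flags sources that reconnect repeatedly at short intervals. The hostname, addresses and times in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the appfirewall format quoted in the post.
# Hostname, source addresses (RFC 5737 ranges) and times are made up.
SAMPLE_LOG = """\
Dec 28 10:29:23 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 192.0.2.7:45287 uid = 0 proto=6
Dec 28 10:29:27 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 192.0.2.7:45301 uid = 0 proto=6
Dec 28 10:29:32 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 192.0.2.7:45322 uid = 0 proto=6
Dec 28 10:29:36 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 192.0.2.7:45340 uid = 0 proto=6
Dec 28 11:02:10 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 198.51.100.9:51000 uid = 0 proto=6
Dec 28 11:05:41 mymac Firewall[59]: Allow sshd-keygen-wrapper connecting from 198.51.100.9:51077 uid = 0 proto=6
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ Firewall\[\d+\]: "
    r"Allow (?P<svc>\S+) connecting from (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
)

def parse_firewall_log(text, year=2007, service="sshd-keygen-wrapper"):
    """Return (timestamp, source_ip, source_port) for each accepted connection
    to `service`; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("svc") != service:
            continue
        stamp = " ".join(m.group("ts").split())          # squeeze "Dec  8" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), int(m.group("port"))))
    return events

def persistent_sources(events, min_hits=3, max_gap_seconds=10):
    """Flag source IPs seen at least min_hits times with every gap at most
    max_gap_seconds: a steady new-port-each-time cadence is a script, not a person."""
    by_ip = defaultdict(list)
    for ts, ip, port in sorted(events):
        by_ip[ip].append((ts, port))
    flagged = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if max(gaps) <= max_gap_seconds:
            flagged[ip] = {"hits": len(hits), "max_gap": max(gaps),
                           "ports": len({p for _, p in hits})}
    return flagged
```

Feed it the real appfirewall.log with `parse_firewall_log(open(path).read())`; lines whose hostname contains spaces, as in the redacted line above, will not match the regex.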
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Dec 28, 2007, 04:01 PM
 
All the different IP addresses make it sound like it's probably just zombie computers feeling blindly for an easy mark rather than some person actively trying to hack you.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 28, 2007, 04:01 PM
 
The IP crosses to "integraonline.com", an ISP for the Western U.S. You might contact them and ask what is going on.

Glenn -----OTR/L, MOT, Tx
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 28, 2007, 04:08 PM
 
You might want to set up your firewall to only allow connections from your remote IP, or look into port knocking. This way, the connection refusals will be handled at the kernel level rather than the network stack level.
     
Cadaver
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
Dec 28, 2007, 05:05 PM
 
The open SSH port is going to act as a magnet to anyone (or anything) looking to gain access - as soon as a useful open port is discovered by port scanners trying out random IP addresses, hackers and zombie PCs will continue to try to access it.
     
~bash $
Forum Regular
Join Date: Feb 2007
Dec 28, 2007, 05:08 PM
 
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.

The two files are called hosts.allow and hosts.deny. There's a nice doc on this at:

HMUG: Unix How Tos

LS caught a remote attempt at a brute force break-in to a non-admin account of mine once; it was apparently a remote IRC server. Anyhow, good luck.

PS. It is my opinion that EVERYONE who enables sshd should be doing this already; ssh attacks are among the most persistent in the Unix/Unix-like world.
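To see what hosts.allow and hosts.deny actually do to an incoming sshd connection, here is an added example (not from the thread or from the HMUG doc) that reproduces the hosts_access(5) decision order over constructed file contents. It assumes sshd is built against libwrap and handles only the address patterns shown (ALL, net/mask, dotted prefix, single address), not hostnames or EXCEPT clauses; the addresses are documentation ranges.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents in hosts_access(5) syntax
# (daemon list, colon, client list). Not files from the post; the
# addresses are RFC 5737 documentation ranges standing in for real ones.
HOSTS_ALLOW = """\
# sshd only from the home LAN and one known office address
sshd: 192.168.1.0/255.255.255.0, 203.0.113.40
"""
HOSTS_DENY = """\
sshd: ALL
"""

def _client_matches(pattern, ip):
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask form
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                # prefix form, e.g. "192.168.1."
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)

def _file_matches(text, daemon, ip):
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemons = {d.strip() for d in daemons.split(",")}
        if not daemons & {daemon, "ALL"}:
            continue
        if any(_client_matches(c, ip) for c in clients.split(",")):
            return True
    return False

def wrapper_allows(daemon, client_ip, allow_text, deny_text):
    """hosts_access decision order: a hosts.allow match grants; otherwise a
    hosts.deny match refuses; otherwise access is granted. That last step is
    the trap: with no 'sshd: ALL' in hosts.deny, hosts.allow restricts nothing."""
    ip = ipaddress.ip_address(client_ip)
    if _file_matches(allow_text, daemon, ip):
        return True
    if _file_matches(deny_text, daemon, ip):
        return False
    return True
```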
     
eggman  (op)
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Dec 28, 2007, 06:29 PM
 
Originally Posted by ~bash $:
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.
Well, damn.

The problem is that I'll sometimes need to access my system remotely when I'm at a client's office... (and I have dozens of clients) so it's not like there's a small set of IP addresses that are well known to me to permit: it's not like there's one office computer that I want to give access to - it's a laptop that's going to be connecting from whatever LAN I have available to me - and that might not even have a static IP.

Originally Posted by besson3c:
You might want to setup your firewall to only allow connections from your remote IP, or look into port knocking.
Port knocking sounds like it could be the ticket... I just wish I could find any indication that there are tools available on the Mac to facilitate the process. So far, not much luck in that regard.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 28, 2007, 10:12 PM
 
Originally Posted by ~bash $:
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.

The two files are called hosts.allow and hosts.deny. There's a nice doc on this at:

HMUG: Unix How Tos

LS caught a remote attempt at a brute force break-in to a non-admin account of mine once; it was apparently a remote IRC server. Anyhow, good luck.

PS. It is my opinion that EVERYONE who enables sshd should be doing this already; ssh attacks are among the most persistent in the Unix/Unix-like world.

Another thing worth entertaining is putting SSH on an alternate port. This does *not* provide any more security, but it may be enough to put a damper on many of the automated scripted attacks.

On a related note, for those interested in securing their systems have you ever looked at the Nessus scanner? If so, any opinions on it?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 28, 2007, 10:13 PM
 
Originally Posted by eggman:
Port knocking sounds like it could be the ticket... I just wish I could find any indication that there are tools available on the Mac to facilitate the process. So far, not much luck in that regard.
If you mean GUI tools, I don't know of any, sorry!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 28, 2007, 10:15 PM
 
eggman: if you decide to explore port knocking, please report back your findings... I haven't really looked into this yet myself, but it's been something I've been interested in for a while!
     
~bash $
Forum Regular
Join Date: Feb 2007
Dec 28, 2007, 11:02 PM
 
VPN is one solution. I don't know a lot about setting it up (hardware), but I do know that if you have a VPN, you can have a nice, restricted IP space once you're connected to your VPN and you can connect from anywhere. It would require that you install a VPN client on each remote machine ....
     
moonmonkey
Professional Poster
Join Date: Jan 2001
Location: Australia
Jan 2, 2008, 07:48 AM
 
Jesus, it's like reading a foreign language.
     
horseflesh
Fresh-Faced Recruit
Join Date: Dec 2007
Jan 3, 2008, 12:03 AM
 
I have run a Unix web server from my home for many, many years... before Unix was in the Mac even. I keep the ssh port open so I can get in. And every day, there are hundreds of login attempts. (and attempts to exploit known weaknesses in PHP applications, and Windows-specific virus attacks, and open mail relay probes, etc etc.)

Big deal. They don't get in.

If your ssh port is visible to the world, you will be fine as long as they can't guess your password. It is BETTER to shield the port as well as you can, that's just good cover-your-ass security practice. But OpenSSH is very mature and if some sort of remote access exploit were found it would be a huge event. If you can't know the IPs you will be coming from, leave it open to everything.

If you would like an extra layer of security, look into ssh authentication via encrypted keys instead of passwords.

OpenSSH Public Key Authentication

You can also change what port ssh listens on. It's not much good but you'll dodge some probes that way. Personally, I do not bother. Probe me. You aren't getting in.

Also, VPN isn't a solution to this non-problem; after all, the VPN port would need to be secured in the same way as the SSH port! It's just another encrypted protocol. VPN is neat though, and if you want full desktop access look into it.

BTW you can probably tunnel a desktop sharing client over your SSH connection. I do that for the Windows remote desktop client.

Good luck!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 3, 2008, 12:14 AM
 
The SSH public key recommendation is an excellent one. Not only is it more convenient to not have to type in your password each time, but it is also more secure (as long as you keep your private key safe), and allows for scripted automation of tasks. If you do this, I might suggest disabling password authentication on SSH. Doing so will eliminate the password entry attempts being attempted by the botnetted machines trying to access your machine.
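Turning off password authentication has one catch worth checking for: sshd also offers keyboard-interactive authentication (ChallengeResponseAuthentication, defaulting to yes), which on a PAM-backed system typically still verifies the account password, so `PasswordAuthentication no` alone is not enough. The following added example (not the poster's code or any OpenSSH tool) parses constructed sshd_config fragments with sshd's first-occurrence-wins rule and reports whether a password could still get someone in; it assumes no Match blocks are in play.

```python
# Constructed sshd_config fragments, not from the post. The first leaves the
# stock commented-out defaults in force; the second is the hardened set.
WEAK_CONFIG = """\
# stock OpenSSH file: the line is a comment, so the default (yes) applies
#PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive (PAM) would otherwise still prompt for the password
ChallengeResponseAuthentication no
"""

# sshd_config(5) defaults for the options checked here
SSHD_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def parse_sshd_config(text):
    """Effective global options: keywords are case-insensitive, the first
    occurrence of a keyword wins, and this simplified parser stops at the
    first Match block (assumption: no per-host overrides are in play)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip().lower()
    return effective

def password_logins_possible(text):
    """True if sshd would still accept a password: either plain password
    authentication, or keyboard-interactive (ChallengeResponseAuthentication;
    KbdInteractiveAuthentication in newer releases), which on a PAM system
    typically checks the same account password."""
    cfg = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    kbd = cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"])
    return cfg["passwordauthentication"] == "yes" or kbd == "yes"
```

Before restarting sshd with the hardened file, confirm a second session still opens with the key; a typo here locks out the remote laptop the thread is trying to keep access for.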
     
eggman  (op)
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Jan 3, 2008, 01:49 AM
 
Thanks, all.

I tried posting earlier and my response apparently got eaten: I looked into port knocking and it'd be more work to set up than I have time for... ultimately, I came to the conclusion articulated by horseflesh. They clearly didn't get in. I have good, strong passwords.

BTW, I have been using public key authentication... but hadn't disabled password authentication.
     