Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-21 Thread Lars Noodén
On 8/21/12 8:20 AM, lina wrote:
 On Tuesday 21,August,2012 02:52 AM, Joe wrote:
 On Mon, 20 Aug 2012 23:56:42 +0800
 lina lina.lastn...@gmail.com wrote:

 On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:38, lina wrote:
 How do I know who has this IP address? why s/he didn't change?

 You probably don't. I don't understand this second question.
 The second question is that for those days, the attacker should
 think of renewing its IP address, not coming from the same one.

 But we don't know whether the attacker is a person or a program which is
 running without the knowledge of the owner of the computer.
 Yes, it's more like a program. But the owner has never shut down the
 computer in this long period; I'm just a bit surprised that it keeps the
 same IP address.





 A DHCP client will normally remember its IP address, even if the lease
 has expired, and on the next connection will request it again. If the
 server hasn't issued it to anyone else, it will normally comply with the
 request. Both server and client can be configured not to do this, but
 in a Windows network it will probably happen to avoid too much need for
 scavenging out-of-date DNS records. Assuming the link between DNS and
 DHCP has been set up properly.

 Or it may be a configured reservation in the DHCP server i.e. some form
 of server itself. Or the client can be explicitly configured to request
 that address, when it is available, but there's very little reason to
 do that when a reservation is a guaranteed method.

 Even if the attacker in this case is a human, it may be difficult or
 impossible to override the network policies. Configuration of
 networking is limited to people with admin credentials; unprivileged
 users cannot even issue a DHCP renewal request other than by rebooting
 the machine.

 The quick answer here is to try: host IP address, which will turn up
 the hostname of the offending machine if the local DNS server is
 properly set up. Or to at least gain the MAC address of the machine, try
 inserting an iptables rule on your machine to log incoming ssh
 connections.
 $ host 172.21.48.161
 Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)
 
 Nmap scan report for 172.21.48.161
 Host is up (0.0021s latency).
 Not shown: 991 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 515/tcp   open  printer
 3389/tcp  open  ms-wbt-server
 5357/tcp  open  wsdapi
 49154/tcp open  unknown
 
 Thanks, I have dropped it in iptables.
[snip]

In general RETURN is more useful than DROP when you have the choice.

http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

But since it is a local machine causing the problem, it should be
possible to go through the network administrator and contact the owner
of the offending machine directly.

Regards,
/Lars


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50332dd8.5040...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-21 Thread Eike Lantzsch
On Monday 20 August 2012 09:59:47 lina wrote:
 Hi,
 
 I ssh to a server which has 400+ users, active ones around 100.
 
 Frankly speaking, I would feel comfortable to hide my IP if possible,
 
 any suggestions (I checked the spoof, but seems not positive),
 
 Thanks with best regards,

Hi lina!

I followed the thread and I wonder why nobody recommended changing sshd to
listen on any other port than 22, e.g. 2424. That will calm down most attacks
/ probing of ssh.
Also I wondered why nobody recommended installing DenyHosts.
I installed it on my OpenBSD gateway and it is quite funny to see which
usernames and passwords are tried to get into the box.
That was with sshd still listening on port 22. Now that it is on another port
there have been no probes whatsoever for about a year. Stupid hacking!

Of course you need to inform your ssh users of the change. If the same
machines on your own network still attack ssh then it should be easy to figure
out which machine is doing that by looking at the MAC address.

Kind regards,
Eike





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-21 Thread lina
On Tuesday 21,August,2012 07:48 PM, Eike Lantzsch wrote:
 On Monday 20 August 2012 09:59:47 lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around 100.

 Frankly speaking, I would feel comfortable to hide my IP if possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,
 
 Hi lina!
 
 I followed the thread and I wonder why nobody recommended to change sshd to 
 listen on any other port than 22, e.g. 2424. That will calm down most attacks 
 / probing of ssh.

That's very nice of you. I guess by default many people had already changed
that port, and they thought I would have realized earlier that it's one
way of facing it.

Well, I just changed sshd_config to some other port and also changed
the iptables rules.
 Also I wondered why nobody recommended to install DenyHosts?
Will install it.
 I installed it on my OpenBSD gateway and it is quite funny to see which 
 usernames and passwords are tried to get into the box.
 That was with sshd still listening on port 22. Now that it is on another port 
 there were no probes whatever for about a year. Stupid hacking!
 
 Of course you need to inform your ssh users of the change. If the same 
 machines on your own network still attack ssh than it should be easy to 
 figure 
 out which machine is doing that by looking at the MAC-address.
Quite interesting; how can I know its MAC address?

Today I sent the email to the administrator; here I quote what he answered
me: "Do you wish to change password just to be sure? Once you change, you
let me know, I'll rsync all the password file. It could be a robot."

So I think it's better not to bother him much. He didn't address the questions
I asked, and he suggested that I should change the password on those servers.

Best regards, and also thanks all for your time and valuable suggestions,
 
 Kind regards,
 Eike
 
 





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-21 Thread Eike Lantzsch
On Tuesday 21 August 2012 08:09:22 lina wrote:
 On Tuesday 21,August,2012 07:48 PM, Eike Lantzsch wrote:
  On Monday 20 August 2012 09:59:47 lina wrote:
  Hi,
  
  I ssh to a server which has 400+ users, active ones around 100.
  
  Frankly speaking, I would feel comfortable to hide my IP if possible,
  
  any suggestions (I checked the spoof, but seems not positive),
  
  Thanks with best regards,
  
  Hi lina!
  
  I followed the thread and I wonder why nobody recommended to change sshd
  to listen on any other port than 22, e.g. 2424. That will calm down most
  attacks / probing of ssh.
 
 That's very nice of you, I guess default many people had already changed
 that port, and they thought I would have realized that earlier it's one
 way of facing it.
 
 Well, I just made the change to the sshd_config to some other port and
 also changed the iptables.
 
  Also I wondered why nobody recommended to install DenyHosts?
 
 will install it.
 
  I installed it on my OpenBSD gateway and it is quite funny to see which
  usernames and passwords are tried to get into the box.
  That was with sshd still listening on port 22. Now that it is on another
  port there were no probes whatever for about a year. Stupid hacking!
  
  Of course you need to inform your ssh users of the change. If the same
  machines on your own network still attack ssh than it should be easy to
  figure out which machine is doing that by looking at the MAC-address.
 
 quite interesting, how can I know its MAC address.
arp -a

and do have a look at http://denyhosts.sourceforge.net/

 
 Today I sent the email to administrator, here quote what he answered
 me:Do you wish to change password just to be sure? Once you change, you
 let me know, I'll rsync all the password file. It could be a robot.
 
 So I think it's better not bother him much. he didn't talk the questions
 I asked and he referred that I should change password of those servers.
 
 Best regards, and also thanks all for your time and valuable suggestions,
 
Again kind regards,
Eike

-- 
Eike Lantzsch ZP6CGE
Casilla de Correo 1519
1209 Asuncion / Paraguay





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-21 Thread Chris Bannister
On Tue, Aug 21, 2012 at 01:39:42PM +0800, lina wrote:
 I felt I made some mistakes before, like put the public keys from those
 servers into my own laptop, just for the convenience of connection.
 I am on my way correcting my mistakes.

Public keys are meant to be public; it's the secret/private key(s) you
should be protecting.

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,
 
 I ssh to a server which has 400+ users, active ones around 100.
 
 Frankly speaking, I would feel comfortable to hide my IP if possible,
 
 any suggestions (I checked the spoof, but seems not positive),
 
 Thanks with best regards,
 
 
Another question: how do I know whether some people are attempting to
invade my laptop? My username and IP are all exposed there.


I do know very little,

Thanks again,





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Gaël DONVAL
Le lundi 20 août 2012 à 22:02 +0800, lina a écrit :
 On Monday 20,August,2012 09:59 PM, lina wrote:
  Hi,
  
  I ssh to a server which has 400+ users, active ones around 100.
  
  Frankly speaking, I would feel comfortable to hide my IP if possible,
  
  any suggestions (I checked the spoof, but seems not positive),
 Another question, how do I know whether there are some people are
 attempting to invade my laptop, my username, ip are all exposed there.

An IP address is like your (real) home address.
You are free to send a letter without your true home address on it. You
can spoof it. But then, don't expect a reply: if one is sent, the
recipient would be the one whose address has been spoofed by you.

ssh is like a mail correspondence between you and the remote server: if
you spoof your IP address, you won't be able to use it because you won't
get any reply.

As well, I guess knowing a home address has never helped any robber to
break into a house.





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Camaleón
On Mon, 20 Aug 2012 21:59:47 +0800, lina wrote:

 I ssh to a server which has 400+ users, active ones around 100.
 
 Frankly speaking, I would feel comfortable to hide my IP if possible,
 
 any suggestions (I checked the spoof, but seems not positive),

You mean to hide your ssh remote connecting IP address? If you have
several outgoing network devices you can choose between them to establish
a connection by means of the -b argument.

Also, Google seems to return a bunch of results:

http://en.lmgtfy.com/?q=ssh+fake+ip+address

Anyway, I wonder what it is you're afraid of. You can hide your originating
IP but your username and your activities can still be tracked, at least by
the admins :-)

Greetings,

-- 
Camaleón





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Mika Suomalainen

On 20.08.2012 16:59, lina wrote:
 
 I ssh to a server which has 400+ users, active ones around 100.
 
 Frankly speaking, I would feel comfortable to hide my IP if
 possible,
 
 any suggestions (I checked the spoof, but seems not positive),

Try proxychains and tor. [Homepage] of proxychains says
* Run SSH, telnet, wget, ftp, apt, vnc, nmap through proxy servers.

[Homepage]:http://proxychains.sourceforge.net/





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Mika Suomalainen

On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,
 
 I ssh to a server which has 400+ users, active ones around
 100.
 
 Frankly speaking, I would feel comfortable to hide my IP if
 possible,
 
 any suggestions (I checked the spoof, but seems not positive),
 
 Thanks with best regards,
 
 
 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.

If you have SSHd and that is what you are worried about, grep for ssh in
/var/log/auth.log.
I'm not sure whether that requires the loglevel being VERBOSE in sshd_config.

And you might also want to install something like SSHGuard (package
sshguard) to protect your SSHd and other services, which it protects
from attackers. http://www.sshguard.net/





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
On Mon, 2012-08-20 at 16:22 +0200, Gaël DONVAL wrote:
 Le lundi 20 août 2012 à 22:02 +0800, lina a écrit :
  On Monday 20,August,2012 09:59 PM, lina wrote:
   Hi,
   
   I ssh to a server which has 400+ users, active ones around 100.
   
   Frankly speaking, I would feel comfortable to hide my IP if possible,
   
   any suggestions (I checked the spoof, but seems not positive),
  Another question, how do I know whether there are some people are
  attempting to invade my laptop, my username, ip are all exposed there.
 
 An IP address is like your (real) home address. [snip]

No it's not, it's still secret enough for average usage. Only a court is
able to allow that your IP becomes as open as your (real) home address,
and that just to a small group of known people. Everybody has a right to a
private sphere and IP addresses keep the private sphere. If you plan to bomb
the Deutsche Parlament, then don't worry about security issues regarding
the IP address. If so, you need completely different security than
hiding your IP. If you, Lina, worry about stalking from an ex-boyfriend, then
the IP address is something that he doesn't need, since he knows too
much about you that is much more informative, such as how and where you live
today. Conspiracy, stalking etc. does happen, but usually nobody needs
an IP. Idiots such as lawyers need an IP, to sue fans of mainstream
pop-rock bands. The Federal (German) Intelligence Service prefers
profilers.

Read the magazine conspiracy theorist today :p.

Regards,
Ralf





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
 On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.
 
 If you have SSHd and that is what you are worried about, grep ssh from
 /var/log/auth.log .

This is the first time I've known about auth.log.

Aug 20 16:06:14 Debian sshd[10509]: Did not receive identification string from 172.21.48.161
Aug 20 16:06:42 Debian sshd[10510]: Invalid user administrator from 172.21.48.161
Aug 20 16:06:43 Debian sshd[10510]: Failed password for invalid user administrator from 172.21.48.161 port 56139 ssh2
Aug 20 16:06:44 Debian sshd[10510]: Connection closed by 172.21.48.161 [preauth]

172.21.48.161 is not the IP of any of the servers I connected to,
and for ssh I use public keys to connect to the server; I don't use a password.
For the whole day I didn't shut down the laptop; 172.21.50.108 is its
IP, and furthermore I checked
# more syslog | grep 172.21.48.161
# more syslog.1 | grep 172.21.48.161
and my laptop has never been bound to this IP before.

I don't know whether I should be a bit appalled or not.

 I'm not sure does that require loglevel being VERBOSE in sshd_config.
 
 And you might also want to install something like SSHGuard (package
 sshguard) to protect your SSHd and other services, which it protects
 from attackers. http://www.sshguard.net/
Thanks very much.

Best regards,
 
 





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Lars Noodén
It looks like it is possible to use Tor as a proxy:

http://www.howtoforge.com/anonymous-ssh-sessions-with-tor

If this document is correct, it is very easy to set up.  That would
obfuscate the ip number you are connecting from by adding a jump in the
middle.  The target server would only see that last step.

Regards,
/Lars





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
 On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.
 
 If you have SSHd and that is what you are worried about, grep ssh from
 /var/log/auth.log .

BTW, what is 172.21.48.161? It seems the old auth.log* files also have
this one.

# zmore auth.log.2.gz | grep 172.21.48.161
Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
Aug  5 16:05:40 Debian sshd[15370]: Connection closed by 172.21.48.161 [preauth]
Aug  6 04:04:45 Debian sshd[19015]: Did not receive identification string from 172.21.48.161
Aug  6 04:05:09 Debian sshd[19016]: Invalid user administrator from 172.21.48.161
Aug  6 04:05:09 Debian sshd[19016]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  6 04:05:10 Debian sshd[19016]: Failed password for invalid user administrator from 172.21.48.161 port 59847 ssh2
Aug  6 04:05:11 Debian sshd[19016]: Connection closed by 172.21.48.161 [preauth]
Aug  6 16:06:08 Debian sshd[23030]: Did not receive identification string from 172.21.48.161
Aug  6 16:06:29 Debian sshd[23032]: Invalid user administrator from 172.21.48.161
Aug  6 16:06:29 Debian sshd[23032]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  6 16:06:31 Debian sshd[23032]: Failed password for invalid user administrator from 172.21.48.161 port 49880 ssh2
Aug  6 16:06:32 Debian sshd[23032]: Connection closed by 172.21.48.161 [preauth]
Aug  7 04:04:44 Debian sshd[916]: Did not receive identification string from 172.21.48.161
Aug  7 04:05:07 Debian sshd[917]: Invalid user administrator from 172.21.48.161
Aug  7 04:05:07 Debian sshd[917]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  7 04:05:09 Debian sshd[917]: Failed password for invalid user administrator from 172.21.48.161 port 55548 ssh2
Aug  7 04:05:23 Debian sshd[917]: Connection closed by 172.21.48.161 [preauth]

Thanks again,

Best regards,


 I'm not sure does that require loglevel being VERBOSE in sshd_config.
 
 And you might also want to install something like SSHGuard (package
 sshguard) to protect your SSHd and other services, which it protects
 from attackers. http://www.sshguard.net/
 
 


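As an added example, not from any post in this thread: a Python script that classifies sshd auth.log lines of the form lina pasted above, tallies them per source host, notes whether the host is a private RFC 1918 address (the point of the whois answer elsewhere in the thread) and flags hosts whose failed logins recur on several days at one or two fixed hours, which is the clockwork pattern lina noticed. The probe lines in the sample follow the excerpts above (syslog timestamps carry no year, so 2012 is assumed); the final successful-login line and the function and regex names are my own.

```python
"""Tally sshd login probes per source host from auth.log lines (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Syslog prefix followed by the sshd message, as in the auth.log excerpts above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# sshd message bodies we classify; the "host" group is the peer address in each.
EVENT_RES = {
    "no_ident": re.compile(r"^Did not receive identification string from (?P<host>\S+)"),
    "invalid_user": re.compile(r"^Invalid user (?P<user>\S+) from (?P<host>\S+)"),
    "failed_password": re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"),
    "accepted": re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+"),
}

# Sample lines: the probe lines follow the auth.log excerpts posted in this thread;
# the final successful login is constructed for contrast.
SAMPLE_LOG = """\
Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
Aug  6 04:04:45 Debian sshd[19015]: Did not receive identification string from 172.21.48.161
Aug  6 04:05:09 Debian sshd[19016]: Invalid user administrator from 172.21.48.161
Aug  6 04:05:10 Debian sshd[19016]: Failed password for invalid user administrator from 172.21.48.161 port 59847 ssh2
Aug  7 04:04:44 Debian sshd[916]: Did not receive identification string from 172.21.48.161
Aug  7 04:05:07 Debian sshd[917]: Invalid user administrator from 172.21.48.161
Aug  7 04:05:09 Debian sshd[917]: Failed password for invalid user administrator from 172.21.48.161 port 55548 ssh2
Aug 20 16:06:14 Debian sshd[10509]: Did not receive identification string from 172.21.48.161
Aug 20 16:06:42 Debian sshd[10510]: Invalid user administrator from 172.21.48.161
Aug 20 16:06:43 Debian sshd[10510]: Failed password for invalid user administrator from 172.21.48.161 port 56139 ssh2
Aug 20 09:12:01 Debian sshd[10600]: Accepted publickey for lina from 172.21.50.1 port 50012 ssh2
"""


def parse_line(line, year=2012):
    """Return (timestamp, kind, host, user), or None for lines we do not classify."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (2012 assumed).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for kind, rx in EVENT_RES.items():
        e = rx.match(m.group("msg"))
        if e:
            return ts, kind, e.group("host"), e.groupdict().get("user")
    return None


def summarize(lines, year=2012):
    """Per-host event counts, usernames tried, distinct days and hours of day seen."""
    hosts = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, kind, host, user = parsed
        if host not in hosts:
            hosts[host] = {
                "kinds": Counter(), "users": set(), "days": set(), "hours": set(),
                # whois answers "RFC1918 reserved" for 172.16.0.0/12: a private
                # address means the peer sits on the same local network.
                "private": ipaddress.ip_address(host).is_private,
            }
        h = hosts[host]
        h["kinds"][kind] += 1
        if user:
            h["users"].add(user)
        h["days"].add(ts.date())
        h["hours"].add(ts.hour)
    return hosts


def suspicious_hosts(summary, min_days=3, max_hours=2):
    """Hosts with only failed logins (unknown users or bad passwords) recurring on
    several days at one or two fixed hours: a scheduled scanner, not a typo."""
    flagged = []
    for host, h in summary.items():
        failures = h["kinds"]["failed_password"] + h["kinds"]["invalid_user"]
        if (failures and h["kinds"]["accepted"] == 0
                and len(h["days"]) >= min_days and len(h["hours"]) <= max_hours):
            flagged.append(host)
    return sorted(flagged)


def report(log_text=SAMPLE_LOG):
    """Print a per-host summary and return the list of flagged hosts."""
    summary = summarize(log_text.splitlines())
    for host, h in summary.items():
        where = "local network" if h["private"] else "external"
        print(f"{host} ({where}): {dict(h['kinds'])} users={sorted(h['users'])} "
              f"days={len(h['days'])} hours={sorted(h['hours'])}")
    flagged = suspicious_hosts(summary)
    for host in flagged:
        print(f"{host}: failed logins on a fixed schedule; block it and tell the admin")
    return flagged


if __name__ == "__main__":
    report()
```

Feed it a real file with `report(open("/var/log/auth.log").read())`; rotated `auth.log.N.gz` files need `gzip.open(...).read().decode()` first.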



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Darac Marjal
On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
 On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
  On 20.08.2012 17:02, lina wrote:
  On Monday 20,August,2012 09:59 PM, lina wrote:
  Hi,
 
  I ssh to a server which has 400+ users, active ones around
  100.
 
  Frankly speaking, I would feel comfortable to hide my IP if
  possible,
 
  any suggestions (I checked the spoof, but seems not positive),
 
  Thanks with best regards,
 
 
  Another question, how do I know whether there are some people are 
  attempting to invade my laptop, my username, ip are all exposed
  there.
  
  If you have SSHd and that is what you are worried about, grep ssh from
  /var/log/auth.log .
 
 BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
 one.

You need to ask, not what is, but who is. More specifically:

$ whois 172.21.48.161
[...]
NetRange:   172.16.0.0 - 172.31.255.255
CIDR:   172.16.0.0/12
OriginAS:
NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
NetHandle:  NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType:IANA Special Use
[...]

In other words, it's someone else on your network.

[cut]
 
 Thanks again,
 
 Best regards,
 
 
  I'm not sure does that require loglevel being VERBOSE in sshd_config.
  
  And you might also want to install something like SSHGuard (package
  sshguard) to protect your SSHd and other services, which it protects
  from attackers. http://www.sshguard.net/
  
  
 
 




Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
 On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
 On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
 On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.

 If you have SSHd and that is what you are worried about, grep ssh from
 /var/log/auth.log .

 BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
 one.
 
 You need to ask, not what is, but who is. More specifically:
 
 $ whois 172.21.48.161
 [...]
 NetRange:   172.16.0.0 - 172.31.255.255
 CIDR:   172.16.0.0/12
 OriginAS:
 NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
 NetHandle:  NET-172-16-0-0-1
 Parent: NET-172-0-0-0-0
 NetType:IANA Special Use
 [...]
 
 In other words, it's someone else on your network.

So I have been under regular attacks recently, a very gentle attack, only
trying a few times each day?

How do I know who has this IP address? Why didn't s/he change it?

Unbelievable; I hope I am wrong here.

Best regards,
 
 [cut]

 Thanks again,

 Best regards,


 I'm not sure does that require loglevel being VERBOSE in sshd_config.

 And you might also want to install something like SSHGuard (package
 sshguard) to protect your SSHd and other services, which it protects
 from attackers. http://www.sshguard.net/










Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Mika Suomalainen

On 20.08.2012 18:15, lina wrote:
 BTW, what is the 172.21.48.161, seems in the old auth.log* also has
 this one.
 
 # zmore auth.log.2.gz | grep 172.21.48.161
 Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
 Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
 Aug  5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
 Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
...

To me it looks like a bot which is trying to guess usernames and
passwords for your system.
If you had sshguard or something similar installed, you would also see
a message about that host being banned because of failed authentications.

 Thanks again,

You're welcome :)





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Mika Suomalainen

On 20.08.2012 18:31, lina wrote:
 So I am under regular attacks recently, very gentle attack, only
 tried few times each day?

At least your auth.log says so and it shouldn't lie.

 How do I know who has this IP address? why s/he didn't change?

You probably don't. I don't understand this second question.





Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 11:33 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:15, lina wrote:
 BTW, what is the 172.21.48.161, seems in the old auth.log* also has
 this one.
 
 # zmore auth.log.2.gz | grep 172.21.48.161
 Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
 Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
 Aug  5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
 Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
 ...
 
 For me it looks like a bot, which is trying to guess usernames and
 passwords to your system.
 If you had sshguard or something similar installed, you would also see
 message about that host being banned, because of failed authentications.

I have just installed sshguard.

I checked the times of the connection attempts from this IP; they're quite
regular, more like some program doing those things.



Thanks again,

 
 Thanks again,
 
 You're welcome :)
 
 


Archive: http://lists.debian.org/50325992.1060...@gmail.com
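An added example, not code from the thread: it runs the grep over auth.log that Mika suggests, but also profiles the "Failed password" lines per source host and per hour of day, to test the regularity lina describes. The log lines, the second address 10.0.0.5 and the PIDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise sshd "Failed password"
# lines from /var/log/auth.log per source host and per hour of day, to check
# whether a host's attempts look scheduled rather than interactive.
# Usage on a live system: failed_by_host < /var/log/auth.log

# Constructed sample in the auth.log format quoted in the thread. The source
# 172.21.48.161 is the address from the thread; 10.0.0.5, the PIDs and the
# Aug 6/7 lines are made up for the example.
SAMPLE_AUTH_LOG='Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
Aug  6 04:05:09 Debian sshd[15402]: Failed password for invalid user admin from 172.21.48.161 port 55010 ssh2
Aug  6 16:06:29 Debian sshd[15430]: Failed password for invalid user administrator from 172.21.48.161 port 55021 ssh2
Aug  7 16:08:11 Debian sshd[15461]: Failed password for invalid user administrator from 172.21.48.161 port 55033 ssh2
Aug  7 16:08:13 Debian sshd[15461]: Failed password for invalid user administrator from 172.21.48.161 port 55033 ssh2
Aug  7 11:22:03 Debian sshd[15470]: Failed password for lina from 10.0.0.5 port 40122 ssh2'

# failed_by_host: read auth.log on stdin, print "count host" for each source
# of "Failed password" lines, most frequent first.
failed_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (h in hits) print hits[h], h }' | sort -rn
}

# failed_events HOST: read auth.log on stdin, print "month day hour" for
# every "Failed password" line whose source is HOST.
failed_events() {
    awk -v host="$1" '/sshd\[[0-9]+\]: Failed password for / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            if (src == host) print $1, $2, substr($3, 1, 2)
        }'
}

# hour_profile HOST: print "hour attempts distinct_days" for each hour of the
# day in which HOST produced failures, sorted by hour.
hour_profile() {
    failed_events "$1" | awk '{
            n[$3]++
            if (!(($3, $1, $2) in seen)) { seen[$3, $1, $2] = 1; days[$3]++ }
        }
        END { for (h in n) print h, n[h], days[h] }' | sort
}

# looks_scheduled HOST: exit 0 when HOST's failures span at least 3 distinct
# days but fall into at most 2 distinct hours of the day, i.e. the same clock
# time day after day, which points at a cron job or a bot rather than a person.
looks_scheduled() {
    failed_events "$1" | awk '{ hours[$3] = 1; days[$1 " " $2] = 1 }
        END {
            nh = 0; for (h in hours) nh++
            nd = 0; for (d in days) nd++
            exit !(nd >= 3 && nh <= 2)
        }'
}

# Run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_host
printf '%s\n' "$SAMPLE_AUTH_LOG" | hour_profile 172.21.48.161
if printf '%s\n' "$SAMPLE_AUTH_LOG" | looks_scheduled 172.21.48.161; then
    echo "172.21.48.161: attempts look scheduled"
fi
```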



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:31, lina wrote:
 So I am under regular attacks recently, very gentle attacks, only
 tried a few times each day?
 
 At least your auth.log says so and it shouldn't lie.
 
 How do I know who has this IP address? why s/he didn't change?
 
 You probably don't. I don't understand this second question.

The second question is that over those days, the attacker should think of
renewing its IP address, not keep coming from the same one.
 
 


Archive: http://lists.debian.org/503259e5.2070...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Mika Suomalainen

On 20.08.2012 18:38, lina wrote:
 How do I know who has this IP address? why s/he didn't change?
 
 You probably don't. I don't understand this second question.
 The second question is that for those days, the attacker should
 think of renew its ip address. not from the same one.

But we don't know whether the attacker is a person or a program which is
running without the knowledge of the owner of the computer.


Archive: http://lists.debian.org/50325ba8.9000...@users.sourceforge.net



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:38, lina wrote:
 How do I know who has this IP address? why s/he didn't change?

 You probably don't. I don't understand this second question.
 The second question is that for those days, the attacker should
 think of renew its ip address. not from the same one.
 
 But we don't know whether the attacker is a person or a program which is
 running without the knowledge of the owner of the computer.
Yes, it's more like a program. But the owner in this long period has
never shut down the computer; just a bit surprised that it keeps the same
IP address.

 


Archive: http://lists.debian.org/50325e3a.2010...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Gaël DONVAL
Le lundi 20 août 2012 à 23:38 +0800, lina a écrit :
 On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
  On 20.08.2012 18:31, lina wrote:
  So I am under regular attacks recently, very gentle attack, only
  tried few times each day?
Too few attempts, none succeeded. Something on your network might be
misconfigured. If you really want to be safe with ssh, be sure root
login is disabled, switch to certificate-based authentication and disable
password authentication.
 
  How do I know who has this IP address?
Is that on a personal network? Can you access your router logs?

 The second question is that for those days, the attacker should think of
 renew its ip address. not from the same one.
Not necessarily: my router for instance associates IP addresses with MAC
addresses in a static way.



Archive: http://lists.debian.org/1345481319.4593.116.ca...@p76-nom-gd.cnrs-imn.fr
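As an added example (not from the thread), a small audit of the three sshd_config settings Gaël names. The two config files are constructed, and the parser follows sshd's own reading rules as assumed here: the first value for a keyword wins, keywords are case-insensitive, whole lines starting with # are comments, and a Match line ends the global section.

```shell
#!/bin/sh
# Added example, not code from the thread: report the effective global value
# of sshd_config keywords and audit the settings recommended above (root login
# off, password authentication off, public-key authentication on).
# Usage on a live system: audit_sshd /etc/ssh/sshd_config

# sshd_global FILE KEYWORD: print the effective global value, or "unset".
sshd_global() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                # whole-line comments only, as sshd
        { sub(/=/, " ") }                  # allow the "Keyword=value" spelling
        NF == 0 { next }
        tolower($1) == "match" { exit }    # the global section ends here
        tolower($1) == want && !found { found = 1; print $2 }
        END { if (!found) print "unset" }' "$1"
}

# audit_sshd FILE: print one OK/FAIL line per setting; the exit status is the
# number of failures, so the function can be used directly in a condition.
audit_sshd() {
    cfg=$1; fails=0
    for rule in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes; do
        key=${rule%%:*}; want=${rule##*:}
        have=$(sshd_global "$cfg" "$key")
        # OpenSSH enables public-key authentication when the keyword is
        # absent; the other two must be set explicitly because their
        # defaults differ between versions.
        if [ "$key" = PubkeyAuthentication ] && [ "$have" = unset ]; then
            have=yes
        fi
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key $have (want $want)"
            fails=$((fails + 1))
        fi
    done
    # A Match block can re-enable passwords for some users or hosts; the
    # global audit above does not see it, so at least say it is there.
    if grep -Eiq '^[[:space:]]*match[[:space:]]' "$cfg"; then
        echo "NOTE Match block present: per-user/host overrides not audited"
    fi
    return "$fails"
}

# Constructed sample configs (temporary files, not real system paths).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: password logins and root login allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: the advice from the thread written out; keyword case does not
# matter, "Keyword=value" is also accepted, and the first value wins
Port 22
permitrootlogin no
PubkeyAuthentication=yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd "$WEAK_CFG" || echo "weak config: $? setting(s) to fix"
audit_sshd "$HARD_CFG" && echo "hardened config: all checks passed"
```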



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Lisi
On Monday 20 August 2012 16:56:42 lina wrote:
 just a bit surprised that it keeps the same
 ip address.

Why?

Lisi


Archive: http://lists.debian.org/201208201757.27158.lisi.re...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
On Mon, 2012-08-20 at 23:56 +0800, lina wrote:
 On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
  On 20.08.2012 18:38, lina wrote:
  How do I know who has this IP address? why s/he didn't change?
 
  You probably don't. I don't understand this second question.
  The second question is that for those days, the attacker should
  think of renew its ip address. not from the same one.
  
  But we don't know is the attacker a person or a program, which is
  running without knowledge of the owner of computer.
 Yes, it's more like a program. but the owner in this long period has
 never shutdown the computer, just a bit surprised that it keeps the same
 ip address.

I didn't follow the thread. I recommend using some network protocol
analyzer; OTOH such software can become an additional security risk,
e.g. http://wiki.wireshark.org/Security



Archive: http://lists.debian.org/1345482629.1285.56.camel@localhost.localdomain



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
 It looks like it is possible to use Tor as a proxy:
 
 http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
 
 If this document is correct, it is very easy to set up.  That would
 obfuscate the ip number you are connecting from by adding a jump in the
 middle.  The target server would only see that last step.

I followed the instructions from the link, but during connection it showed me:

[warn] Got SOCKS5 status response '4': host is unreachable
/bin/bash: line 0: exec: connect: not found
ssh_exchange_identification: Connection closed by remote host

kind of tricky?
 
 Regards,
 /Lars
 
 


Archive: http://lists.debian.org/5032656f.20...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
Now I read some more mails of this thread.

It's not surprising that everybody connected to the Internet is
attacked. Authentication failure doesn't lead to a serious issue, but
vice versa it says the attacks were useless. And I'm sure they will be
useless in the future too.

Lina, perhaps you are oversensitive. Understandable, but less good for
your blood pressure ;).

Sometimes less is more.

I know at least one person who forced auto-logout for root terminal
sessions, if root didn't use the terminal for a minute ;).

Such thoughts aren't paranoid, but they IMHO are oversensitive.

2 Cents,
Ralf


Archive: http://lists.debian.org/1345487641.1285.71.camel@localhost.localdomain



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Joe
On Mon, 20 Aug 2012 23:56:42 +0800
lina lina.lastn...@gmail.com wrote:

 On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
  On 20.08.2012 18:38, lina wrote:
  How do I know who has this IP address? why s/he didn't change?
 
  You probably don't. I don't understand this second question.
  The second question is that for those days, the attacker should
  think of renew its ip address. not from the same one.
  
  But we don't know is the attacker a person or a program, which is
  running without knowledge of the owner of computer.
 Yes, it's more like a program. but the owner in this long period has
 never shutdown the computer, just a bit surprised that it keeps the
 same ip address.
 
  
 
 

A DHCP client will normally remember its IP address, even if the lease
has expired, and on the next connection will request it again. If the
server hasn't issued it to anyone else, it will normally comply with the
request. Both server and client can be configured not to do this, but
in a Windows network it will probably happen to avoid too much need for
scavenging out-of-date DNS records. Assuming the link between DNS and
DHCP has been set up properly.

Or it may be a configured reservation in the DHCP server i.e. some form
of server itself. Or the client can be explicitly configured to request
that address, when it is available, but there's very little reason to
do that when a reservation is a guaranteed method.

Even if the attacker in this case is a human, it may be difficult or
impossible to override the network policies. Configuration of
networking is limited to people with admin credentials, unprivileged
users cannot even issue a DHCP renewal request other than by rebooting
the machine.

The quick answer here is to try: host IP address, which will turn up
the hostname of the offending machine if the local DNS server is
properly set up. Or to at least gain the MAC address of the machine, try
inserting an iptables rule on your machine to log incoming ssh
connections.

e.g. in your INPUT chain, just before the ssh -j ACCEPT command:

iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug \
    --log-prefix "SSH IN: "

which will normally log to syslog and also /var/log/debug. I'd have
thought the network admin would keep a list of MAC addresses on the
network. In fact, the easiest answer of all is for the admin to look at
the DHCP and DNS server records.

Or there are programs which will scan the network for hostnames, MAC
addresses and open ports, but I couldn't possibly suggest the use of
such software, which may well be a hanging offence in some places. On
the other hand, they're harbouring an ssh worm...

-- 
Joe


Archive: http://lists.debian.org/20120820195214.3d2db...@jretrading.com
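An added example, not Joe's or the list's code: it reads the kernel log lines that a LOG rule with the prefix "SSH IN: " produces, pulls out the source MAC address Joe mentions, counts new connections per source, and flags an IP that shows up with more than one MAC. The log lines, MAC addresses, DST address and timestamps are constructed; the prefix string is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: extract the source IP and source
# MAC from the kernel log lines produced by an iptables LOG rule, count new
# (SYN) connections per source and flag any IP seen with more than one MAC.
# Usage on a live system: ssh_in_summary < /var/log/kern.log
# The --log-prefix of the rule is assumed to be "SSH IN: ".

# Constructed sample lines in the iptables LOG format. 172.21.48.161 is the
# address from the thread; the MACs, DST address and timestamps are made up.
# In the MAC= field the first six octets are the destination MAC, the next
# six the source MAC and the last two the EtherType (08:00 = IPv4).
SAMPLE_KERN_LOG='Aug 20 16:07:31 Debian kernel: [1200.100] SSH IN: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=101 DF PROTO=TCP SPT=54999 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 20 16:07:31 Debian kernel: [1200.105] SSH IN: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=102 DF PROTO=TCP SPT=54999 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0
Aug 20 16:07:52 Debian kernel: [1221.300] SSH IN: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=103 DF PROTO=TCP SPT=55010 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 20 18:00:01 Debian kernel: [7950.000] SSH IN: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:aa:bb:cc:dd:ee:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 18:30:00 Debian kernel: [9750.000] SSH IN: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:01:02:03:08:00 SRC=172.21.48.77 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=105 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# ssh_new_connections: read the kernel log on stdin, print "src_ip src_mac"
# for every packet that opens a connection (SYN set, ACK clear); packets of
# established connections are skipped so one attempt counts once.
ssh_new_connections() {
    awk '/SSH IN: / {
            src = ""; mac = "-"; syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^MAC=/) {
                    n = split(substr($i, 5), o, ":")
                    if (n >= 12)
                        mac = o[7] ":" o[8] ":" o[9] ":" o[10] ":" o[11] ":" o[12]
                }
                if ($i == "SYN") syn = 1
                if ($i == "ACK") ack = 1
            }
            if (src != "" && syn && !ack) print src, mac
        }'
}

# ssh_in_summary: "count src_ip src_mac", busiest source first.
ssh_in_summary() {
    ssh_new_connections | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# ip_mac_conflicts: IPs that arrived from more than one MAC. On a LAN that
# means the address moved between machines (DHCP reissue) or the sender is
# spoofing; either way the IP alone no longer identifies the host.
ip_mac_conflicts() {
    ssh_new_connections | sort -u |
        awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }'
}

printf '%s\n' "$SAMPLE_KERN_LOG" | ssh_in_summary
printf '%s\n' "$SAMPLE_KERN_LOG" | ip_mac_conflicts
```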



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Lars Noodén
On 8/20/12 7:27 PM, lina wrote:
 On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
 It looks like it is possible to use Tor as a proxy:

 http://www.howtoforge.com/anonymous-ssh-sessions-with-tor

 If this document is correct, it is very easy to set up.  That would
 obfuscate the ip number you are connecting from by adding a jump in the
 middle.  The target server would only see that last step.
 
 I followed the instruction from link, but during connection it showed me:
 
 [warn] Got SOCKS5 status response '4': host is unreachable
 /bin/bash: line 0: exec: connect: not found
 ssh_exchange_identification: Connection closed by remote host
[snip]

The package connect-proxy contains the utility connect.  That has to be
installed.  You might also consider using Vidalia to manage Tor.

Regards,
/Lars


Archive: http://lists.debian.org/50328b41.9010...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread John
On 20/08/12, Joe (j...@jretrading.com) wrote:
 On Mon, 20 Aug 2012 23:56:42 +0800
 lina lina.lastn...@gmail.com wrote:
  On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
 ...
 e.g. in your INPUT chain, just before the ssh -j ACCEPT command:
 
 iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug \
     --log-prefix "SSH IN: "

Or just add the intruder's address in place of xxx.etc in
/etc/init.d/iptables.rules:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

Works only for the one, of course.

-- 
johnrchamp...@wowway.com

GPG key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63




Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
On Mon, 2012-08-20 at 22:08 +0300, Lars Noodén wrote:
 On 8/20/12 7:27 PM, lina wrote:
  On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
  It looks like it is possible to use Tor as a proxy:
 
  http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
 
  If this document is correct, it is very easy to set up.  That would
  obfuscate the ip number you are connecting from by adding a jump in the
  middle.  The target server would only see that last step.
  
  I followed the instruction from link, but during connection it showed me:
  
  [warn] Got SOCKS5 status response '4': host is unreachable
  /bin/bash: line 0: exec: connect: not found
  ssh_exchange_identification: Connection closed by remote host
 [snip]
 
 The package connect-proxy contains the utility connect.  That has to be
 installed.  You might also consider using Vidalia to manage Tor.
 
 Regards,
 /Lars

I thought using tor was a joke :( or a hint, that too much security at
some point really is too much. I don't have much knowledge about the
Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
just for surfing the web. It's not usable for serious work.


Archive: http://lists.debian.org/1345490303.1285.78.camel@localhost.localdomain



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Lars Noodén
On 8/20/12 10:18 PM, Ralf Mardorf wrote: On Mon, 2012-08-20 at 22:08
[snip]
 I thought using tor was a joke :( or a hint, that too much security at
 some point really is too much. I don't have much knowledge about the
 Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
 Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
 just for surfing the web. It's not usable for serious work.

Tor is intended for privacy, not security, and fulfills that reasonably
well when used for web browsing.  I'm not sure though of a use-case for
combining it with SSH beyond the obvious 'because I can'.

Regards,
/Lars


Archive: http://lists.debian.org/50328e89.7040...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
 On 8/20/12 10:18 PM, Ralf Mardorf wrote: On Mon, 2012-08-20 at 22:08
 [snip]
  I thought using tor was a joke :( or a hint, that too much security at
  some point really is too much. I don't have much knowledge about the
  Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
  Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
  just for surfing the web. It's not usable for serious work.
 
 Tor is intended for privacy, not security, and fulfills that reasonably
 well when used for web browsing.  I'm not sure though of a use-case for
 combining it with SSH beyond the obvious 'because I can'

I experienced tor as too slow, just for using it with a browser, a long
time ago. It might be faster today. Off-list, somebody with perhaps some
knowledge mentioned it is too slow too, regarding the usage that is
wanted in this case.


Archive: http://lists.debian.org/1345491940.1285.88.camel@localhost.localdomain



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Ralf Mardorf
On Mon, 2012-08-20 at 21:45 +0200, Ralf Mardorf wrote:
 On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
  On 8/20/12 10:18 PM, Ralf Mardorf wrote: On Mon, 2012-08-20 at 22:08
  [snip]
   I thought using tor was a joke :( or a hint, that too much security at
   some point really is too much. I don't have much knowledge about the
   Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
   Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
   just for surfing the web. It's not usable for serious work.
  
  Tor is intended for privacy, not security, and fulfills that reasonably
  well when used for web browsing.  I'm not sure though of a use-case for
  combining it with SSH beyond the obvious 'because I can'
 
 I experienced tor as too slow, just for using it with a browser, a long
 time ago. It might be faster today. Off-list, somebody with perhaps some
 knowledge mentioned it is too slow too, regarding the usage that is
 wanted in this case.

PS:

Perhaps an expert is so kind as to give a serious answer, to avoid Lina
setting up something useless, or to confirm that in this case it is
useful.



Archive: http://lists.debian.org/1345492700.1285.91.camel@localhost.localdomain



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Tuesday 21,August,2012 02:52 AM, Joe wrote:
 On Mon, 20 Aug 2012 23:56:42 +0800
 lina lina.lastn...@gmail.com wrote:
 
 On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:38, lina wrote:
 How do I know who has this IP address? why s/he didn't change?

 You probably don't. I don't understand this second question.
 The second question is that for those days, the attacker should
 think of renew its ip address. not from the same one.

 But we don't know is the attacker a person or a program, which is
 running without knowledge of the owner of computer.
 Yes, it's more like a program. but the owner in this long period has
 never shutdown the computer, just a bit surprised that it keeps the
 same ip address.




 
 A DHCP client will normally remember its IP address, even if the lease
 has expired, and on the next connection will request it again. If the
 server hasn't issued it to anyone else, it will normally comply with the
 request. Both server and client can be configured not to do this, but
 in a Windows network it will probably happen to avoid too much need for
 scavenging out-of-date DNS records. Assuming the link between DNS and
 DHCP has been set up properly.
 
 Or it may be a configured reservation in the DHCP server i.e. some form
 of server itself. Or the client can be explicitly configured to request
 that address, when it is available, but there's very little reason to
 do that when a reservation is a guaranteed method.
 
 Even if the attacker in this case is a human, it may be difficult or
 impossible to override the network policies. Configuration of
 networking is limited to people with admin credentials, unprivileged
 users cannot even issue a DHCP renewal request other than by rebooting
 the machine.
 
 The quick answer here is to try: host IP address, which will turn up
 the hostname of the offending machine if the local DNS server is
 properly set up. Or to at least gain the MAC address of the machine, try
 inserting an iptables rule on your machine to log incoming ssh
 connections.
$ host 172.21.48.161
Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)

Nmap scan report for 172.21.48.161
Host is up (0.0021s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
515/tcp   open  printer
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49154/tcp open  unknown

Thanks, I have dropped it in iptables.

 
 e.g. in your INPUT chain, just before the ssh -j ACCEPT command:
 
 iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug \
     --log-prefix "SSH IN: "
 
 which will normally log to syslog and also /var/log/debug. I'd have
 thought the network admin would keep a list of MAC addresses on the
 network. If fact, the easiest answer of all is for the admin to look at
 the DHCP and DNS server records.
 
 Or there are programs which will scan the network for hostnames, MAC
 addresses and open ports, but I couldn't possibly suggest the use of
 such software, which may well be a hanging offence in some places. On
 the other hand, they're harbouring an ssh worm...
 


Archive: http://lists.debian.org/50331a9a.2080...@gmail.com



Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread lina
On Tuesday 21,August,2012 03:12 AM, unruh wrote:
 Everyone suffers these attacks. They are simply part of a toolset which
 crackers use to try to gain entry into Linux machines. As long as you
 have good passwords do not worry. You will also suffer attacks on
 various Windows ports. 
 
 If you want you can use /etc/hosts.allow to weed out outside machines
 that try these attacks, either manually or with programs.
 
 You cannot hide your IP or no one in the world could ever ssh into your
 system, making ssh useless for your users.
 Also your attacks appear to be local attacks,
 i.e. from someone on your own network. They know who you are.

That's why I am a bit scared. And sometimes I received unknown calls;
when I answered, no sound. A bit scary.

I disliked so much that the one who is in charge of the place asked for our
phone numbers and put all our contact info on the table in front of the door
window. The good excuse was that if there is a fire, someone could find
our contact information easily. Damn, if there is a fire, this paper
will burn before s/he can read it.
 
 
 
 In linux.debian.user, you wrote:
 On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
 On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
 On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
 On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.

 If you have SSHd and that is what you are worried about, grep ssh from
 /var/log/auth.log .

 BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
 one.

 You need to ask, not what is, but who is. More specifically:

 $ whois 172.21.48.161
 [...]
 NetRange:   172.16.0.0 - 172.31.255.255
 CIDR:   172.16.0.0/12
 OriginAS:
 NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
 NetHandle:  NET-172-16-0-0-1
 Parent: NET-172-0-0-0-0
 NetType:IANA Special Use
 [...]

 In other words, it's someone else on your network.

 So I am under regular attacks recently, very gentle attack, only tried
 few times each day?

 How do I know who has this IP address? why s/he didn't change?
 
 It is someone on your own network. If you are at a University it is
 someone there. Find out from the network people who has that IP. But it
 is highly probable that they have no idea that they are launching those
 attacks because their Windows machine has had attack software installed
 on it after their systems were broken.
On those desktops here only the administrator and staff have the privilege
to install software.
 
 

 unbelievable, hope I am wrong here.
 
 About what? You are an administrator and just discovering that these
 kinds of attack take place regularly?

I felt I made some mistakes before, like putting the public keys from those
servers into my own laptop, just for the convenience of connection.
I am on my way to correcting my mistakes.
 
 

 Best regards,

Best regards,

 [cut]

 Thanks again,

 Best regards,


 I'm not sure whether that requires LogLevel being VERBOSE in sshd_config.

 And you might also want to install something like SSHGuard (package
 sshguard) to protect your SSHd and other services, which it protects
 from attackers. http://www.sshguard.net/




Archive: http://lists.debian.org/50331f1e.1090...@gmail.com