I've had an Ubuntu 8.04 server running and on the Internet for a few days. I have ports 21 and 22 open for FTP and SSH; all other ports are closed.
I ran netstat and found this:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 68 10.7.1.71%134645824:ssh 125.211.221.145%8:47777 ESTABLISHED
It appears as if 125.211.221.145 has established an SSH connection to the server and is sending packets out. Is it possible for someone to establish an SSH connection without authenticating?
I did reverse DNS lookups on the address, and it seems to originate from China according to this resource: http://www.ipaddresser.com/
I assume most servers are fending off stuff like this all the time, but is it unusual to have someone sit on a port like this? And is there a way to block certain IPs at the server level?
The server is sitting behind a substantial Cisco firewall ..
All "ESTABLISHED" means is that the TCP session is open. It does not mean that they have successfully authenticated. Nmap, for example, will create a complete, legal TCP session when scanning port 22. (It's verifying that the daemon is sshd, checking version strings, etc.) This person could be running a simple port scanner or even attempting to brute-force your passwords.
To figure out what's actually happening, you'll need to spend some quality time with your logs. Spend most of your time looking for successful and failed logins. Also, just running "who" will let you know if someone is actually logged in via that connection. The output of "last" can also be useful.
Insyte beat me to it.
To drop all connections from that IP:
iptables -A INPUT -s 125.211.221.145 -j DROP
You can use a package such as BlockHosts to stop all unsolicited connections of this kind. Here's a nice tutorial - it's for Debian Etch but nearly all of it applies to Ubuntu as well.
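The first answer's check (an ESTABLISHED socket to sshd is not the same as a logged-in user; compare against "who") can be automated. The following is an added example, not code from either answer: it parses netstat and who output, strips the %scope-id suffix seen in the question's netstat line, and reports peers that hold an open TCP session to the ssh port but have no corresponding who entry. The netstat and who samples are constructed (the first data row mirrors the question's), and the hostname "box", user "admin" and the 192.0.2.10 / 198.51.100.7 addresses are assumptions.

```python
"""Correlate ESTABLISHED ssh connections (netstat) with logged-in sessions (who).

Added example: an open TCP session to sshd that has no matching `who` entry is a
peer that has not (or not yet) authenticated, e.g. a scanner or brute-forcer.
"""
import re

# Constructed sample of `netstat -n` output. The first data row mirrors the
# question's line; the other rows and addresses are made up for the example.
NETSTAT_SAMPLE = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0     68 10.7.1.71%134645824:ssh 125.211.221.145%8:47777 ESTABLISHED
tcp        0      0 10.7.1.71:22            192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.7.1.71:21            198.51.100.7:40000      TIME_WAIT
"""

# Constructed sample of `who` output: one real login, from 192.0.2.10.
WHO_SAMPLE = """admin    pts/0        2008-06-01 10:12 (192.0.2.10)
"""

SSH_PORTS = {"ssh", "22"}  # netstat prints the service name unless run with -n


def _split_endpoint(endpoint):
    """'addr%scope:port' -> (addr, port). rpartition keeps IPv6 addresses intact."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.split("%", 1)[0]          # drop the %scope-id suffix
    if addr.startswith("::ffff:"):        # IPv4-mapped IPv6 address on a tcp6 socket
        addr = addr[len("::ffff:"):]
    return addr, port


def parse_netstat(text):
    """Return one dict per connection row; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, recvq, sendq, local, foreign, state = parts[:6]
        conns.append({
            "proto": proto,
            "recv_q": int(recvq),
            "send_q": int(sendq),          # bytes sent but not yet ACKed by the peer
            "local": _split_endpoint(local),
            "foreign": _split_endpoint(foreign),
            "state": state,
        })
    return conns


WHO_HOST = re.compile(r"\(([^)]+)\)\s*$")  # trailing "(host-or-ip)" column of `who`


def parse_who(text):
    """Return {source host/IP: [usernames]} for sessions that came in over the network."""
    logged_in = {}
    for line in text.splitlines():
        fields = line.split()
        m = WHO_HOST.search(line)
        if not fields or not m:
            continue                      # console logins carry no (host) column
        logged_in.setdefault(m.group(1), []).append(fields[0])
    return logged_in


def established_ssh_peers(conns):
    """Connections where the local side is the ssh port and the TCP session is up."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["local"][1] in SSH_PORTS]


def unauthenticated_ssh_peers(netstat_text, who_text):
    """Peer IPs with an ESTABLISHED session to sshd but no `who` entry: socket open, no login."""
    logged_in = parse_who(who_text)
    peers = {c["foreign"][0] for c in established_ssh_peers(parse_netstat(netstat_text))}
    return sorted(ip for ip in peers if ip not in logged_in)


if __name__ == "__main__":
    for ip in unauthenticated_ssh_peers(NETSTAT_SAMPLE, WHO_SAMPLE):
        print("ESTABLISHED to sshd but not logged in:", ip)
```

Run netstat with -n so both tools print numeric addresses (recent coreutils also accept "who --ips"); otherwise who will show a resolved hostname and the comparison misses. A peer flagged here is exactly the case the answer describes: the three-way handshake completed, but nothing in who says the person got past authentication.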
I run a program called fail2ban which reads the logs of common daemons such as ssh and ftp. It uses regular expressions to monitor failed login attempts in those logs, and updates firewall rules to block the IPs of would-be intruders. You can customize the behavior of fail2ban in ways such as how many failed attempts before an IP is blocked and how long it stays blocked. It works very well and I'm quite pleased with it. Check it out here.
Though I'm not familiar with gareth_bowles' BlockHosts, I suspect it is similar to fail2ban.
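What fail2ban does with sshd's log, reduced to its core, as an added example (not fail2ban's own code and not from any answer above): match "Failed password" lines with a regular expression, count failures per source IP inside a sliding window, ban an IP once it reaches the retry limit, and lift the ban after a fixed time. The log lines are constructed in the syslog format Ubuntu 8.04's sshd writes to /var/log/auth.log; the hostname "box", the users, the 192.0.2.10 address and the year 2008 (syslog timestamps carry none) are assumptions. The emitted rule is the one from the iptables answer, with -I instead of -A so it lands ahead of any existing ACCEPT for port 22.

```python
"""fail2ban-style scan of sshd log lines: threshold inside a window, ban, expiry.

Added example. Parameters mirror fail2ban's names: maxretry, findtime, bantime.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log. 125.211.221.145 fails five times in
# eight seconds; 192.0.2.10 also fails five times, but twenty minutes apart.
AUTH_LOG_SAMPLE = """\
Jun  1 10:11:01 box sshd[4120]: Failed password for invalid user oracle from 125.211.221.145 port 47777 ssh2
Jun  1 10:11:03 box sshd[4120]: Failed password for invalid user oracle from 125.211.221.145 port 47777 ssh2
Jun  1 10:11:05 box sshd[4122]: Failed password for root from 125.211.221.145 port 47790 ssh2
Jun  1 10:11:06 box sshd[4124]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Jun  1 10:11:08 box sshd[4126]: Failed password for root from 125.211.221.145 port 47801 ssh2
Jun  1 10:11:09 box sshd[4128]: Failed password for root from 125.211.221.145 port 47812 ssh2
Jun  1 10:30:00 box sshd[4130]: Failed password for admin from 192.0.2.10 port 51300 ssh2
Jun  1 10:50:00 box sshd[4132]: Failed password for admin from 192.0.2.10 port 51301 ssh2
Jun  1 11:10:00 box sshd[4134]: Failed password for admin from 192.0.2.10 port 51302 ssh2
Jun  1 11:30:00 box sshd[4136]: Failed password for admin from 192.0.2.10 port 51303 ssh2
Jun  1 11:50:00 box sshd[4138]: Failed password for admin from 192.0.2.10 port 51304 ssh2
"""

# "invalid user" is optional: sshd adds it when the username does not exist.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
YEAR = 2008  # assumption: syslog timestamps have no year field


def parse_failures(log_text, year=YEAR):
    """Yield (timestamp, ip, user) for every failed-password line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            out.append((ts, m.group("ip"), m.group("user")))
    return out


def scan(log_text, maxretry=5, findtime=timedelta(minutes=10),
         bantime=timedelta(hours=1)):
    """Return {ip: ban_start} for every IP that reached maxretry failures inside findtime."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    bans = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in bans and ts < bans[ip] + bantime:
            continue              # still banned: its packets are being dropped anyway
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # slide the window forward
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


def iptables_rules(bans):
    """Rules to drop banned peers; -I inserts ahead of any existing ACCEPT for port 22."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(bans)]


def unban_rules(bans, now, bantime=timedelta(hours=1)):
    """Rules that remove bans whose bantime has elapsed by `now`."""
    return ["iptables -D INPUT -s %s -j DROP" % ip
            for ip, start in sorted(bans.items()) if now >= start + bantime]


if __name__ == "__main__":
    bans = scan(AUTH_LOG_SAMPLE)
    for rule in iptables_rules(bans):
        print(rule)
```

On the sample, only 125.211.221.145 is banned: 192.0.2.10 also fails five times, but never five within the ten-minute window, which is what keeps a user who mistypes a password now and then from locking themselves out. The generated rules are printed rather than executed so they can be reviewed first; piping them into sh as root applies them, and the -D rules should be issued once the ban has expired or the DROP stays forever.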