# Weird ssh connections, not made by me

## audiodef

While examining /var/log/messages, I noticed stuff like this:

```
Jan 11 21:08:21 serverdef sshd[19050]: Did not receive identification string from 95.249.60.207 port 37765
Jan 11 21:08:31 serverdef sshd[19054]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-37989;Protocol: 2.0;Client: Go
Jan 11 21:08:32 serverdef sshd[19054]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-37989;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:08:44 serverdef sshd[19054]: Connection closed by 95.249.60.207 port 37989 [preauth]
Jan 11 21:08:45 serverdef sshd[19061]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-38248;Protocol: 2.0;Client: Go
Jan 11 21:08:45 serverdef sshd[19061]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-38248;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:09:00 serverdef sshd[19061]: Connection closed by 95.249.60.207 port 38248 [preauth]
Jan 11 21:09:01 serverdef sshd[19071]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-38567;Protocol: 2.0;Client: Go
Jan 11 21:09:01 serverdef sshd[19071]: SSH: Server;Ltype: Kex;Remote: 95.249.60.207-38567;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jan 11 21:09:13 serverdef sshd[19071]: Connection closed by 95.249.60.207 port 38567 [preauth]
```

What is this? Should I be concerned? If so, how do I put the kibosh on it?
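A way to answer the question from the log itself, as an added example that is not part of the original thread: the lines above are sessions that announce a Go client and close before any authentication, and the script below parses exactly those message shapes, tallies them per source address, and flags a source the way fail2ban's maxretry-within-findtime rule would. The sample log is constructed from the quoted lines plus one benign key login; syslog timestamps carry no year, so a year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the sshd lines quoted in the post plus one benign key login.
SAMPLE_LOG = """\
Jan 11 21:08:21 serverdef sshd[19050]: Did not receive identification string from 95.249.60.207 port 37765
Jan 11 21:08:31 serverdef sshd[19054]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-37989;Protocol: 2.0;Client: Go
Jan 11 21:08:44 serverdef sshd[19054]: Connection closed by 95.249.60.207 port 37989 [preauth]
Jan 11 21:09:01 serverdef sshd[19071]: SSH: Server;Ltype: Version;Remote: 95.249.60.207-38567;Protocol: 2.0;Client: Go
Jan 11 21:09:13 serverdef sshd[19071]: Connection closed by 95.249.60.207 port 38567 [preauth]
Jan 11 21:20:00 serverdef sshd[19100]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
MSG_RES = [  # message patterns tried in order; each captures the peer address
    ("no_ident", re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")),
    ("closed_preauth", re.compile(r"Connection closed by (?P<ip>[\d.]+) port \d+ \[preauth\]")),
    ("banner", re.compile(r"Ltype: Version;Remote: (?P<ip>[\d.]+)-\d+;.*;Client: (?P<client>.+)$")),
    ("accepted", re.compile(r"^Accepted \w+ for \S+ from (?P<ip>[\d.]+)")),
]

def parse_events(text, year=2000):
    """Return (timestamp, ip, kind, client) tuples; syslog omits the year, so the caller supplies it."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, rx in MSG_RES:
            mm = rx.search(m["msg"])
            if mm:
                events.append((ts, mm["ip"], kind, mm.groupdict().get("client")))
                break
    return events

def summarize(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Per-IP tally; 'flagged' mirrors fail2ban's maxretry-within-findtime rule."""
    per_ip = defaultdict(lambda: {"preauth": [], "clients": set(), "accepted": 0, "flagged": False})
    for ts, ip, kind, client in events:
        rec = per_ip[ip]
        if kind in ("no_ident", "closed_preauth"):
            rec["preauth"].append(ts)   # session ended before any authentication attempt
        elif kind == "banner":
            rec["clients"].add(client)  # "Go" here: a scanner written in Go, not a human's ssh
        else:
            rec["accepted"] += 1
    for rec in per_ip.values():
        times = sorted(rec["preauth"])  # sliding window over the failure timestamps
        rec["flagged"] = any(times[i + maxretry - 1] - times[i] <= findtime
                             for i in range(len(times) - maxretry + 1))
    return dict(per_ip)
```

Run against the real file with `summarize(parse_events(open("/var/log/messages").read(), year=...))`; a source with many preauth closes, a non-interactive client banner and no accepted logins is scanner traffic, not a person.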

----------

## eccerr0r

Still wet behind the ears checking logs? j/k

Just make sure you have a good secure password for all accounts, and don't worry about it.

If you're that worried about it, other than disabling sshd access from the outside, you'll have to do one or more of these:

1 - run a vpn and only allow ssh after vpn connect

2 - run sshd on another port

3 - implement port knocking or some fail2ban or something.

I just let them all go and hope my passwords cannot be dictionary attacked.

----------

## Ant P.

*audiodef wrote:*

> What is this?

The cesspool that is the public Internet. If you want clean logs, don't run things on any port in /etc/services with a name. You can get rid of 99% of the crap in a web server log by going HTTPS-only too.

That's obviously not security though.

If you want to actually *be* safer, do USE="-ssl" emerge openssh. After that your sshd won't be linked to OpenSSL and as a result will only know the 1 ciphersuite the OpenBSD devs put into it, which is more than enough to outsmart random skiddies knocking on the front door.

(It's also faster than the default one, with or without hardware AES, or so I've heard  :Wink: )

----------

## eccerr0r

I'm starting to get crap in my https logs too, so they're starting to catch on...

BTW yesterday I got "over 9000" (about 9400 blocked, 300 connects) SSH login attempts, so don't feel too bad.  Then again it was an exceptional day.

----------

## chiefbag

To alleviate these connection attempts you have a few options.

1: Run sshd on a non standard port

2: Use port knocking to allow access to port 22 

```
http://gentoo-en.vfose.ru/wiki/Port_Knocking
```

3: Firewall to allow only certain ip addresses via iptables.

4: Use something like Fail2ban.

```
https://wiki.gentoo.org/wiki/Fail2ban
```

Always deny password authentication and challenge response on a publicly accessible server, use public/private keys.
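The advice above in checkable form, as an added example that is not part of the original thread: a small audit of the global section of an sshd_config that reports password or challenge-response authentication left on, public-key authentication off, and the default port. It applies the semantics that bite people here: sshd uses the first value it sees for a keyword, a commented line leaves the default in force, and directives after a Match line are conditional. Both config texts are constructed samples.

```python
import re

# Constructed sample that still allows passwords: sshd keeps the FIRST value of a keyword,
# so the later "PasswordAuthentication no" changes nothing, and the commented line leaves
# ChallengeResponseAuthentication at its default of yes.
WEAK_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no
PasswordAuthentication no
"""
# Constructed sample applying the advice above: keys only, off the default port.
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
# Upstream defaults used when a keyword is absent; ChallengeResponseAuthentication is
# an alias of KbdInteractiveAuthentication, so both are folded into one key.
DEFAULTS = {"port": "22", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_global_settings(text):
    """Keyword -> value for the global section: first occurrence wins, Match blocks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything after the first Match is conditional, not global
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Findings for a publicly reachable sshd, following the thread's advice."""
    s = {**DEFAULTS, **effective_global_settings(text)}
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication effectively yes: passwords guessable online")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("ChallengeResponse/KbdInteractive auth still on: PAM passwords reachable")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: no way in once passwords are disabled")
    if s["port"] == "22":
        findings.append("Port 22: scanner noise (changing it cuts log spam, not risk)")
    return findings
```

Install and test a key login before turning passwords off, or you end up where the next post in this thread does.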

----------

## audiodef

*Ant P. wrote:*

> *audiodef wrote:* What is this?
>
> The cesspool that is the public Internet. If you want clean logs, don't run things on any port in /etc/services with a name. You can get rid of 99% of the crap in a web server log by going HTTPS-only too.
>
> That's obviously not security though.
> ...

Thanks! Should I be surprised at this after recompiling?

```
/etc/init.d/sshd restart
 * Caching service dependencies ...    [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Stopping sshd ...    [ ok ]
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
 * Starting sshd ...
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_private: invalid format
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
```

EDIT:

Whoops, can't go this route. Now I'm blocked out with permission denied (publickey). I hope I can get in through my server host's panel and undo this...

Yep, sorted.

----------

## audiodef

I appreciate the replies, guys. I'll be checking out those options.   :Smile: 

----------

## eccerr0r

*audiodef wrote:*

> Whoops, can't go this route. Now I'm blocked out with permission denied (publickey). I hope I can get in through my server host's panel and undo this...

Once again Convenience vs Security...  I opted just to leave it open to the public so I can ssh from anywhere.

----------

## audiodef

Yeah, I need that, too. But fail2ban is looking like a good starting measure, and it's well-documented. (Meaning I probably won't have to bother you folks too much with l4m3 n00b q's.)

----------

## eccerr0r

Sorry, did not mean to call anyone out on a "n00b" question, all questions are good questions.

But it really pisses me off all these hackers around probing just about every ipv4 address for an easy hack, I'm just glad I don't pay by the byte (then again my limited bandwidth is wasted by their attacks whether my machines respond to them or not).  Makes me want to puke.  Would be nice to just use ipv6 so that the search space is almost like hitting the lottery, alas...security by obscurity is not security.

----------

## Ant P.

*audiodef wrote:*

> Thanks! Should I be surprised at this after recompiling?
>
> ```
> /etc/init.d/sshd restart
> ```
>
> ...

I probably should have mentioned that too, whoops. You only get ed25519 this way and anything else becomes a config error.

----------

## 1clue

fail2ban is a must-have for any public-facing service. Before I did that I literally ran out of disk space because someone was trying to brute force my sshd.

On top of that I'd implement the VPN or at least port knocking.

I'm also of the opinion that if you're hooking up through a SOHO (small office/home office) router that you're essentially crowd surfing while naked. The bad guys can see and touch everything you have.

IMO a public-facing, public-serving business needs all or most of:

fail2ban or similar.

VPN for EVERY remote-to-local access not intended to be a public service

IDS/IPS, (suricata or snort or ???).

Port knocking for anything which gives you authority to execute non-service features (shell, etc). Cryptknock looks interesting but I've never used it and the site says it's old. http://cryptknock.sourceforge.net/

A DMZ which can't initiate a connection to your internal network under any circumstances.  This would force a VPN connection for remote access to your internal site.

DMZ only contains the minimal functionality needed to support public-facing services.

DMZ has outbound firewall with only necessary ports open. Prevents malware on DMZ systems from being used as an attack platform. Personally I'd like to do the same with the internal network but the users complain loudly.

----------

## audiodef

*Ant P. wrote:*

> I probably should have mentioned that too, whoops. You only get ed25519 this way and anything else becomes a config error.

https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

Nice, I'll look into this. Thanks.

----------

## audiodef

It's a hosted dedicated server, but the rest of your advice is much appreciated, thank you.   :Cool: 

*1clue wrote:*

> fail2ban is a must-have for any public-facing service. Before I did that I literally ran out of disk space because someone was trying to brute force my sshd.
>
> On top of that I'd implement the VPN or at least port knocking.
>
> I'm also of the opinion that if you're hooking up through a SOHO (small office/home office) router that you're essentially crowd surfing while naked. The bad guys can see and touch everything you have.
> ...

----------

