On Tuesday 04 December 2007, Grant wrote:
> > > I just tried to log into my local Gentoo router/firewall system and I
> > > got this:
> > >
> > > ssh_exchange_identification: Connection closed by remote host
> > >
> > > From Google, it looks like it's a problem caused by too many ssh
> > > connections, but that system should only ever be logged into by me,
> > > and I hadn't logged in for at least 12 hours. I checked the sshd logs
> > > and they're suspiciously empty. Just a few lines per day in there.
> > > Does this seem like enough to wipe the machine over?
> > >
> > > - Grant
> >
> > I don't think it is a reason to panic.
>
> Why not?
>
> > But why do you say it can be logged into by you?
>
> I just mean that it's my system and no one else should be in there.
>
> > I'm assuming you are using only ssh key (no password); do you run port
> > knocking? (you should).
>
> I do have a password and I don't run port knocking but I'll check that out.

I'm not sure if you would get some message like the one you report if you have
entered an incorrect passwd and you are using pam. General rules apply here,
e.g. use chkrootkit, rkhunter, lsof, etc., to see if something *obvious* is
lurking in the background. Alternatively, hook up a hub on the LAN in
promiscuous mode and listen in on the traffic from/to this box. Within a
couple of days something that shouldn't be there would probably rear its
head.

Assuming that you are the only legit user, that your passwd is reasonably
strong (random alphanumeric chars & symbols) and long (more than 10 should
be safe enough, although the longer the better), and that you do not rotate
your logs every couple of hours, you should feel relatively comfortable.
That said, what do you see in the rotated logs?

Besides port knocking in your future system (or this one if you are sticking
with it) consider trying out fail2ban, or doing away with passwd
authentication altogether. Where I can, I only allow pubkey authentication
and disable passwd authentication and pam.

HTH.
-- 
Regards,
Mick
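Mick's last paragraph describes the setup he uses (pubkey only, password authentication and PAM off). The script below is an added audit helper, not code from the thread or from OpenSSH, that reads an sshd_config the way sshd does (first occurrence of a keyword wins, global section only) and reports whether those settings are in effect; the function names and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report whether an sshd_config
# matches Mick's setup: pubkey only, password auth and PAM disabled.
# Assumed OpenSSH parsing rules: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and anything after a "Match" line is
# conditional, so only the global section (before the first Match) is read.
# Only the "Keyword value" form is handled, not "Keyword=value".

# usage: sshd_effective FILE KEYWORD DEFAULT  -> prints the effective value
sshd_effective() {
    _key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == key     { print $2; exit }       # first occurrence wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# Exit 0 when every password-based path is closed and pubkey auth is on.
# The defaults passed here are the upstream OpenSSH defaults when unset.
sshd_hardened() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] || return 1
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ] || return 1
    [ "$(sshd_effective "$1" UsePAM no)" = no ] || return 1
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] || return 1
}

# Constructed sample configs for the demo; not real files from the thread.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# "no" appended at the bottom never takes effect: the first line wins
PasswordAuthentication yes
UsePAM yes
#PubkeyAuthentication no
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if sshd_hardened "$f"; then echo "$f: pubkey only"
    else echo "$f: password auth still reachable"; fi
done
```

The weak sample shows the pitfall the first-wins rule causes: a `PasswordAuthentication no` appended below an earlier `yes` leaves passwords enabled, which `sshd -T` on a live host would also reveal.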