| 1 |
On Tuesday 04 December 2007, Grant wrote: |
| 2 |
> > >I just tried to log into my local Gentoo router/firewall system and I |
| 3 |
> > > got this: |
| 4 |
> > > |
| 5 |
> > >ssh_exchange_identification: Connection closed by remote host |
| 6 |
> > > |
| 7 |
> > >From Google, It looks like it's a problem caused by too many ssh |
| 8 |
> > >connections, but that system should only ever be logged into by me, |
| 9 |
> > >and I hadn't logged in for at least 12 hours. I checked the sshd logs |
| 10 |
> > >and they're suspiciously empty. Just a few lines per day in there. |
| 11 |
> > >Does this seem like enough to wipe the machine over? |
| 12 |
> > > |
| 13 |
> > >- Grant |
| 14 |
> > |
| 15 |
> > I don't think it is a reason to panic. |
| 16 |
> |
| 17 |
> Why not? |
| 18 |
> |
| 19 |
> > But why do you say it can be logged into by you? |
| 20 |
> |
| 21 |
> I just mean that it's my system and no one else should be in there. |
| 22 |
> |
| 23 |
> > I'm assuming you are using only ssh key (no password); do you run port |
| 24 |
> > knocking? (you should). |
| 25 |
> |
| 26 |
> I do have a password and I don't run port knocking but I'll check that out. |
| 27 |
|
| 28 |
I'm not sure if you would get some message like the one you report if you have |
| 29 |
entered an incorrect passwd and you are using pam. General rules apply here, |
| 30 |
e.g. use chkrootkit, rkhunter, lsof, etc., to see if something *obvious* is |
| 31 |
lurking in the background. Alternatively, hook up a hub on the LAN in |
| 32 |
promiscuous mode and listen into the traffic from/to this box. Within a |
| 33 |
couple of days something that shouldn't be there would probably rear its |
| 34 |
head. |
| 35 |
|
| 36 |
Assuming that you are the only legit user, that your passwd is reasonably |
| 37 |
strong (random alpha-numeric chars & symbols) and long (more than 10 should |
| 38 |
be safe enough, although the longer the better), and that you do not rotate |
| 39 |
your logs every couple of hours, you should feel relatively comfortable. |
| 40 |
That said, what do you see in the rotated logs? |
| 41 |
|
| 42 |
Besides port knocking in your future system (or this one if you are sticking |
| 43 |
with it) consider trying out fail2ban, or doing away with passwd |
| 44 |
authentication all together. Where I can, I only allow pubkey authentication |
| 45 |
and disable passwd authentication and pam. |
| 46 |
|
| 47 |
HTH. |
| 48 |
-- |
| 49 |
Regards, |
| 50 |
Mick |
Archives