ssh attempts

Discussion in 'Tomato Firmware' started by _wb_, Dec 30, 2013.

  1. _wb_

    _wb_ Networkin' Nut Member

    Recently I added the following entry
    iptables -A shlimit -j LOG
to my firewall to verify how many attempts to "break in" I get, and I have been surprised that I get at least around 3-5 attempts every day.

    Logs such as:
    Dec 30 05:54:03 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=xx:xx:xx:xx:.... <1>SRC= DST=xx.xx.xx.xx <1>LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7263 DF PROTO=TCP <1>SPT=50774 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Dec 30 05:58:46 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=xx:xx:xx:xx:.... <1>SRC= DST=xx.xx.xx.xx <1>LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=42558 PROTO=TCP <1>SPT=54460 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

    I have ssh off for most of the time unless I need to gather some info locally.

    Any advice to harden ssh to tomato besides disabling ssh remote access? Do you experience similar number of ssh attempts?
  2. darkknight93

    darkknight93 Networkin' Nut Member

    I've set my remote ssh port to something like 9922 instead of 22.
    This will stop robots from logging in. Besides that, disable password login for SSH and use key authorization instead. Tutorials can be found online.
  3. _wb_

    _wb_ Networkin' Nut Member

    Well, I don't even have ssh port 22 opened at all but I still get those attempts. I did indeed disable password login and I use ssh rsa key. Thanks
  4. darkknight93

    darkknight93 Networkin' Nut Member

    Have you set "Remote Access" under SSH Daemon to off?

    Then these log files just show packets with destination port 22, and no real logins are made on SSH, so it's safe.

    There are many robots out there scanning whole IP subnets for open SSH ports and trying root/root as the password, for example.
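    As an added example (not code from this thread or from Tomato), here is a small Python script that parses iptables LOG lines like the ones quoted in the first post and checks what darkknight93 points out above: the entries are bare SYN packets aimed at port 22, so counting them per day and per source tells you how many connection attempts the firewall saw, not how many logins happened. The sample log is constructed for the example, with RFC 5737 documentation addresses standing in for the redacted SRC/DST, and the function names and the three-hits-in-a-day "repeat" threshold are the example's own choices, not anything Tomato defines.

```python
"""Count and summarise SSH connection attempts from Tomato/iptables LOG lines."""
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread.
# The <4>/<1> tokens are kernel printk-level markers that Tomato's syslog
# leaves in; SRC/DST are RFC 5737 documentation addresses, not real hosts.
# Line 5 targets port 23 and line 6 has an empty SRC (as in the quoted
# log) so the filter has something to skip.
SAMPLE_LOG = """\
Dec 30 05:54:03 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=203.0.113.10 DST=192.0.2.1 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7263 DF PROTO=TCP <1>SPT=50774 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 05:54:04 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=203.0.113.10 DST=192.0.2.1 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7264 DF PROTO=TCP <1>SPT=50775 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 05:54:05 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=203.0.113.10 DST=192.0.2.1 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7265 DF PROTO=TCP <1>SPT=50776 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 05:58:46 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=42558 PROTO=TCP <1>SPT=54460 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 31 01:12:09 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=42600 PROTO=TCP <1>SPT=54500 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 31 02:30:00 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC= DST=192.0.2.1 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=8001 DF PROTO=TCP <1>SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 31 07:45:31 tomato user.alert kernel: <4>IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 <1>SRC=203.0.113.99 DST=192.0.2.1 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9123 DF PROTO=TCP <1>SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PRINTK_LEVEL = re.compile(r"<\d+>")                       # <4>, <1> markers
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
KV = re.compile(r"([A-Z]+)=(\S*)")                        # KEY=value, value may be empty


def parse_log_line(line):
    """Parse one iptables LOG line into day, time, KEY=value fields and bare
    flag tokens (DF, SYN, ACK ...). Returns None for non-LOG syslog lines."""
    m = TIMESTAMP.match(line)
    if not m or "kernel:" not in line:
        return None
    body = PRINTK_LEVEL.sub("", line.split("kernel:", 1)[1])
    fields = dict(KV.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}
    return {"day": m.group(1), "time": m.group(2), "fields": fields, "flags": flags}


def ssh_attempts(log_text, port=22):
    """Keep only TCP packets to the SSH port that carry a non-empty source."""
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        if not f.get("SRC"):          # redacted/empty SRC, as in the quoted log
            continue
        out.append(rec)
    return out


def attempts_per_day(attempts):
    return Counter(r["day"] for r in attempts)


def attempts_per_source(attempts):
    return Counter(r["fields"]["SRC"] for r in attempts)


def syn_only(attempts):
    """True when every logged packet is an initial SYN, i.e. a connection
    attempt seen by the firewall; the LOG line does not record whether it
    was accepted or ever reached the SSH daemon."""
    return all("SYN" in r["flags"] and "ACK" not in r["flags"] for r in attempts)


def classify_sources(attempts, repeat_threshold=3):
    """Label a source 'repeat' if it sent repeat_threshold or more attempts
    within one day (retrying, brute-force style), else 'single probe'.
    The threshold is an arbitrary choice for this example."""
    per_src_day = Counter((r["fields"]["SRC"], r["day"]) for r in attempts)
    labels = {}
    for (src, _day), n in per_src_day.items():
        if n >= repeat_threshold:
            labels[src] = "repeat"
        else:
            labels.setdefault(src, "single probe")
    return labels


if __name__ == "__main__":
    hits = ssh_attempts(SAMPLE_LOG)
    print("attempts per day:   ", dict(attempts_per_day(hits)))
    print("attempts per source:", dict(attempts_per_source(hits)))
    print("all bare SYNs:      ", syn_only(hits))
    print("source labels:      ", classify_sources(hits))
```

    On a router the same functions can be fed the output of `logread` or the contents of /var/log/messages; the parser ignores lines that are not kernel LOG records, so dropbear's own messages pass through harmlessly.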
  5. koitsu

    koitsu Network Guru Member

    An easier answer is this: there are systems online which are basically portscanning and service-scanning the entire Internet constantly. Port 22, port 3389, port 25, port 23, and port 80 are common ones, but the scans aren't limited to that any longer, because some people have distributed scanning systems (think DDoS but instead of saturating a network link they're using all the systems to scan port ranges) that will hit ports 1-65535. You will always see this, and there is nothing you can do about it. It's just the day we live in now; the Internet did not used to be this way. My recommendation is to cease your OCD logging. :)
  6. _wb_

    _wb_ Networkin' Nut Member

    Thanks. I disabled those logs.