Strange ssh 'attacks?'

I am getting whole masses of lines like the following
in my ssh logs on a Mageia Linux machine. What do they mean? How can I
get rid of them?

sshd[1908]: Received disconnect from 116.31.116.33: 11:  [preauth]
sshd[1958]: Could not write ident string to 116.31.116.33

(there are more of the first than the second.)


William
9/8/2016 2:36:21 PM
comp.security.ssh

with <nqrt15$lcj$1@dont-email.me> William Unruh wrote:

> I am getting whole masses of lines like the following in my ssh logs
> on a Mageia Linux machine. What do they mean?
>
> sshd[1908]: Received disconnect from 116.31.116.33: 11:  [preauth]
> sshd[1958]: Could not write ident string to 116.31.116.33
>
> (there are more of the first than the second.)

Script-kiddie (if any left, or NSA, or Chinese, or Russians, or whoever)
is looking for smtpd, httpd, telnetd or whatever daemon that you
(supposedly, deliberately) put on port 22 (or whatever port you
deliberately put sshd).  However it finds sshd entry sequence instead
and promptly disconnects.

[*REORDERED*]
> How can I get rid of them?

Well, block incoming connections?  If you can't block then patch sshd
(and rebuild) to not log them.

-- 
Torvalds' goal for Linux is very simple: World Domination
Stallman's goal for GNU is even simpler: Freedom
Eric
9/10/2016 11:39:32 AM
Eric Pozharski <whynot@pozharski.name> writes:
> with <nqrt15$lcj$1@dont-email.me> William Unruh wrote:
>> I am getting whole masses of lines like the following in my ssh logs
>> on a Mageia Linux machine. What do they mean?
>>
>> sshd[1908]: Received disconnect from 116.31.116.33: 11:  [preauth]
>> sshd[1958]: Could not write ident string to 116.31.116.33
>>
>> (there are more of the first than the second.)
>
> Script-kiddie (if any left, or NSA, or Chinese, or Russians, or whoever)
> is looking for smtpd, httpd, telnetd or whatever daemon that you
> (supposedly, deliberately) put on port 22 (or whatever port you
> deliberately put sshd).  However it finds sshd entry sequence instead
> and promptly disconnects.

No, it does not find the sshd ‘entry sequence’.  The diagnostic
indicates that it wasn’t even written successfully, so the peer can’t
have seen it.

-- 
http://www.greenend.org.uk/rjk/
Richard
9/10/2016 6:03:35 PM
On 2016-09-10, Richard Kettlewell <invalid@invalid.invalid> wrote:
> Eric Pozharski <whynot@pozharski.name> writes:
>> with <nqrt15$lcj$1@dont-email.me> William Unruh wrote:
>>> I am getting whole masses of lines like the following in my ssh logs
>>> on a Mageia Linux machine. What do they mean?
>>>
>>> sshd[1908]: Received disconnect from 116.31.116.33: 11:  [preauth]
>>> sshd[1958]: Could not write ident string to 116.31.116.33
>>>
>>> (there are more of the first than the second.)
>>
>> Script-kiddie (if any left, or NSA, or Chinese, or Russians, or whoever)
>> is looking for smtpd, httpd, telnetd or whatever daemon that you
>> (supposedly, deliberately) put on port 22 (or whatever port you
>> deliberately put sshd).  However it finds sshd entry sequence instead
>> and promptly disconnects.

Hm. OK, I have sshd listening on both port 22 and port 80 (too many
people firewall port 22 outgoing, and that machine does not have
httpd running). So this could
be someone trying to see what they can see on port 80.
Thanks.

>
> No, it does not find the sshd ‘entry sequence’.  The diagnostic
> indicates that it wasn’t even written successfully, so the peer can’t
> have seen it.
>
William
9/10/2016 10:17:25 PM
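
Added example (not part of any post in this thread): one way to tally which source addresses produce the two pre-authentication messages quoted above, before deciding what to block. The log lines are constructed samples using documentation addresses, the syslog prefix is an assumption, the patterns cover only the message format shown in the thread, and the function names and threshold are illustrative.

```python
import re
from collections import Counter, defaultdict

# Patterns for the two sshd messages quoted in the thread. search() is used so
# an assumed syslog timestamp/host prefix in front of "sshd[pid]:" is tolerated.
PATTERNS = {
    "preauth_disconnect": re.compile(
        r"sshd\[\d+\]: Received disconnect from (?P<ip>\S+?): \d+:.*\[preauth\]"),
    "ident_write_failed": re.compile(
        r"sshd\[\d+\]: Could not write ident string to (?P<ip>\S+)"),
}

# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Sep  8 14:01:02 host sshd[1908]: Received disconnect from 203.0.113.7: 11:  [preauth]
Sep  8 14:01:05 host sshd[1911]: Received disconnect from 203.0.113.7: 11:  [preauth]
Sep  8 14:01:09 host sshd[1958]: Could not write ident string to 203.0.113.7
Sep  8 14:02:11 host sshd[1960]: Received disconnect from 198.51.100.20: 11:  [preauth]
Sep  8 14:03:00 host sshd[1962]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Sep  8 14:03:30 host sshd[1962]: Received disconnect from 192.0.2.10: 11: disconnected by user
""".splitlines()


def summarize(lines):
    """Return {ip: Counter(event -> count)} for pre-auth events only."""
    per_ip = defaultdict(Counter)
    for line in lines:
        for event, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                per_ip[match.group("ip")][event] += 1
                break  # one event per log line
    return dict(per_ip)


def noisy_sources(per_ip, threshold=3):
    """IPs whose combined pre-auth events reach the threshold, busiest first."""
    totals = {ip: sum(counts.values()) for ip, counts in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in noisy_sources(summary, threshold=1):
        print(ip, dict(summary[ip]))
```

The disconnect from an authenticated session (no `[preauth]` tag) is deliberately not counted, so legitimate users do not end up in the list.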