Did Not receive identification string from xxx.xxx.xxx.xxx

Hello.

I was checking my /var/log/messages this morning and found two strings
with the above format, i.e.:

Did not receive identification from 61.152.223.195
Did not receive identification string from 222.242.199.132

Both are appearing as entries for sshd. I have enabled ssh and port 22
is open.

What does this mean?


-- 
gakiimurerwa
------------------------------------------------------------------------



0
gakiimurerwa
5/16/2008 8:56:02 AM
novell.sles.configure

4 Replies
3957 Views

On Fri, 16 May 2008 08:56:02 +0000, gakiimurerwa wrote:

> 
> Hello.
> 
> I was checking my /var/log/messages this morning and found two strings
> with the above format i.e: -
> 
> Did not receive identification from 61.152.223.195
> Did not receive identification string from 222.242.199.132
> 
> Both are appearing as entries for sshd. I have enabled ssh and port 22 is
> opened.
> 
> What does this mean?

Probably that port 22 is getting probed by script kiddies.  Something is
opening a connection and then not actually speaking SSH properly.  
You may well see loads of "invalid user" messages from ssh too.

Steps to remedy
1) Close port 22 from the outside if possible
2) If not, then make sure you have very strong passwords for all users
3) Maybe think about changing the port the sshd listens on to avoid the
script kiddies.

HTH

-- 
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...

0
markr
5/16/2008 11:28:57 AM
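The distinction markr draws, a connection that never speaks SSH versus a real guessing run, can be read straight out of /var/log/messages. The script below is an added example for this thread, not code from any of the posts: it sorts sshd entries by source address and counts bare probes ("Did not receive identification string"), "Invalid user" attempts, authentication failures and accepted logins. The log lines are constructed for the demonstration; the hostname "sles", the PIDs, the usernames and the 192.168.1.20 address are made up, and only the two addresses from the original post are real.

```shell
#!/bin/sh
# Added example, not from the original thread: classify sshd log entries per
# source address so that a bare TCP probe ("Did not receive identification
# string") can be told apart from a real login attempt ("Invalid user",
# "Failed password", "PAM: Authentication failure").

# Constructed sample of /var/log/messages. Only the two "Did not receive
# identification string" addresses come from the original post.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 16 04:12:31 sles sshd[4410]: Did not receive identification string from 61.152.223.195
May 16 04:12:33 sles sshd[4412]: Did not receive identification string from 222.242.199.132
May 16 04:13:02 sles sshd[4415]: Invalid user test from 222.242.199.132
May 16 04:13:04 sles sshd[4415]: error: PAM: Authentication failure for illegal user test from 222.242.199.132
May 16 04:13:05 sles sshd[4415]: Failed password for invalid user test from 222.242.199.132 port 51232 ssh2
May 16 04:13:09 sles sshd[4417]: Invalid user admin from 222.242.199.132
May 16 04:13:11 sles sshd[4417]: Failed password for invalid user admin from 222.242.199.132 port 51240 ssh2
May 16 07:58:40 sles sshd[4520]: Accepted publickey for gakii from 192.168.1.20 port 40112 ssh2
May 16 07:59:01 sles /usr/sbin/cron[4530]: (root) CMD (/usr/lib/sa/sa1)
EOF

# classify_sshd LOGFILE
# Prints "IP probes invalid_users failed_auth accepted", one line per address.
classify_sshd() {
    awk '
        $5 !~ /^sshd/ { next }                    # field 5 is "sshd[pid]:"; skip other daemons
        # the probe message ends with the bare address
        /Did not receive identification string from/ { ip = $NF; probe[ip]++; seen[ip] = 1; next }
        # every other message of interest carries "... from <ip> ..."
        {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
        }
        /Invalid user/                                { invalid[ip]++;  seen[ip] = 1; next }
        /Failed password|PAM: Authentication failure/ { failed[ip]++;   seen[ip] = 1; next }
        /Accepted (password|publickey) for/           { accepted[ip]++; seen[ip] = 1; next }
        END {
            for (ip in seen)
                printf "%s %d %d %d %d\n", ip, probe[ip] + 0, invalid[ip] + 0, failed[ip] + 0, accepted[ip] + 0
        }' "$1" | sort
}

# verdict LOGFILE IP
# One word per address: probe-only, brute-force, normal-login or no-sshd-entries.
verdict() {
    row=$(classify_sshd "$1" | awk -v ip="$2" '$1 == ip')
    if [ -z "$row" ]; then
        echo "no-sshd-entries"
        return 0
    fi
    set -- $row                      # $2=probes $3=invalid $4=failed $5=accepted
    if [ "$3" -gt 0 ] || [ "$4" -gt 0 ]; then
        echo "brute-force"           # usernames and passwords were actually tried
    elif [ "$2" -gt 0 ]; then
        echo "probe-only"            # connected, then never sent an SSH banner
    else
        echo "normal-login"
    fi
}

echo "address probes invalid failed accepted"
classify_sshd "$SAMPLE_LOG"
for ip in 61.152.223.195 222.242.199.132 192.168.1.20; do
    echo "$ip: $(verdict "$SAMPLE_LOG" "$ip")"
done
```

Run it against the real file with `classify_sshd /var/log/messages`; an address that shows probes but no "Invalid user" or failed-authentication lines did exactly what markr describes, opened port 22 and went away, whereas non-zero counts in the middle columns mean a password run is underway.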
You can also disable password-based logins and only accept Public Key
encryption for authentication which gets around password issues
entirely.  As a general rule it's good practice to disable Protocol 1
(SSH defaults to 2, but I disable 1 anyway as it isn't necessary and is
a weak point if ever used) and also disable 'root' logins directly.
Anybody needing 'root' via SSH can SSH in as a regular user and then
become 'root'.  In the meantime attackers have to guess both a username
and a password since otherwise the username 'root' is known on a
Linux/Unix machine.

In your case if a password had been tried you'd see lines like the
following:

May 16 12:45:08 mylaptop sshd[24036]: error: PAM: Authentication failure
for <user> from <remotebox>

Good luck.
0
ab
5/16/2008 12:46:25 PM
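markr's three remedies and ab's additions (public keys instead of passwords, protocol 2 only, no direct root login) all end up as lines in /etc/ssh/sshd_config. The following is an added example for this thread, not code from the posts or from OpenSSH: an audit of an sshd_config against that advice, run over a constructed stock-looking file, a constructed hardened file, and a constructed half-done one. Parsing follows sshd's own rules (comments skipped, keywords case-insensitive, the first value for a keyword wins); the defaults filled in for absent keywords are the upstream OpenSSH defaults, Match blocks are not handled, and the port 2222 and user gakii in the hardened file are placeholders. The half-done case shows a caveat the thread does not mention: with UsePAM yes (the usual distribution setting) and ChallengeResponseAuthentication left at its default of yes, PAM can still ask for a password over keyboard-interactive even though PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH: audit an
# sshd_config against the advice given in this thread and show a hardened
# configuration next to a weak one.

# audit_sshd_config FILE
# Prints one WEAK/INFO finding per line, or "OK" when nothing is flagged.
# sshd semantics: comments and blank lines ignored, keywords case-insensitive,
# first occurrence of a keyword wins. Match blocks are not handled here.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            key = tolower($1)
            if (!(key in val)) val[key] = tolower($2)
        }
        END {
            # upstream OpenSSH defaults for keywords the file does not set
            if (!("protocol" in val))                        val["protocol"] = "2"
            if (!("port" in val))                            val["port"] = "22"
            if (!("permitrootlogin" in val))                 val["permitrootlogin"] = "yes"
            if (!("pubkeyauthentication" in val))            val["pubkeyauthentication"] = "yes"
            if (!("passwordauthentication" in val))          val["passwordauthentication"] = "yes"
            if (!("challengeresponseauthentication" in val)) val["challengeresponseauthentication"] = "yes"
            if (!("usepam" in val))                          val["usepam"] = "no"
            n = 0
            if (val["protocol"] ~ /1/) {
                print "WEAK: Protocol " val["protocol"] " still offers SSH-1"; n++ }
            if (val["permitrootlogin"] != "no") {
                print "WEAK: PermitRootLogin " val["permitrootlogin"] " (root is a known username)"; n++ }
            if (val["passwordauthentication"] != "no") {
                print "WEAK: PasswordAuthentication " val["passwordauthentication"] " (guessable)"; n++
            } else if (val["usepam"] == "yes" && val["challengeresponseauthentication"] != "no") {
                # keyboard-interactive lets PAM prompt for a password anyway
                print "WEAK: ChallengeResponseAuthentication yes with UsePAM yes (passwords still accepted via keyboard-interactive)"; n++ }
            if (val["pubkeyauthentication"] != "yes") {
                print "WEAK: PubkeyAuthentication " val["pubkeyauthentication"]; n++ }
            if (val["port"] == "22")
                print "INFO: Port 22 (default, attracts automated scans)"
            if (n == 0) print "OK"
        }' "$1"
}

WEAK_CONF=$(mktemp); HALF_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HALF_CONF" "$HARD_CONF"' EXIT

# Constructed: a stock install nobody has touched.
cat > "$WEAK_CONF" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed: passwords "disabled" but the PAM path left open.
cat > "$HALF_CONF" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
EOF

# Constructed: the thread's advice applied. Port and username are placeholders.
cat > "$HARD_CONF" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers gakii
EOF

for f in "$WEAK_CONF" "$HALF_CONF" "$HARD_CONF"; do
    echo "== $f"
    audit_sshd_config "$f"
done
# Before restarting sshd with a new file, syntax-check it: sshd -t -f /etc/ssh/sshd_config
```

Put your key in ~/.ssh/authorized_keys and confirm a key login works from a second session before you switch PasswordAuthentication off, otherwise the lockout is your own.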
I disconnected the Machine from the network, changed the root
password, stopped sshd and removed it from being started on boot and
closed port 22 on external interface. Hope this is going to chase away
whoever was trying to get into my system. Also going through logs and
files to see if anything might have changed.

Thanks for the good responses.


-- 
gakiimurerwa
------------------------------------------------------------------------
gakiimurerwa's Profile: http://forums.novell.com/member.php?userid=4069
View this thread: http://forums.novell.com/showthread.php?t=328202

0
gakiimurerwa
5/17/2008 8:36:02 AM
Sounds good.  Keep in mind that if the logs were not tampered with then
whoever may have been scanning didn't do anything more than open a TCP
session with the server so at that point it may have just been an
information-gathering exercise.  They also may have been looking for
something else specifically as there are easier protocols (and systems)
to break than SSH.  If you are really interested in watching your *nix
system 24x7 perhaps consider setting up a syslog server which receives
logs from all your other boxes in realtime.  This one server, then, can
be set up to do some monitoring of the events or can be easily searched
for notable events to be sent on to a security administrator.  Having
that one server also means if the logs are modified on the hacked server
another bit of work still needs to be done to get rid of all the logs on
the central syslog server.  It gets into another realm and it's a fun
one to work in.  For the security-requiring there are also products to
expand on this and give you realtime alerts, graphs, reports, etc. such
as Novell Sentinel.

Good luck.
0
ab
5/18/2008 3:31:42 AM
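The point ab makes about a central syslog host is that a cleaned-up local log no longer matches the collector's copy, and that mismatch is itself evidence. The script below is an added example for this thread, not from the posts: given the local log and the copy received centrally, it lists the lines the collector has but the local file lacks (what was deleted) and the lines only the local file has (events that never reached the collector, for instance because forwarding was stopped). Both files are constructed; the forwarding itself (a syslog-ng or syslogd destination pointing at the log host) is assumed to be already in place, and the attacker's address 198.51.100.7 is a documentation-range placeholder, not one from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread: compare a possibly tampered
# local log with the copy held by a central syslog server.

CENTRAL=$(mktemp); LOCAL=$(mktemp)
trap 'rm -f "$CENTRAL" "$LOCAL"' EXIT

# Constructed: what the central log host received from the box.
# 198.51.100.7 is a documentation-range placeholder for an attacker.
cat > "$CENTRAL" <<'EOF'
May 16 04:13:02 sles sshd[4415]: Invalid user test from 198.51.100.7
May 16 04:13:05 sles sshd[4415]: Failed password for invalid user test from 198.51.100.7 port 51232 ssh2
May 16 04:20:17 sles sshd[4433]: Accepted password for root from 198.51.100.7 port 52001 ssh2
May 16 04:21:40 sles su: (to root) gakii on /dev/pts/1
May 16 07:58:40 sles sshd[4520]: Accepted publickey for gakii from 192.168.1.20 port 40112 ssh2
EOF

# Constructed: the local file after every line naming 198.51.100.7 was
# removed, plus one later event that was never forwarded.
cat > "$LOCAL" <<'EOF'
May 16 04:21:40 sles su: (to root) gakii on /dev/pts/1
May 16 07:58:40 sles sshd[4520]: Accepted publickey for gakii from 192.168.1.20 port 40112 ssh2
May 16 08:30:00 sles syslog-ng[1021]: syslog-ng shutting down
EOF

# log_divergence LOCAL CENTRAL
# "- " lines exist centrally but not locally (deleted on the box?)
# "+ " lines exist only locally (never reached the collector)
log_divergence() {
    l=$(mktemp); c=$(mktemp)
    sort "$1" > "$l"                 # comm needs both inputs sorted the same way
    sort "$2" > "$c"
    comm -13 "$l" "$c" | sed 's/^/- /'   # unique to central
    comm -23 "$l" "$c" | sed 's/^/+ /'   # unique to local
    rm -f "$l" "$c"
}

# deleted_locally LOCAL CENTRAL -> number of central lines missing from the local log
deleted_locally() {
    log_divergence "$1" "$2" | grep -c '^- '
}

log_divergence "$LOCAL" "$CENTRAL"
echo "lines missing from local log: $(deleted_locally "$LOCAL" "$CENTRAL")"
```

A non-zero "missing" count on a host whose forwarding was healthy is the signal worth paging on; a burst of "+" lines right before a gap usually marks the moment forwarding was turned off.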