Re: OpenSSH 3.4p1 Trouble on SCO 5.0.5?

Bill Vermillion wrote:
> In article <47E6160C.7080405@att.net>,
> Steve M. Fabac, Jr. <smfabac@att.net> wrote:
>> I have a client running SCO 5.0.5 with OpenSSH 3.4p1
>> installed.
>
>> Since SSH was installed, we have been getting hits from
>> people on the Internet scanning port 22.
>
>> Normally they give up and go away. However, I have noticed
>> an unusual number of scans from foreign IP addresses using
>> valid names on the system (the names below in the block for
>> a single source IP are the *only* names logged from that
>> IP):
>
> .....
>
>> Anybody have any ideas, thoughts or comments on this?
>
> I've seen as high as 10,000 such attempts per day - but these are
> on mail and web servers directly connected to a tier 1 backbone
> [level 3] in their Orlando colo. They actually switch [not route]
> connections across the US so I can see 1 hop from Orlando to
> Seattle - that's one reason they carry about 60% of the 'net
> traffic.
>
> But as Nico said in his reply to you, you really shouldn't put SCO
> on a directly connected internet.
>
> IMO the ONLY machines that should do so would be machines
> that MUST be connected - eg mail servers and web servers. All
> other machines should be behind a firewall.
>
> Ideally 3 NIC cards connected to SWITCHES not hubs, would
> have a public access IP, and those should connect to the second set
> [A DMZ area] with such things as your web servers, and the 3rd
> NIC would go to your business machines on a totally private network
> so nothing from the outside world would ever get through.
>
> It's easy and cheap to set up a separate mail/web server
> and keep your important machines hidden. I run on FreeBSD since
> switching an ISP from SGIs back in 1995 and it can run on a slim
> machine and is awfully solid.
>
> If you think you are seeing a lot of attacks, just wait - they get
> more numerous as time goes by.
True. And in further thinking about this, I'd counsel doing something to
reduce the number of spurious logs to deal with. Switching the SSH port to,
say, 1022 and making sure there are no other services on it would help reduce
the logging of such attempts, and leave much less debris in your logs.
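The pattern the original poster noticed (one source IP trying only names that exist on the system) can be picked out of the sshd log automatically. The following is an added example, not code from anyone in this thread; it parses OpenSSH "Failed password" lines, using the "invalid user" marker sshd emits for non-existent accounts to separate guesses at real names from guesses at made-up ones, and flags sources whose failures were exclusively against real accounts. The log lines and IP addresses are constructed for the example, and the `min_attempts` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (syslog prefix stripped); not taken from the thread.
SAMPLE_LOG = """\
Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Failed password for invalid user test from 203.0.113.5 port 4423 ssh2
Failed password for root from 203.0.113.5 port 4424 ssh2
Failed password for smfabac from 198.51.100.7 port 5100 ssh2
Failed password for operator from 198.51.100.7 port 5101 ssh2
Failed password for smfabac from 198.51.100.7 port 5102 ssh2
Accepted password for smfabac from 192.0.2.10 port 6000 ssh2
"""

# sshd writes "invalid user NAME" only when NAME is not an account on the host;
# a failure without that marker therefore names a real account.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def tally_failures(log_text):
    """Group failed logins by source IP: real vs. non-existent names and total count."""
    stats = defaultdict(lambda: {"valid": set(), "invalid": set(), "count": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        entry = stats[m.group("ip")]
        entry["count"] += 1
        key = "invalid" if m.group("invalid") else "valid"
        entry[key].add(m.group("user"))
    return dict(stats)


def targeted_sources(stats, min_attempts=2):
    """IPs whose failures used only names that exist on the system (assumed threshold)."""
    return sorted(ip for ip, e in stats.items()
                  if e["count"] >= min_attempts and e["valid"] and not e["invalid"])


if __name__ == "__main__":
    tallied = tally_failures(SAMPLE_LOG)
    for ip in targeted_sources(tallied):
        print(ip, "tried only real accounts:", sorted(tallied[ip]["valid"]))
```

A source that never trips the "invalid user" branch has a correct account list from somewhere, which is worth more attention than the usual dictionary noise; the same tally also shows how much of the log volume a port change would remove.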