subject:"ssh connection"

On 8/21/12 8:20 AM, lina wrote:
> On Tuesday 21,August,2012 02:52 AM, Joe wrote:
>> On Mon, 20 Aug 2012 23:56:42 +0800
>> lina  wrote:
>>
>>> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
 On 20.08.2012 18:38, lina wrote:
>>> How do I know who has this IP address? why s/he didn't change?
>>>
>>> You probably don't. I don't understand this second question.
> The second question is that for those days, the attacker should
> think of renew its ip address. not from the same one.

 But we don't know is the attacker a person or a program, which is
 running without knowledge of the owner of computer.
>>> Yes, it's more like a program. but the owner in this long period has
>>> never shutdown the computer, just a bit surprised that it keeps the
>>> same ip address.
>>>

>>>
>>>
>>
>> A DHCP client will normally remember its IP address, even if the lease
>> has expired, and on the next connection will request it again. If the
>> server hasn't issued it to anyone else, it will normally comply with the
>> request. Both server and client can be configured not to do this, but
>> in a Windows network it will probably happen to avoid too much need for
>> scavenging out-of-date DNS records. Assuming the link between DNS and
>> DHCP has been set up properly.
>>
>> Or it may be a configured reservation in the DHCP server i.e. some form
>> of server itself. Or the client can be explicitly configured to request
>> that address, when it is available, but there's very little reason to
>> do that when a reservation is a guaranteed method.
>>
>> Even if the attacker in this case is a human, it may be difficult or
>> impossible to override the network policies. Configuration of
>> networking is limited to people with admin credentials, unprivileged
>> users cannot even issue a DHCP renewal request other than by rebooting
>> the machine.
>>
>> The quick answer here is to try: host , which will turn up
>> the hostname of the offending machine if the local DNS server is
>> properly set up. Or to at least gain the MAC address of the machine, try
>> inserting an iptables rule on your machine to log incoming ssh
>> connections.
> $ host 172.21.48.161
> Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)
> 
> Nmap scan report for 172.21.48.161
> Host is up (0.0021s latency).
> Not shown: 991 filtered ports
> PORT  STATE SERVICE
> 80/tcpopen  http
> 135/tcp   open  msrpc
> 139/tcp   open  netbios-ssn
> 443/tcp   open  https
> 445/tcp   open  microsoft-ds
> 515/tcp   open  printer
> 3389/tcp  open  ms-wbt-server
> 5357/tcp  open  wsdapi
> 49154/tcp open  unknown
> 
> Thanks, I have drop it in the iptables.
[snip]

In general RETURN is more useful than DROP when you have the choice.

http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

But since it is a local machine causing the problem, it should be
possible to go through the network administrator and contact the owner
of the offending machine directly.

Regards,
/Lars


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50332dd8.5040...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Tuesday 21,August,2012 03:12 AM, unruh wrote:
> Everyone suffers these attacks. They are simply part of a toolset which
> crackers use to try to gain entry into Linux machines. As long as you
> have good passwords do not worry. You will also suffer attacks on
> various Windows ports. 
> 
> If you want you can use /etc/hosts.allow to  weed out outside machines
> that try these attacks, eitehr manually or with programs. 
> 
> You cannot hide your IP or noone in the world could ever ssh into your
> system, making ssh useless for your users. 
> Also  your attacks appear to be local attacks--
> Ie from someone on you own network. They know who you are. 

That's why I am a bit scared. And sometimes I received "unknown" calls,
when I answered, no sounds. a bit scary.

I disliked so much that the one who is in charge of the place asked our
phone number and put all our contact info. on table in front of the door
window. The good excuses was that if there is a fire, someone could find
our contact information easily, damn, if there is a fire, this paper
will burn out before s/he can read.
> 
> 
> 
> In linux.debian.user, you wrote:
>> On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
>>> On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
 On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
> On 20.08.2012 17:02, lina wrote:
>> On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


>> Another question, how do I know whether there are some people are 
>> attempting to invade my laptop, my username, ip are all exposed
>> there.
>
> If you have SSHd and that is what you are worried about, grep ssh from
> /var/log/auth.log .

 BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
 one.
>>>
>>> You need to ask, not "what is", but "who is". More specifically:
>>>
>>> $ whois 172.21.48.161
>>> [...]
>>> NetRange:   172.16.0.0 - 172.31.255.255
>>> CIDR:   172.16.0.0/12
>>> OriginAS:
>>> NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
>>> NetHandle:  NET-172-16-0-0-1
>>> Parent: NET-172-0-0-0-0
>>> NetType:IANA Special Use
>>> [...]
>>>
>>> In other words, it's someone else on your network.
>>
>> So I am under regular attacks recently, very gentle attack, only tried
>> few times each day?
>>
>> How do I know who has this IP address? why s/he didn't change?
> 
> It is someone on your own network. If yo uare at a University it is
> someone there. Find out from the network people who has that IP. But it
> is highly probably that they ahve no idea that they are launching those
> attacks because their windows machine has had attack software installed
> on it after their systems were broken. 
Those desktop here only administrator and staff has the privilege to
install the software on it.
> 
> 
>>
>> unbelievable, hope I am wrong here.
> 
> About what? You are an administrator and just discovering that these
> kinds of attack take place regularly?

I felt I made some mistakes before, like put the public keys from those
servers into my own laptop, just for the convinence of connection.
I am on my way correcting my mistakes.
> 
> 
>>
>> Best regards,

Best regards,
>>>
>>> [cut]

 Thanks again,

 Best regards,


> I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
>
> And you might also want to install something like SSHGuard (package
> sshguard) to protect your SSHd and other services, which it protects
> from attackers. http://www.sshguard.net/
>
>


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50331f1e.1090...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Tuesday 21,August,2012 02:52 AM, Joe wrote:
> On Mon, 20 Aug 2012 23:56:42 +0800
> lina  wrote:
> 
>> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
>>> On 20.08.2012 18:38, lina wrote:
>> How do I know who has this IP address? why s/he didn't change?
>>
>> You probably don't. I don't understand this second question.
 The second question is that for those days, the attacker should
 think of renew its ip address. not from the same one.
>>>
>>> But we don't know is the attacker a person or a program, which is
>>> running without knowledge of the owner of computer.
>> Yes, it's more like a program. but the owner in this long period has
>> never shutdown the computer, just a bit surprised that it keeps the
>> same ip address.
>>
>>>
>>
>>
> 
> A DHCP client will normally remember its IP address, even if the lease
> has expired, and on the next connection will request it again. If the
> server hasn't issued it to anyone else, it will normally comply with the
> request. Both server and client can be configured not to do this, but
> in a Windows network it will probably happen to avoid too much need for
> scavenging out-of-date DNS records. Assuming the link between DNS and
> DHCP has been set up properly.
> 
> Or it may be a configured reservation in the DHCP server i.e. some form
> of server itself. Or the client can be explicitly configured to request
> that address, when it is available, but there's very little reason to
> do that when a reservation is a guaranteed method.
> 
> Even if the attacker in this case is a human, it may be difficult or
> impossible to override the network policies. Configuration of
> networking is limited to people with admin credentials, unprivileged
> users cannot even issue a DHCP renewal request other than by rebooting
> the machine.
> 
> The quick answer here is to try: host , which will turn up
> the hostname of the offending machine if the local DNS server is
> properly set up. Or to at least gain the MAC address of the machine, try
> inserting an iptables rule on your machine to log incoming ssh
> connections.
$ host 172.21.48.161
Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)

Nmap scan report for 172.21.48.161
Host is up (0.0021s latency).
Not shown: 991 filtered ports
PORT  STATE SERVICE
80/tcpopen  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
515/tcp   open  printer
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49154/tcp open  unknown

Thanks, I have drop it in the iptables.

> 
> e.g in your INPUT chain, just before the ssh -j ACCEPT command:
> 
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug
> --log-prefix "SSH IN:"
> 
> which will normally log to syslog and also /var/log/debug. I'd have
> thought the network admin would keep a list of MAC addresses on the
> network. If fact, the easiest answer of all is for the admin to look at
> the DHCP and DNS server records.
> 
> Or there are programs which will scan the network for hostnames, MAC
> addresses and open ports, but I couldn't possibly suggest the use of
> such software, which may well be a hanging offence in some places. On
> the other hand, they're harbouring an ssh worm...
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50331a9a.2080...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 21:45 +0200, Ralf Mardorf wrote:
> On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
> > On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
> > [snip]
> > > I thought using tor was a joke :( or a hint, that too much security at
> > > some point really is too much. I don't have much knowledge about the
> > > Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> > > Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> > > just for surfing the web. It's not usable for serious work.
> > >
> > Tor is intended for privacy, not security, and fulfills that reasonably
> > well when used for web browsing.  I'm not sure though of a use-case for
> > combining it with SSH beyond the obvious 'because I can'
> 
> I experienced tor as to slow, just for using it with a browser, a long
> time ago. It might be faster today. Off-list, somebody with perhaps some
> knowledge, mentioned "to slow" too, regarding to the usage that is
> wanted in this case.

PS:

Perhaps an expert is that kind, to give a serious answer, to avoid that
Lina set up something useless or to confirm, that in this case, it is
useful.



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345492700.1285.91.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 22:22 +0300, Lars Noodén wrote:
> On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
> [snip]
> > I thought using tor was a joke :( or a hint, that too much security at
> > some point really is too much. I don't have much knowledge about the
> > Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> > Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> > just for surfing the web. It's not usable for serious work.
> >
> Tor is intended for privacy, not security, and fulfills that reasonably
> well when used for web browsing.  I'm not sure though of a use-case for
> combining it with SSH beyond the obvious 'because I can'

I experienced tor as to slow, just for using it with a browser, a long
time ago. It might be faster today. Off-list, somebody with perhaps some
knowledge, mentioned "to slow" too, regarding to the usage that is
wanted in this case.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345491940.1285.88.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

On 8/20/12 10:18 PM, Ralf Mardorf wrote:> On Mon, 2012-08-20 at 22:08
[snip]
> I thought using tor was a joke :( or a hint, that too much security at
> some point really is too much. I don't have much knowledge about the
> Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
> Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
> just for surfing the web. It's not usable for serious work.
>
Tor is intended for privacy, not security, and fulfills that reasonably
well when used for web browsing.  I'm not sure though of a use-case for
combining it with SSH beyond the obvious 'because I can'

Regards,
/Lars


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50328e89.7040...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 22:08 +0300, Lars Noodén wrote:
> On 8/20/12 7:27 PM, lina wrote:
> > On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
> >> It looks like it is possible to use Tor as a proxy:
> >>
> >> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
> >>
> >> If this document is correct, it is very easy to set up.  That would
> >> obfuscate the ip number you are connecting from by adding a jump in the
> >> middle.  The target server would only see that last step.
> > 
> > I followed the instruction from link, but during connection it showed me:
> > 
> > [warn] Got SOCKS5 status response '4': host is unreachable
> > /bin/bash: line 0: exec: connect: not found
> > ssh_exchange_identification: Connection closed by remote host
> [snip]
> 
> The package connect-proxy contains the utility connect.  That has to be
> installed.  You might also consider using Vidalia to manage Tor.
> 
> Regards,
> /Lars

I thought using tor was a joke :( or a hint, that too much security at
some point really is too much. I don't have much knowledge about the
Internet, but I'm sure tor in this case (IMO in any case) is idiotic.
Sorry. I used tor myself, around the time of Suse 9.0 or 10.0?! dunno,
just for surfing the web. It's not usable for serious work.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345490303.1285.78.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread John

On 20/08/12, Joe (j...@jretrading.com) wrote:
> On Mon, 20 Aug 2012 23:56:42 +0800
> lina  wrote:
> > On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> ...
> e.g in your INPUT chain, just before the ssh -j ACCEPT command:
> 
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug
> --log-prefix "SSH IN:"

Or just add the intruder's address in place of xxx.etc in
/etc/init.d/iptables.rules:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

Works only for the one, of course.

-- 
johnrchamp...@wowway.com

GPG key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63


signature.asc
Description: Digital signature

Re: [OT] Is it possible to hide the ip in ssh connection

On 8/20/12 7:27 PM, lina wrote:
> On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
>> It looks like it is possible to use Tor as a proxy:
>>
>> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
>>
>> If this document is correct, it is very easy to set up.  That would
>> obfuscate the ip number you are connecting from by adding a jump in the
>> middle.  The target server would only see that last step.
> 
> I followed the instruction from link, but during connection it showed me:
> 
> [warn] Got SOCKS5 status response '4': host is unreachable
> /bin/bash: line 0: exec: connect: not found
> ssh_exchange_identification: Connection closed by remote host
[snip]

The package connect-proxy contains the utility connect.  That has to be
installed.  You might also consider using Vidalia to manage Tor.

Regards,
/Lars


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50328b41.9010...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Joe

On Mon, 20 Aug 2012 23:56:42 +0800
lina  wrote:

> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
>  How do I know who has this IP address? why s/he didn't change?
> 
>  You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renew its ip address. not from the same one.
> > 
> > But we don't know is the attacker a person or a program, which is
> > running without knowledge of the owner of computer.
> Yes, it's more like a program. but the owner in this long period has
> never shutdown the computer, just a bit surprised that it keeps the
> same ip address.
> 
> > 
> 
> 

A DHCP client will normally remember its IP address, even if the lease
has expired, and on the next connection will request it again. If the
server hasn't issued it to anyone else, it will normally comply with the
request. Both server and client can be configured not to do this, but
in a Windows network it will probably happen to avoid too much need for
scavenging out-of-date DNS records. Assuming the link between DNS and
DHCP has been set up properly.

Or it may be a configured reservation in the DHCP server i.e. some form
of server itself. Or the client can be explicitly configured to request
that address, when it is available, but there's very little reason to
do that when a reservation is a guaranteed method.

Even if the attacker in this case is a human, it may be difficult or
impossible to override the network policies. Configuration of
networking is limited to people with admin credentials, unprivileged
users cannot even issue a DHCP renewal request other than by rebooting
the machine.

The quick answer here is to try: host , which will turn up
the hostname of the offending machine if the local DNS server is
properly set up. Or to at least gain the MAC address of the machine, try
inserting an iptables rule on your machine to log incoming ssh
connections.

e.g in your INPUT chain, just before the ssh -j ACCEPT command:

iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug
--log-prefix "SSH IN:"

which will normally log to syslog and also /var/log/debug. I'd have
thought the network admin would keep a list of MAC addresses on the
network. If fact, the easiest answer of all is for the admin to look at
the DHCP and DNS server records.

Or there are programs which will scan the network for hostnames, MAC
addresses and open ports, but I couldn't possibly suggest the use of
such software, which may well be a hanging offence in some places. On
the other hand, they're harbouring an ssh worm...

-- 
Joe

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120820195214.3d2db...@jretrading.com

Re: [OT] Is it possible to hide the ip in ssh connection

Now I read some more mails of this thread.

It's not surprising that everybody connected to the Internet is
attacked. "authentication failure" doesn't lead to a serious issue, but
vice versa it says the attacks were useless. And I'm sure, they will be
useless in the future too.

Lina, perhaps you are "oversensitive". Understandable, but less good for
your blood pressure ;).

Sometimes "less is more".

I know at least one person who forced "auto-logout" for root terminal
sessions, if root didn't use the terminal for a minute ;).

Such thoughts aren't "paranoid", but they IMHO are "oversensitive".

2 Cents,
Ralf


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345487641.1285.71.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:15 PM, Lars Noodén wrote:
> It looks like it is possible to use Tor as a proxy:
> 
> http://www.howtoforge.com/anonymous-ssh-sessions-with-tor
> 
> If this document is correct, it is very easy to set up.  That would
> obfuscate the ip number you are connecting from by adding a jump in the
> middle.  The target server would only see that last step.

I followed the instruction from link, but during connection it showed me:

[warn] Got SOCKS5 status response '4': host is unreachable
/bin/bash: line 0: exec: connect: not found
ssh_exchange_identification: Connection closed by remote host

kinda of tricky?
> 
> Regards,
> /Lars
> 
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5032656f.20...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 23:56 +0800, lina wrote:
> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
>  How do I know who has this IP address? why s/he didn't change?
> 
>  You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renew its ip address. not from the same one.
> > 
> > But we don't know is the attacker a person or a program, which is
> > running without knowledge of the owner of computer.
> Yes, it's more like a program. but the owner in this long period has
> never shutdown the computer, just a bit surprised that it keeps the same
> ip address.

I didn't follow the thread. I recommend to use some network protocol
analyzer, OTOH such software can become an additional security risk,
e.g. http://wiki.wireshark.org/Security



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345482629.1285.56.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Lisi

On Monday 20 August 2012 16:56:42 lina wrote:
> just a bit surprised that it keeps the same
> ip address.

Why?

Lisi


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201208201757.27158.lisi.re...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Gaël DONVAL

Le lundi 20 août 2012 à 23:38 +0800, lina a écrit :
> On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:31, lina wrote:
> >> So I am under regular attacks recently, very gentle attack, only
> >> tried few times each day?
Too few attempts, none succeeded. Something on your network might be
misconfigured. If you really want to be safe with ssh, be sure root
login is disable, switch to certificate based authentication and disable
password authentication.
 
> >> How do I know who has this IP address?
Is that on a personal network? Can you access your router logs?

> The second question is that for those days, the attacker should think of
> renew its ip address. not from the same one.
Not necessarily: my router for instance associates IP addresses with MAC
addresses in a static way.



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1345481319.4593.116.ca...@p76-nom-gd.cnrs-imn.fr

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:38, lina wrote:
 How do I know who has this IP address? why s/he didn't change?

 You probably don't. I don't understand this second question.
>> The second question is that for those days, the attacker should
>> think of renew its ip address. not from the same one.
> 
> But we don't know is the attacker a person or a program, which is
> running without knowledge of the owner of computer.
Yes, it's more like a program. but the owner in this long period has
never shutdown the computer, just a bit surprised that it keeps the same
ip address.

> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50325e3a.2010...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 20.08.2012 18:38, lina wrote:
>>> How do I know who has this IP address? why s/he didn't change?
>>> 
>>> You probably don't. I don't understand this second question.
> The second question is that for those days, the attacker should
> think of renew its ip address. not from the same one.

But we don't know is the attacker a person or a program, which is
running without knowledge of the owner of computer.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Public key: http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: gpg --fetch-keys http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQMlulAAoJEE21PP6CpGcohZ0QAMcDK3UsVBR6/+gfapARZ8Ha
+L3IwGJ7AswTCK5Us8JLzRFZfjRq9xuXnOJDXnv6yJqU2yZ1iPlHUl8m/qBfQmiO
MFksArOyfqveH1lsG+nUGsJBM5dCE6iObGVRf9Z/+FnVq7ueEJMYVsCQS9Z13zR3
VD5Qzfup0cN//ebdTFdRAhOEgUZYenQkZlo7Inde+Gi91W4QXUL1xckilLd91cs8
/+UHz/HL196kV4OTLOomGZ+lnR4evE/PTHxGn1E1zC14fVEU0lZKOz3AznF2SGTv
ilFes+OrcIt0UGXC/+JnfeOXuvVotKQ1o7DUQOUiB/1XaUP/mlN1nlWIold1hsRL
5Cl/WHvT55/DMt+Ou9Pss40iXzLLtCWdfQMxipHGtITUltfhcAOPRpDasfRjmyFi
veExhexYlQr9yByT2EnLQv26t7xeSNQvLJWQXVelz3fzEoobVrMYDYsjivOLfyZV
pFB2QZlz4Pr0bxYGVZX5fWgthAfmwkne9nRB1ATjN8WX3l2zhgU5wB8jkNRlw8GH
f7tYrwpBNLieB+bF+jrAxSxCmRgD9ill6rGNbXpSdV2hVyJ41yze7dWWVNb2zegz
UKwQlSmrVM4OZ4y1bNeAY+Qgj8snCf5FYa5cV7Vf2Hoiki7qnZX78YfuedWy/K3M
kdSJYAf4LgynIGBsdhNr
=1JLc
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50325ba8.9000...@users.sourceforge.net

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:35 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:31, lina wrote:
>> So I am under regular attacks recently, very gentle attack, only
>> tried few times each day?
> 
> At least your auth.log says so and it shouldn't lie.
> 
>> How do I know who has this IP address? why s/he didn't change?
> 
> You probably don't. I don't understand this second question.

The second question is that for those days, the attacker should think of
renew its ip address. not from the same one.
> 
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/503259e5.2070...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:33 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:15, lina wrote:
>> BTW, what is the 172.21.48.161, seems in the old auth.log* also has
>> this one.
> 
>> # zmore auth.log.2.gz | grep 172.21.48.161 Aug  5 16:05:13 Debian
>> sshd[15369]: Did not receive identification string from
>> 172.21.48.161 Aug  5 16:05:36 Debian sshd[15370]: Invalid user
>> administrator from 172.21.48.161 Aug  5 16:05:36 Debian
>> sshd[15370]: pam_unix(sshd:auth): authentication failure; logname=
>> uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161 Aug  5 16:05:38
>> Debian sshd[15370]: Failed password for invalid user administrator
>> from 172.21.48.161 port 54999 ssh2
> <...>
> 
> For me it looks like a bot, which is trying to guess usernames and
> passwords to your system.
> If you had sshguard or something similar installed, you would also see
> message about that host being banned, because of failed authentications.

I have just installed the sshguard,

I checked the time of the attempt connection from this ip, it's quite
regular. more like some program doing those things.

Aug 13 16:07:31
Aug 13 16:07:52
Aug 13 16:07:52
Aug 13 16:07:54
Aug 13 16:08:07
Aug 14 16:08:16
Aug 14 16:08:42
Aug 14 16:08:42
Aug 14 16:08:45
Aug 14 16:08:46
Aug 16 16:08:29
Aug 16 16:08:53
Aug 16 16:08:53
Aug 16 16:08:55
Aug 16 16:08:56
Aug 5 16:05:13
Aug 5 16:05:36
Aug 5 16:05:36
Aug 5 16:05:38
Aug 5 16:05:40
Aug 6 04:04:45
Aug 6 04:05:09
Aug 6 04:05:09
Aug 6 04:05:10
Aug 6 04:05:11
Aug 6 16:06:08
Aug 6 16:06:29
Aug 6 16:06:29
Aug 6 16:06:31
Aug 6 16:06:32
Aug 7 04:04:44
Aug 7 04:05:07
Aug 7 04:05:07
Aug 7 04:05:09
Aug 7 04:05:23
Jul 29 16:07:53
Jul 29 16:08:14
Jul 29 16:08:14
Jul 29 16:08:15
Jul 29 16:08:22
Aug 2 16:07:50
Aug 2 16:08:11
Aug 2 16:08:11
Aug 2 16:08:13
Aug 2 16:08:18
Aug 4 16:05:38
Aug 4 16:05:58
Aug 4 16:05:59
Aug 4 16:06:01
Aug 4 16:06:02
Aug 5 04:04:42
Aug 5 04:05:05
Aug 5 04:05:05
Aug 5 04:05:07
Aug 5 04:05:08
Jul 27 16:10:23
Jul 27 16:10:43
Jul 27 16:10:43
Jul 27 16:10:45
Jul 27 16:10:48
Jul 28 16:08:09
Jul 28 16:08:29
Jul 28 16:08:30
Jul 28 16:08:31
Jul 28 16:08:32
Jul 29 04:06:20
Jul 29 04:06:43
Jul 29 04:06:43
Jul 29 04:06:46
Jul 29 04:06:47


Thanks again,

> 
>> Thanks again,
> 
> You're welcome :)
> 
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50325992.1060...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 20.08.2012 18:31, lina wrote:
> So I am under regular attacks recently, very gentle attack, only
> tried few times each day?

At least your auth.log says so and it shouldn't lie.

> How do I know who has this IP address? why s/he didn't change?

You probably don't. I don't understand this second question.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Public key: http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: gpg --fetch-keys http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQMllIAAoJEE21PP6CpGcoOP8QALmkYhizhEORUT+0/BZt6IRX
V7iApVJF+X/4vqx4vgBjNBeRNMr6SQmee+6umrm/DQdOsZxMJpmbXXvAZGX+5x3f
gD3d9FyagvbGfZqHzT1OUxmcr7SkMcd1aBE0/aLmSATc7dvdXU9m4cj4PuXmLt7S
jO8GGnV1TIjaR+pLwLhJIrVm+FCjDirpwQgNQcFLrwKe/9I9/xTvF4Sfc4rPGeQP
I7KQFeoA/yS7qacgSFh4BqoOrTSUXfJ1RnKL4mKREn/GFqFLF4mxXPmXBNh2tRe+
DEprN90bCXFm++T2M+wvjhSYWlW/Te5skxVOSQ0FR8qu3Gcfg8yW09HwYG4JfjFE
eJKn2inh7kgrfYoP2ssHzNuOnhWv8H1bqSkDCKJ/WDhtvV2NIa7QuHsP2igibJfY
j3KlSCBszCJ3M+l/RAn85A1JXJNA5Hxh0aOW9ziwdJR9AbUdWOHjJHkvSDJr5qsj
T2RW+gpOVspORCU5VNrM6w4V1HFRjjzLri2KNkrSatlfUAQjXctLgr/FHId8vGM/
j1Q2SW8fZvJIW9STTcS/9YTI6S2YBLrKGEBNR7lA9MZA6qu4aG4gahHi+tDPWqD1
0+oXdxdVs9KxNDTAdkSkRaJjvJQAOjn/WP2B2e5FrtIKVsN86izxabwJ9nTfnOV6
dafdCZWa05wdW4ycrTAe
=gq/2
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5032594b.9050...@users.sourceforge.net

Re: [OT] Is it possible to hide the ip in ssh connection

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 20.08.2012 18:15, lina wrote:
> BTW, what is the 172.21.48.161, seems in the old auth.log* also has
> this one.
> 
> # zmore auth.log.2.gz | grep 172.21.48.161 Aug  5 16:05:13 Debian
> sshd[15369]: Did not receive identification string from
> 172.21.48.161 Aug  5 16:05:36 Debian sshd[15370]: Invalid user
> administrator from 172.21.48.161 Aug  5 16:05:36 Debian
> sshd[15370]: pam_unix(sshd:auth): authentication failure; logname=
> uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161 Aug  5 16:05:38
> Debian sshd[15370]: Failed password for invalid user administrator
> from 172.21.48.161 port 54999 ssh2
<...>

For me it looks like a bot, which is trying to guess usernames and
passwords to your system.
If you had sshguard or something similar installed, you would also see
message about that host being banned, because of failed authentications.

> Thanks again,

You're welcome :)
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Public key: http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: gpg --fetch-keys http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQMljbAAoJEE21PP6CpGcokD8P+QEwW6fcdsR2fGqcmfhIlVt9
SdF9HCZ5pL1j5P5VrddRpEYq0aEQrxDyTe7dSiNepR+V+Xs5uh+v/MZjm1b4kuPi
QN65VWxMJWMuKKp98ZrJ/llIw0rkI+CVXIH4FJnON70J5IuHZJjO17SV3lO+TYyP
BwclQm7kGqDUuBzUv2ZllnH7sisdyhqVMm+uX7D0u3laJilbEZVlJTB+UF6FAPqJ
9iR5gam0nU1fPjDZpm7CzDpfgrrh1Akte1TRF6D2yikJeeXWq/nCeL7A/w8fGe8W
m8vj4bdomJYP7ogx4BqPGo9wGfoMFNTAqpAQQMgS33IAmQNUM+PI1CgXZXpF19jN
EdeTBxjAcxZnynI1yLR5kCJBIxR9fkkbTME5I16QVlnVqb9IkjsMbny7XdrHZ9bj
cR6pYE0LPF8XCID5zWWjJPj5rYmJSyQYPZ1lEcqjZmJ9wWRf0xTRuirhKFBS8KiN
UaeOz1XcyJ++rJmv+l94xv1h+ZcDdHCoKMLzYvxLTn9eOJD8d9Cz/4o+5ZemaLCO
L/c5JWLySWDPmMz8pH3o4TDSukmu1FTSgdgv1KS/m8Yfk8U7tmVWprs3QOftIUUA
5gXgRDiHlXLs1TtqI4JzDD4SM+W1xIq/3qjH+t6QEvH6lIGiVPzzjLAd7uiySP+f
TYuL0ElasnGztTx/nR+s
=FwK3
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/503258dd.6000...@users.sourceforge.net

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 11:21 PM, Darac Marjal wrote:
> On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
>> On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
>>> On 20.08.2012 17:02, lina wrote:
 On Monday 20,August,2012 09:59 PM, lina wrote:
>> Hi,
>>
>> I ssh to a server which has 400+ users, active ones around
>> 100.
>>
>> Frankly speaking, I would feel comfortable to hide my IP if
>> possible,
>>
>> any suggestions (I checked the spoof, but seems not positive),
>>
>> Thanks with best regards,
>>
>>
 Another question, how do I know whether there are some people are 
 attempting to invade my laptop, my username, ip are all exposed
 there.
>>>
>>> If you have SSHd and that is what you are worried about, grep ssh from
>>> /var/log/auth.log .
>>
>> BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
>> one.
> 
> You need to ask, not "what is", but "who is". More specifically:
> 
> $ whois 172.21.48.161
> [...]
> NetRange:   172.16.0.0 - 172.31.255.255
> CIDR:   172.16.0.0/12
> OriginAS:
> NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
> NetHandle:  NET-172-16-0-0-1
> Parent: NET-172-0-0-0-0
> NetType:IANA Special Use
> [...]
> 
> In other words, it's someone else on your network.

So I am under regular attacks recently, very gentle attack, only tried
few times each day?

How do I know who has this IP address? why s/he didn't change?

unbelievable, hope I am wrong here.

Best regards,
> 
> [cut]
>>
>> Thanks again,
>>
>> Best regards,
>>
>>
>>> I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
>>>
>>> And you might also want to install something like SSHGuard (package
>>> sshguard) to protect your SSHd and other services, which it protects
>>> from attackers. http://www.sshguard.net/
>>>
>>>
>>
>>
>> -- 
>> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
>> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
>> Archive: http://lists.debian.org/503254ab.8030...@gmail.com
>>


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5032583e.70...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Darac Marjal

On Mon, Aug 20, 2012 at 11:15:55PM +0800, lina wrote:
> On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
> > On 20.08.2012 17:02, lina wrote:
> >> On Monday 20,August,2012 09:59 PM, lina wrote:
>  Hi,
> 
>  I ssh to a server which has 400+ users, active ones around
>  100.
> 
>  Frankly speaking, I would feel comfortable to hide my IP if
>  possible,
> 
>  any suggestions (I checked the spoof, but seems not positive),
> 
>  Thanks with best regards,
> 
> 
> >> Another question, how do I know whether there are some people are 
> >> attempting to invade my laptop, my username, ip are all exposed
> >> there.
> > 
> > If you have SSHd and that is what you are worried about, grep ssh from
> > /var/log/auth.log .
> 
> BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
> one.

You need to ask, not "what is", but "who is". More specifically:

$ whois 172.21.48.161
[...]
NetRange:   172.16.0.0 - 172.31.255.255
CIDR:   172.16.0.0/12
OriginAS:
NetName:PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
NetHandle:  NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType:IANA Special Use
[...]

In other words, it's someone else on your network.

[cut]
> 
> Thanks again,
> 
> Best regards,
> 
> 
> > I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
> > 
> > And you might also want to install something like SSHGuard (package
> > sshguard) to protect your SSHd and other services, which it protects
> > from attackers. http://www.sshguard.net/
> > 
> > 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/503254ab.8030...@gmail.com
> 


signature.asc
Description: Digital signature

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
> On 20.08.2012 17:02, lina wrote:
>> On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


>> Another question, how do I know whether there are some people are 
>> attempting to invade my laptop, my username, ip are all exposed
>> there.
> 
> If you have SSHd and that is what you are worried about, grep ssh from
> /var/log/auth.log .

BTW, what is the 172.21.48.161, seems in the old auth.log* also has this
one.

# zmore auth.log.2.gz | grep 172.21.48.161
Aug  5 16:05:13 Debian sshd[15369]: Did not receive identification
string from 172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: Invalid user administrator from
172.21.48.161
Aug  5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  5 16:05:38 Debian sshd[15370]: Failed password for invalid user
administrator from 172.21.48.161 port 54999 ssh2
Aug  5 16:05:40 Debian sshd[15370]: Connection closed by 172.21.48.161
[preauth]
Aug  6 04:04:45 Debian sshd[19015]: Did not receive identification
string from 172.21.48.161
Aug  6 04:05:09 Debian sshd[19016]: Invalid user administrator from
172.21.48.161
Aug  6 04:05:09 Debian sshd[19016]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  6 04:05:10 Debian sshd[19016]: Failed password for invalid user
administrator from 172.21.48.161 port 59847 ssh2
Aug  6 04:05:11 Debian sshd[19016]: Connection closed by 172.21.48.161
[preauth]
Aug  6 16:06:08 Debian sshd[23030]: Did not receive identification
string from 172.21.48.161
Aug  6 16:06:29 Debian sshd[23032]: Invalid user administrator from
172.21.48.161
Aug  6 16:06:29 Debian sshd[23032]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  6 16:06:31 Debian sshd[23032]: Failed password for invalid user
administrator from 172.21.48.161 port 49880 ssh2
Aug  6 16:06:32 Debian sshd[23032]: Connection closed by 172.21.48.161
[preauth]
Aug  7 04:04:44 Debian sshd[916]: Did not receive identification string
from 172.21.48.161
Aug  7 04:05:07 Debian sshd[917]: Invalid user administrator from
172.21.48.161
Aug  7 04:05:07 Debian sshd[917]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
Aug  7 04:05:09 Debian sshd[917]: Failed password for invalid user
administrator from 172.21.48.161 port 55548 ssh2
Aug  7 04:05:23 Debian sshd[917]: Connection closed by 172.21.48.161
[preauth]

Thanks again,

Best regards,


> I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
> 
> And you might also want to install something like SSHGuard (package
> sshguard) to protect your SSHd and other services, which it protects
> from attackers. http://www.sshguard.net/
> 
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/503254ab.8030...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

It looks like it is possible to use Tor as a proxy:

http://www.howtoforge.com/anonymous-ssh-sessions-with-tor

If this document is correct, it is very easy to set up.  That would
obfuscate the ip number you are connecting from by adding a jump in the
middle.  The target server would only see that last step.

Regards,
/Lars


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/503254a9.6080...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 10:44 PM, Mika Suomalainen wrote:
> On 20.08.2012 17:02, lina wrote:
>> On Monday 20,August,2012 09:59 PM, lina wrote:
 Hi,

 I ssh to a server which has 400+ users, active ones around
 100.

 Frankly speaking, I would feel comfortable to hide my IP if
 possible,

 any suggestions (I checked the spoof, but seems not positive),

 Thanks with best regards,


>> Another question, how do I know whether there are some people are 
>> attempting to invade my laptop, my username, ip are all exposed
>> there.
> 
> If you have SSHd and that is what you are worried about, grep ssh from
> /var/log/auth.log .

This is the first time I know the auth.log

Aug 20 16:06:14 Debian sshd[10509]: Did not receive identification
string from 172.21.48.161
Aug 20 16:06:42 Debian sshd[10510]: Invalid user administrator from
172.21.48.161

Aug 20 16:06:43 Debian sshd[10510]: Failed password for invalid user
administrator from 172.21.48.161 port
56139 ssh2
Aug 20 16:06:44 Debian sshd[10510]: Connection closed by 172.21.48.161
[preauth]

172.21.48.161 is not the ip of any servers I connected to.
and for ssh I use public keys to connect to sever, don't use password.
For the whole day I didn't shut down the laptop, 172.21.50.108 is the
ip, and furthermore I checked
# more syslog | grep 172.21.48.161
# more syslog.1 | grep 172.21.48.161
my laptop has never been bound to this IP before.

I don't know shall I be a bit appalled or not.

> I'm not sure does that require loglevel being "VERBOSE" in sshd_config.
> 
> And you might also want to install something like SSHGuard (package
> sshguard) to protect your SSHd and other services, which it protects
> from attackers. http://www.sshguard.net/
Thanks very much.

Best regards,
> 
> 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5032531f.2000...@gmail.com

Re: [OT] Is it possible to hide the ip in ssh connection

On Mon, 2012-08-20 at 16:22 +0200, Gaël DONVAL wrote:
> Le lundi 20 août 2012 à 22:02 +0800, lina a écrit :
> > On Monday 20,August,2012 09:59 PM, lina wrote:
> > > Hi,
> > > 
> > > I ssh to a server which has 400+ users, active ones around 100.
> > > 
> > > Frankly speaking, I would feel comfortable to hide my IP if possible,
> > > 
> > > any suggestions (I checked the spoof, but seems not positive),
> > Another question, how do I know whether there are some people are
> > attempting to invade my laptop, my username, ip are all exposed there.
> 
> An IP address is like your (real) home address. [snip]

No it's not, it's still secret enough for averaged usage. Only a curt is
able to allow that your IP becomes as open as your "(real) home address"
and that just to a small group of known people. Everybody has a right of
private sphere and IP addresses keep private sphere. If you plan to bomb
the Deutsche Parlament, than don't worry about security issues regarding
to the IP address. If so, you need completely different security, but
hiding your IP. If you, Lina, worry stalking from an ex-boyfriend, than
the IP address is something that he doesn't need, since he knows too
much about you, that is much more informing, how and where you live
today. Conspiration, stalking etc. does happen, but usually nobody needs
an IP. Idiots as lawyers need an IP, to sue fans of mainstream
pop-rock-bands. The Federal (German) Intelligence Service prefers
profilers.

Read the magazine "conspiracy theorist today" :p.

Regards,
Ralf

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345474061.1285.47.camel@localhost.localdomain

Re: [OT] Is it possible to hide the ip in ssh connection

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 20.08.2012 17:02, lina wrote:
> On Monday 20,August,2012 09:59 PM, lina wrote:
>>> Hi,
>>> 
>>> I ssh to a server which has 400+ users, active ones around
>>> 100.
>>> 
>>> Frankly speaking, I would feel comfortable to hide my IP if
>>> possible,
>>> 
>>> any suggestions (I checked the spoof, but seems not positive),
>>> 
>>> Thanks with best regards,
>>> 
>>> 
> Another question, how do I know whether there are some people are 
> attempting to invade my laptop, my username, ip are all exposed
> there.

If you have SSHd and that is what you are worried about, grep ssh from
/var/log/auth.log .
I'm not sure does that require loglevel being "VERBOSE" in sshd_config.

And you might also want to install something like SSHGuard (package
sshguard) to protect your SSHd and other services, which it protects
from attackers. http://www.sshguard.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Public key: http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: gpg --fetch-keys http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQMk1TAAoJEE21PP6CpGco1eAP/jYli35Dg3KGtL1S8T68yNqM
oqIs02FFR6iQZongOzOpo3l4q53O5rXbKz9g43rCWKRQyIlrByObHPAOHlwv6Jcv
lmXT0KUHR88ODBRVFq5Zu7pTDOoSEseif7tAF+HBWLwl5FwvplU9/WRLKE1UnRni
1vGbWyqAKTzekmbywQyqxfuqE4alDIRDvPQBawHJwsWmUPLJQiBKPUy/MZ9VhVWM
wvpdGTzoEtU2DUH+f+reuC0UakU45mwAYtb+WV4m82vM5AxS+PUzMvOOwKJUSqe+
+6vuoeJymLUQfb9/wbdyMPcaQ17tauI3w7ltWEKSpO1X89pahC78EeAhHO+YPC46
bNJFHEEzbcD7T24QPz5vkdGQY5QOZ+vcoo0ViaXX1FrqdWPAVbIN5vkSXdBMM/DD
VptVPVPdBAd1XqHOexaED6qt1iSoL62RuZ9oODfJ8wAJ54D14MZVM0fgXTDH44N6
k774M5/Y3krEmlT5ddscyKMznBnX6JkQobE8DHxBS3UnsqTZU+iKyScNyuGlPDjV
5XeEL2iSINoH7WIKqOu9fZSqTEmGLk9KRp4RrBm/eHVv/0T2GAYLtja+wZ28ZzCB
aWxuq+z2QDegKHKAgvWTGwV3kRLLuWWXtmR2EmXYXVoUzS050q9Faha5khfEPAAl
CJZSYl37IcGrZyNugz/i
=O+FX
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50324d55.10...@users.sourceforge.net

Re: [OT] Is it possible to hide the ip in ssh connection

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 20.08.2012 16:59, lina wrote:
> 
> I ssh to a server which has 400+ users, active ones around 100.
> 
> Frankly speaking, I would feel comfortable to hide my IP if
> possible,
> 
> any suggestions (I checked the spoof, but seems not positive),

Try proxychains and tor. [Homepage] of proxychains says
"* Run SSH, telnet, wget, ftp, apt, vnc, nmap through proxy servers."

[Homepage]:http://proxychains.sourceforge.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Public key: http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: gpg --fetch-keys http://mkaysi.github.com/PGP/0x82A46728.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQMkx3AAoJEE21PP6CpGcoBrgP/0KfXYeypxP6XTDYyQskkPv3
Ig7kNwCaTR54hb0OfShFgvQ6/rsoEmb4BkNmP7leuX3wK5pGnMWKOVxUOuOPWOP9
3wjx/B/AkUsYyPYb1QccZ9S20CsOS8C6zXzIkdAKbk3dCRWOj0wa+tcl3h5yGTzR
PsLo9WZ2Hb1OLwoI2qNzlvxRfduVtnXrX4QC1fN3lMnxC7Y5Lx+JBhE9saST7C/f
4NG8/CQYNoJ0nbRwmh4fgcAE5+8uB5HA7R2PvRrvjrT7rWBCpTf0c2ZS5bpYDxA6
rnBdIcwMLaXA+beSC6NTYU0Hr4TkR8HY6DKASExEVQSluOvWP6z3mf5ggw51+HYS
sby7hOjOuLvbDKDLQJ/FbAUQ/EixwH+G4Wvpph3fvo6kH5s/MjbXxJfZw7hLUgGV
F7N7RUu8QNV5jJo1ZP5YY6bGd8NQenJF8Go4q9yVVyKgzFfdtAswcGtu7VNYZ00v
4kyogGQv7b6p3huXqrjVS9Mc9GUQ256G5mttzaUyR4aE4/nSC5hbu0fhu+I83Pyb
mBtn+H+9O+O6XWB/OgVhWLCZb3PY+NAM8TvxKpoOJGHPigHQ7iDVrqAzapV82Xl/
cBGwHSyHvGGe2PTbtgyeZEgsnSI/fBlsRxg9Z49CewN5tFWM2sUwOGbU3diLA+rx
WsIYeUhRUl2kU6Zy3vIK
=ZRIM
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50324c79.40...@users.sourceforge.net

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Camaleón

On Mon, 20 Aug 2012 21:59:47 +0800, lina wrote:

> I ssh to a server which has 400+ users, active ones around 100.
> 
> Frankly speaking, I would feel comfortable to hide my IP if possible,
> 
> any suggestions (I checked the spoof, but seems not positive),

You mean to hide your ssh remote connecting IP address? If you have 
several outgoing network devices you can choose between them to stablish 
a connection by means of "-b" argument.

Also, Google seems to return a bunch of results:

http://en.lmgtfy.com/?q=ssh+fake+ip+address

Anyway, I wonder what's what you fear of. You can hide your originating 
IP but your username and your activities can be still tracked at least by 
the admins >:-)

Greetings,

-- 
Camaleón

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/k0thrp$mg3$9...@ger.gmane.org

Re: [OT] Is it possible to hide the ip in ssh connection

2012-08-20 Thread Gaël DONVAL

Le lundi 20 août 2012 à 22:02 +0800, lina a écrit :
> On Monday 20,August,2012 09:59 PM, lina wrote:
> > Hi,
> > 
> > I ssh to a server which has 400+ users, active ones around 100.
> > 
> > Frankly speaking, I would feel comfortable to hide my IP if possible,
> > 
> > any suggestions (I checked the spoof, but seems not positive),
> Another question, how do I know whether there are some people are
> attempting to invade my laptop, my username, ip are all exposed there.

An IP address is like your (real) home address. 
You are free to send a letter without your true home address on it. You
can spoof it. But then, don't expect a reply: if one is sent, the
recipient would be the one whom address has been spoofed by you.

ssh is like a mail correspondence between you and the remote server: if
you spoof your IP address, you wont be able to use it because you wont
get any reply.

As well, I guess knowing a home address has never helped any robber to
break into a house.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1345472549.4593.19.ca...@p76-nom-gd.cnrs-imn.fr

Re: [OT] Is it possible to hide the ip in ssh connection

On Monday 20,August,2012 09:59 PM, lina wrote:
> Hi,
> 
> I ssh to a server which has 400+ users, active ones around 100.
> 
> Frankly speaking, I would feel comfortable to hide my IP if possible,
> 
> any suggestions (I checked the spoof, but seems not positive),
> 
> Thanks with best regards,
> 
> 
Another question, how do I know whether there are some people are
attempting to invade my laptop, my username, ip are all exposed there.


I do know very little,

Thanks again,


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5032437f.3090...@gmail.com

[OT] Is it possible to hide the ip in ssh connection

Hi,

I ssh to a server which has 400+ users, active ones around 100.

Frankly speaking, I would feel comfortable to hide my IP if possible,

any suggestions (I checked the spoof, but seems not positive),

Thanks with best regards,



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/503242d3.3030...@gmail.com

Re: ssh connection problem, DNS and ~/.ssh/config (long)

2011-02-26 Thread T o n g

  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: identity file /home/tong/.ssh/id_dsa type 2
  debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
  debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 
Debian-6
  debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 z...@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 z...@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: checking without port identifier
  The authenticity of host '[192.168.2.100]:21 ([192.168.2.100]:21)' can't be 
established.
  RSA key fingerprint is ff:7e:df:4a:a3:b8:33:e4:14:9c:27:62:f2:0e:cb:62.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '[192.168.2.100]:21' (RSA) to the list of known 
hosts.
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Server accepts key: pkalg ssh-rsa blen 149
  debug1: Enabling compression at level 6.
  debug1: Authentication succeeded (publickey).
  debug1: channel 0: new [client-session]
  debug1: Requesting no-more-sessi...@openssh.com
  debug1: Entering interactive session.
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: Requesting authentication agent forwarding.
  debug1: Sending environment.
  debug1: Sending env LANG = C
  Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 
UTC 2010 x86_64

Mow, 

  $ tail -4 ~/.ssh/config
  Host mhmi
HostName 192.168.2.100
User tong
IdentityFile /home/tong/.ssh/id_rsa

  tong@coral:~$ ssh -C -A -X -p 21 mhmi -v
  OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
  debug1: Reading configuration data /home/tong/.ssh/config
  debug1: Applying options for mh*
  debug1: Applying options for mhmi
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
  debug1: Connection established.
  debug1: identity file /path/to/other/key type -1
  debug1: identity file /path/to/other/key-cert type -1
  debug1: identity file /home/tong/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 
Debian-6
  debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 z...@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 z...@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host '[192.168.2.100]:21' is known and matches the RSA host key.
  debug1: Found key in /home/tong/.ssh/known_hosts:52
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Authentications that can continue: publickey
  debug1: Trying private key: /path/to/other/key
  debug1: No more authentication methods to try.
  Permission denied (publickey).

I.e., with everything seems to be the same to me, using
~/.ssh/config file NOK.

Any ideas? Is there any way to trouble shoot the default sshd daemon? (I can 
still
ssh to remote host as root using a secondary session)

As mentioned before. I've still got one ssh conne

Re: ssh connection, secondary ok while prime not

2011-02-24 Thread elbbit

On 25/02/11 04:17, T o n g wrote:
>  /etc/init.d/ssh restart

This method normally includes /etc/ssh/sshd_config when it starts the
sshd binary.  The directive you are looking for in the file is probably
"PermitRootLogin yes".  Adding or changing this entry in the sshd_config
file will enable you to log in remotely as the root user.

> [1] sudo ssh -C -A -X maroon

FYI, this can also been accomplished as "ssh -l root -CAX maroon" or
even as "ssh -CAX root@maroon".

> after a "/usr/sbin/sshd -d -D -p 222" on the server

Starting the SSH daemon this way will mostly likely exclude the reading
of the /etc/ssh/sshd_config file, and, as a result, not include the
"PermitRootLogin no" directive that you may have.

Hope this helps,

elbbit

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d675ddb.3040...@gmail.com

ssh connection, secondary ok while prime not

2011-02-24 Thread T o n g


Hi,

I have a very weird ssh connection problem -- I get 

  Permission denied (publickey).

error while trying to ssh into the box (as root) [1]. However, if I ssh 
into the same box, same as root, using the same sshd configuration, just 
a secondary debug ssh session, it works flawlessly [2]. I've done 

 /etc/init.d/ssh restart

several times on the server, but the problem persists. What could be 
wrong? 

[1] sudo ssh -C -A -X maroon

[2] start "sudo ssh -v -C -A -X -p 222" on the client
after a "/usr/sbin/sshd -d -D -p 222" on the server

(It was OK before. I can't remember that I changed anything. I've still 
got one ssh connection open to the server as root for configuration & 
testing)

Thanks

-- 
Tong (remove underscore(s) to reply)
  http://xpt.sourceforge.net/techdocs/
  http://xpt.sourceforge.net/tools/


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/ik7agb$j7s$1...@dough.gmane.org

Re: ssh connection takes long time

2009-03-13 Thread Richard A Nelson


On Fri, 13 Mar 2009, randall wrote:


And there are indeed other servers that are unhappy with poor DNS
ftp comes to mind, its always the first thing i turn off when i install it 
for anything other then personal usage.


:)  I don't have that luxury (at work, but do use ftpd-ssl)

The only use to correct "reverse" DNS i can see is in case of a mail server, 
if you want to filter dynamic and static IP's (but even this is theoretical 
since it is hardly used in practice)
other then that i regard it as a feature that brings more problems then it 
solves.


smtp, kerberos, tcpwrappers ...  off the top of my head, surely thar be
more dragons.

--
Rick Nelson
* aj thinks Kb^Zzz ought to pick different things to dream about than
   general resolutions and policy changes.
 aj - tell me about it, this is a Bad Sign


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time

2009-03-13 Thread Chris Davies

randall  wrote:
> The only use to correct "reverse" DNS i can see is in case of a mail 
> server, if you want to filter dynamic and static IP's (but even this is 
> theoretical since it is hardly used in practice)

I don't use rDNS for differentiating static and dynamic IPs (well,
not directly); I use one of the RBLs for that. On the other hand, it's
likely you'll not be able to deliver mail to me directly unless you do
(or your mail server does) have an rDNS entry.

> other then that i regard it as a feature that brings more problems then 
> it solves.

You and I will have to differ on this one. I've stated my reasons for
wanting rDNS. You've explained why you don't find it useful. At least
we can both choose what we find best.

Chris

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time


Richard A Nelson wrote:

On Fri, 13 Mar 2009, randall wrote:


IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.


Indeed, always best to have fully functional DNS, and no - for Linux
at least, /etc/hosts is not functional DNS.
depends on the usage, it functions very well on my LAN where all the 
users can type "fax" in the firefox address bar to reach the fax server.


agreed in principle, but since ssh is the only one (in my experience) 
that i ever encountered this inconvenience with, i wonder if the 
correct thing to do holds up in everyday usage.



From `man sshd_config`:


 UseDNS  Specifies whether sshd(8) should look up the remote host 
name and
 check that the resolved host name for the remote IP 
address maps

 back to the very same IP address.  The default is “yes”.

And there are indeed other servers that are unhappy with poor DNS
ftp comes to mind, its always the first thing i turn off when i install 
it for anything other then personal usage.



The only use to correct "reverse" DNS i can see is in case of a mail 
server, if you want to filter dynamic and static IP's (but even this is 
theoretical since it is hardly used in practice)
other then that i regard it as a feature that brings more problems then 
it solves.



--

www.songshu.org
Just another collection of nuts


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time

2009-03-13 Thread Richard A Nelson


On Fri, 13 Mar 2009, randall wrote:


IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.


Indeed, always best to have fully functional DNS, and no - for Linux
at least, /etc/hosts is not functional DNS.

agreed in principle, but since ssh is the only one (in my experience) that i 
ever encountered this inconvenience with, i wonder if the correct thing to do 
holds up in everyday usage.



From `man sshd_config`:


 UseDNS  Specifies whether sshd(8) should look up the remote host name and
 check that the resolved host name for the remote IP address maps
 back to the very same IP address.  The default is “yes”.

And there are indeed other servers that are unhappy with poor DNS
--
Rick Nelson
 is there a special christmas pack for quake
 where you get to be like the santa robot on futurama?
 dhd: that would be a rather unbalanced game...
 dunham: that's the idea.  ;>

Re: ssh connection takes long time

Chris Davies wrote:

Boyd Stephen Smith Jr. wrote:

All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
the number.

In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimicks the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example,
10.11.12.13 might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)

If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.

IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.

agreed in principle, but since ssh is the only one (in my experience)
that i ever encountered this inconvenience with, i wonder if the correct
thing to do holds up in everyday usage.

besides how would you do this with a dynamic IP, we are talking clients
here and you never know what ISP you might use when traveling around.

Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.

agree again, providing that the "ISP should" and does, it once took me 2
weeks to teach my provider of my 10 Mbit fiber connection how it should
be configured after digging in to the manuals myself, assuming you would
be a road warrior running in such an ISP the experience can turn in to a
female K9.

once i was unable to connect at all due to the time out, admittedly this
was an extreme scenario in inland China trying to connect to Europe, if
it was the fault of the local ISP or simply my lack of knowledge of the
local dialect I'm still not sure ;)

also i see very little function to this, besides some extra unneeded
info in the log i don't see any added security in this feature.

Added secuity? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=212.123.252.242&do_search=Search
this shows the owner/responsible of my IP and it took me about 10
seconds to find.

The theoretical principle does sound feasible to me, but its the
practical implementation and the problems/inconvenience that can occur
now and then that makes me wonder if a reconsideration would be useful.
my mail server myself does remote dns look up, but i wonder if its the
only mail server that actually does.

my opinion in this case is of course biased by my specific usage and
experience, therefore the question if there are scenario's where it
does make a lot more sense.

Chris

Randall

www.songshu.org
Just another collection of nuts

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time

2009-03-13 Thread Chris Davies

Boyd Stephen Smith Jr. wrote:
> In general, you should make sure reverse DNS works for all your IPs.

randall  wrote:
> i doubt that this is a sensible default, if i'm wrong please let me
> know ;)

All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
the number.

In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimicks the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example,
10.11.12.13 might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)

If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.

IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.

> besides how would you do this with a dynamic IP, we are talking clients 
> here and you never know what ISP you might use when traveling around.

Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.

> also i see very little function to this, besides some extra unneeded 
> info in the log i don't see any added security in this feature.

Added secuity? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.

Chris

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time

2009-03-13 Thread Boyd Stephen Smith Jr.

On Friday 13 March 2009 10:42:16 randall wrote:
> Boyd Stephen Smith Jr. wrote:
> > On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
> >
> >
> > If you are using the OpenSSH daemon on the remote server and that
> > daemon is using the default configuration, it does a reverse DNS
> > lookup on the connecting IP before accepting the login.
> i doubt that this is a sensible default, if i'm wrong please let me 
know
> ;)

I'm not involved in the development or packaging of OpenSSH for 
Debian, so I don't know why this decision was made.  It must have 
some clear advantage, otherwise it wouldn't be worth the DNS lookup.  
If you are really interested, I suggest you mail the package 
maintainer(s) and/or upstream developer(s).

It's been the default for years though, so maybe the original reason 
is forgotten.  If that's true, raising the issue with the 
maintainer(s) and developer(s) could cause the default to be re-
evaluated or, at least, the reasoning to be re-discovered.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/

signature.asc
Description: This is a digitally signed message part.

Re: ssh connection takes long time


Boyd Stephen Smith Jr. wrote:

On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
  

If you are using the OpenSSH daemon on the remote server and that 
daemon is using the default configuration, it does a reverse DNS 
lookup on the connecting IP before accepting the login.


IIRC, It is possible to disable this reverse DNS lookup in the 
OpenSSH daemon configuration.  It is not possible to disable this 
lookup by adjusting the client configuration or version.


In general, you should make sure reverse DNS works for all your IPs.
  

i doubt that this is a sensible default, if i'm wrong please let me know ;)

as far as i know the only other time a reverse DNS is needed would be if 
you are running a mail server, and even then i notice that the number of 
mail servers actually checking for PTR records is very very small.


besides how would you do this with a dynamic IP, we are talking clients 
here and you never know what ISP you might use when traveling around.
also i see very little function to this, besides some extra unneeded 
info in the log i don't see any added security in this feature.


but then again, i might be wrong.


--

www.songshu.org
Just another collection of nuts


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: ssh connection takes long time

2009-03-13 Thread Boyd Stephen Smith Jr.

On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
> Thanks for answer,
> but  firstly , I am use on my machine a client ssh, the sshd is 
running
> on remote server,
>  secondly, i connect to server with IP address and not with a 
name,
> so no dns needed.

If you are using the OpenSSH daemon on the remote server and that 
daemon is using the default configuration, it does a reverse DNS 
lookup on the connecting IP before accepting the login.

IIRC, It is possible to disable this reverse DNS lookup in the 
OpenSSH daemon configuration.  It is not possible to disable this 
lookup by adjusting the client configuration or version.

In general, you should make sure reverse DNS works for all your IPs.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/

signature.asc
Description: This is a digitally signed message part.

Re: ssh connection takes long time