Wireshark-users: Re: [Wireshark-users] TCP Retransmission question

From: Anthony Murabito <anthony.murabito@xxxxxxxxx>
Date: Tue, 21 Jun 2011 09:46:56 -0700
Hi Thomas,

Your box is definitely getting hammered on its SSH port, but this isn't necessarily unusual. Since this server touches the outside world you may want to change your default ssh port to something other than 22. It likely will not get rid of all connection attempts, but it can decrease the number of connection attempts significantly. If you want to check the auth log for successful ssh logins, simply login successfully yourself & check the log out. You can also restrict the users able to login (nowadays with sudo nobody allows root to login directly), or whitelist the IPs that can login (but that might be a bit too strict depending on your situation).

You may also want to look at limiting failed connection attempts with something like iptables:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Cheers,

Anthony

The log in wireshark is recorded today. And with the key word
searching in auth.log and auth.log.1 only shows the attempting to
login failure.

Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification
string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user
webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user
admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155  user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from
68.168.113.155 port 33514 ssh2

The TCP transmission message is observed when launching wireshark on
host machine recording server02 with capture filter string `host
xxx.xxx.xxx.112'.

Is this the right way to monitor the completely interaction between
ssh client and server? Or what is the right way to monitor the ssh
interaction (client executes `ssh user@host_name` until it
successfully login or returns timeout)?

And which key word I can use for checking successful/unsuccessful
attempts on ssh? I scroll through wireshark log, but could not figure
it out well.

My host is Debian wheezy/sid.
All guest machines  are Debian squeeze/sid with kernel 2.6.32-5-686.
Version of OpenSSH_5.5p1 Debian-5+b1, and OpenSSL 0.9.8o 01 Jun 2010.

Thank you for advice. I appreciate it.

On Tue, Jun 21, 2011 at 5:17 PM, Shain Singh <shain.singh@xxxxxxxxx> wrote:
xxx.xxx.xxx.112 68.168.113.155  SSH     [TCP Retransmission] Encrypted
response packet len=35
68.168.113.155  xxx.xxx.xxx.112 TCP     [TCP Previous segment lost] 33514

          
ssh [ACK] Seq=21 Ack=36 Win=5888 Len=0 TSV=3950744190 TSER=4316095
SLE=1 SRE=36
68.168.113.155  xxx.xxx.xxx.112 SSHv2   [TCP Retransmission] Client
Protocol: SSH-2.0-libssh-0.1\r

Haver you got SSH configured on the host computer to port forward to the
servers (Are the virtual hosts in bridged or NAT mode?) - Looks to be
bridged.
I would have thought that this could just be someone 'trying' to brute force
SSH. It doesn't necessarily mean they have been able to successfully connect
from the logs above unless I am missing something.
Have a scroll through you logs for successful/unsuccessful attempts on SSH.

--
Shaineel Singh
e: shain.singh@xxxxxxxxx
p: +61 422 921 951
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice charity" - Albert Camus

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe