Re: Possible attack?

Anon E. Muss wrote:
> I recently noticed excessive activity on my router's activity LED and
> did a little investigating. As immediate action, I used a big hammer
> and firewalled off 218/8 until I can figure out what is going on here.
> Yesterday, it was 201/8.
>
> Below is most of output of netstat. Can someone let me know what is
> going on here? SynFlood?? Also, any suggestions??
>
> ===== BEGIN =====
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh TIME_WAIT
> tcp 0 0 x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh TIME_WAIT
<snip>
There is no need to quote the whole log - a couple of lines is enough!
Someone is running a distributed attack on your system, looking for a
way in through ssh. ssh has been a particular favourite since the
recent flaws in ssh key generation on a lot of Debian systems, although
it's always been fairly popular.
It's uncommon to get a distributed attack, however. Such attacks
require a botnet. While there are vast numbers of zombie PCs in such
networks, there are not that many botnets and botnet controllers. Is
there some reason why you might be a particular target? Random IP
addresses are often the victims of individuals (you see lots of
connections from the same IP address - they are running a dictionary of
possible passwords). Perhaps this is a botnet attacking a range of
random IP addresses but only trying a few connections on each.
There are various ways to ensure that an ssh attack does not succeed.
These include whitelists or blacklists for the addresses that can
connect on ssh, limiting the users that can connect (avoid letting
"root" or other easily guessable users connect - if the user names are
hard, then an attacker needs to guess the user name as well as the
password), using ssh keys (this can be combined with passwords for extra
security), using connection limiting, using a non-standard port, using
port-knocking, and other fancy firewall setups.
Personally, I limit the ssh access (from outside the LAN - I'm a little
more flexible inside the LAN) to a single non-standard user and a
non-standard port, with connection rate limiting. Other things I have
planned, but not yet implemented, are to automatically blacklist any IP
address that tries to connect on port 22 (or various other ports, such
as Windows share ports, MS Server ports, and other ports used with
well-known vulnerabilities). However, simply using a non-standard port
for ssh will probably block 99.9% of all non-targeted attacks.
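A small parser for the kind of netstat listing quoted above, added here as an example and not part of either post. It runs on constructed sample data modelled on the quoted lines, re-joins State tokens that the mail client wrapped onto their own line, and applies the reply's rule of thumb (many connections from one host versus one or two from many hosts); the host names and thresholds are assumptions.

```python
"""Summarise the ssh entries in netstat output; added example on constructed data.
Re-joins State tokens wrapped onto their own line (as in the quoted post), then counts
connections per remote host and per /8 and notes which side holds port ssh."""
from collections import Counter

STATES = {"ESTABLISHED", "TIME_WAIT", "SYN_SENT", "SYN_RECV", "CLOSE_WAIT",
          "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK", "CLOSING"}
# Constructed sample modelled on the quoted output; addresses are illustrative.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 host.example:37775 218.25.160.246:ssh
TIME_WAIT
tcp 0 0 host.example:37776 218.25.17.78:ssh
TIME_WAIT
tcp 0 0 host.example:ssh 201.7.3.9:40122 ESTABLISHED
tcp 0 0 host.example:ssh 201.7.3.9:40123 TIME_WAIT
tcp 0 0 host.example:ssh 201.7.3.9:40124 TIME_WAIT
tcp 0 0 host.example:37777 218.44.1.2:ssh TIME_WAIT
"""

def parse_netstat(text):
    """Return (local, foreign, state) tuples for tcp lines, re-joining wrapped states."""
    records = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) == 1 and fields[0] in STATES and records:
            local, foreign, _ = records[-1]          # state wrapped onto its own line
            records[-1] = (local, foreign, fields[0])
        elif fields and fields[0].startswith("tcp") and len(fields) >= 5:
            records.append((fields[3], fields[4], fields[5] if len(fields) > 5 else ""))
    return records

def classify(hosts):
    """Apply the reply's rule: many hits from one host vs. a few from many hosts."""
    if hosts and max(hosts.values()) >= 3:
        return "repeated-from-one-host"
    return "spread-over-many-hosts" if len(hosts) >= 3 else "too-few-to-say"

def ssh_summary(text):
    """Count ssh connections per remote host, split by which side holds port ssh."""
    inbound, outbound = Counter(), Counter()
    for local, foreign, _ in parse_netstat(text):
        fhost, _, fport = foreign.rpartition(":")
        if fport == "ssh":
            outbound[fhost] += 1      # local side is the client of a remote sshd
        elif local.rpartition(":")[2] == "ssh":
            inbound[fhost] += 1       # remote side is talking to the local sshd
    slash8 = Counter(h.split(".")[0] + "/8" for h in (inbound + outbound).elements())
    return {"inbound": dict(inbound), "outbound": dict(outbound), "slash8": dict(slash8),
            "pattern": {"inbound": classify(inbound), "outbound": classify(outbound)}}
```

Feed it `netstat -tn` output instead of `SAMPLE` to get the same breakdown for a live host; the direction split matters because inbound guessing and outbound connections call for different responses.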