
Re: [OT] Is it possible to hide the ip in ssh connection



On Mon, 20 Aug 2012 23:56:42 +0800
lina <lina.lastname@gmail.com> wrote:

> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
> >>>> How do I know who has this IP address? why s/he didn't change?
> >>>>
> >>>> You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renew its ip address. not from the same one.
> > 
> > But we don't know whether the attacker is a person or a program
> > running without the knowledge of the owner of the computer.
> Yes, it's more like a program, but the owner in this long period has
> never shut down the computer; I'm just a bit surprised that it keeps
> the same IP address.
> 

A DHCP client will normally remember its IP address, even if the lease
has expired, and on the next connection will request it again. If the
server hasn't issued it to anyone else, it will normally comply with the
request. Both server and client can be configured not to do this, but
in a Windows network it will probably happen to avoid too much need for
scavenging out-of-date DNS records, assuming the link between DNS and
DHCP has been set up properly.

Or it may be a configured reservation in the DHCP server i.e. some form
of server itself. Or the client can be explicitly configured to request
that address, when it is available, but there's very little reason to
do that when a reservation is a guaranteed method.

Even if the attacker in this case is a human, it may be difficult or
impossible to override the network policies. Configuration of
networking is limited to people with admin credentials, unprivileged
users cannot even issue a DHCP renewal request other than by rebooting
the machine.

The quick answer here is to try: host <IP address>, which will turn up
the hostname of the offending machine if the local DNS server is
properly set up. Or to at least gain the MAC address of the machine, try
inserting an iptables rule on your machine to log incoming ssh
connections.

e.g. in your INPUT chain, just before the ssh -j ACCEPT rule:

iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug \
    --log-prefix "SSH IN:"

which will normally log to syslog and also /var/log/debug. I'd have
thought the network admin would keep a list of MAC addresses on the
network. In fact, the easiest answer of all is for the admin to look at
the DHCP and DNS server records.

Or there are programs which will scan the network for hostnames, MAC
addresses and open ports, but I couldn't possibly suggest the use of
such software, which may well be a hanging offence in some places. On
the other hand, they're harbouring an ssh worm...

-- 
Joe


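As an added example (not part of Joe's mail or of any Debian tool), the script below does the follow-up work the mail leaves to the reader: it parses the kernel LOG lines that the "SSH IN:" iptables rule produces, pulls the source IP and the sender's MAC out of the MAC= field (which netfilter writes as destination MAC, source MAC and ethertype run together), counts new connections per source by looking at SYN-without-ACK, and records every MAC seen for each IP so a reused address showing up with a different MAC is visible. The sample log lines, the host names, the addresses and the local network 10.0.0.0/24 are all constructed for the example. One caveat the mail does not spell out: the MAC in the log is the last-hop sender, so it identifies the attacking machine only when that machine is on your own Ethernet segment; for anything routed in, it is your router's MAC, and the script flags that case.

```python
"""Summarise inbound SSH attempts from netfilter LOG lines (added example).

Assumes the iptables rule from the mail:  -j LOG --log-prefix "SSH IN:"
and the usual syslog form of a kernel LOG line, e.g.
  ... kernel: [ 1234.567] SSH IN:IN=eth0 OUT= MAC=<dst:src:type> SRC=... DPT=22 ... SYN ...
"""
import ipaddress
import re
import socket
from collections import Counter, defaultdict

PREFIX = "SSH IN:"          # must match --log-prefix exactly
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample input: three packets from one LAN host (two SYNs and one ACK),
# one SYN from a routed-in address, and one unrelated line with a different prefix.
SAMPLE_LOG = """\
Aug 20 23:56:42 pc kernel: [ 1234.567] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.0.0.23 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 23:56:42 pc kernel: [ 1234.568] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.0.0.23 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Aug 20 23:57:01 pc kernel: [ 1253.001] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.0.0.23 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4400 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 23:58:10 pc kernel: [ 1322.410] SSH IN:IN=eth0 OUT= MAC=00:11:22:33:44:55:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 20 23:58:11 pc kernel: [ 1323.000] MDNS:IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=10.0.0.9 DST=224.0.0.251 LEN=100 PROTO=UDP SPT=5353 DPT=5353
"""


def parse_log_line(line, prefix=PREFIX):
    """Return the netfilter fields of one LOG line as a dict, or None if the prefix is absent."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    fields = dict(KV_RE.findall(body))
    # Bare tokens such as DF, SYN, ACK carry no '=' and are not matched above; keep them as flags.
    fields["flags"] = {tok for tok in body.split() if "=" not in tok}
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:                     # 6 dst + 6 src + 2 ethertype
        fields["dst_mac"] = ":".join(octets[0:6])
        fields["src_mac"] = ":".join(octets[6:12])
        fields["ethertype"] = "".join(octets[12:14])
    return fields


def summarise(log_text, prefix=PREFIX):
    """Count connection attempts (SYN without ACK) per SRC and collect the MACs seen per SRC."""
    syn_per_src = Counter()
    macs_per_src = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None or f.get("PROTO") != "TCP" or f.get("DPT") != "22":
            continue
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            syn_per_src[f["SRC"]] += 1
        if "src_mac" in f:
            macs_per_src[f["SRC"]].add(f["src_mac"])
    return syn_per_src, macs_per_src


def mac_is_endhost(src_ip, local_net):
    """The logged MAC is the last-hop sender: it names the end host only if SRC is on our segment."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)


def report(log_text, local_net, prefix=PREFIX):
    """Rows sorted by attempt count; 'macs' is only meaningful where mac_identifies_host is True."""
    syn, macs = summarise(log_text, prefix)
    return [
        {
            "src": src,
            "new_connections": n,
            "macs": sorted(macs[src]),
            "mac_identifies_host": mac_is_endhost(src, local_net),
        }
        for src, n in syn.most_common()
    ]


def reverse_lookup(ip):
    """What 'host <IP>' would show; returns None when the local DNS has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    # Assumed local network for the sample; pass your own, e.g. from 'ip addr'.
    for row in report(SAMPLE_LOG, "10.0.0.0/24"):
        row["name"] = reverse_lookup(row["src"])
        print(row)
```

For live use, feed it the relevant lines of /var/log/debug or the output of `journalctl -k`, and pass your own subnet; if a LAN address turns up with more than one MAC, either two machines are contending for the address or the DHCP reservation the mail mentions is not what the admin thinks it is.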