
Re: [OT] Is it possible to hide the ip in ssh connection



On Tuesday 21,August,2012 02:52 AM, Joe wrote:
> On Mon, 20 Aug 2012 23:56:42 +0800
> lina <lina.lastname@gmail.com> wrote:
> 
>> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
>>> On 20.08.2012 18:38, lina wrote:
>>>>>> How do I know who has this IP address? Why didn't s/he change it?
>>>>>>
>>>>>> You probably don't. I don't understand this second question.
>>>> The second question is that during those days, the attacker should
>>>> think of renewing its IP address, not keep coming from the same one.
>>>
>>> But we don't know whether the attacker is a person or a program which is
>>> running without the knowledge of the owner of the computer.
>> Yes, it's more like a program. But the owner in this long period has
>> never shut down the computer; I'm just a bit surprised that it keeps the
>> same IP address.
>>
>>>
>>
>>
> 
> A DHCP client will normally remember its IP address, even if the lease
> has expired, and on the next connection will request it again. If the
> server hasn't issued it to anyone else, it will normally comply with the
> request. Both server and client can be configured not to do this, but
> in a Windows network it will probably happen to avoid too much need for
> scavenging out-of-date DNS records. Assuming the link between DNS and
> DHCP has been set up properly.
> 
> Or it may be a configured reservation in the DHCP server i.e. some form
> of server itself. Or the client can be explicitly configured to request
> that address, when it is available, but there's very little reason to
> do that when a reservation is a guaranteed method.
> 
> Even if the attacker in this case is a human, it may be difficult or
> impossible to override the network policies. Configuration of
> networking is limited to people with admin credentials, unprivileged
> users cannot even issue a DHCP renewal request other than by rebooting
> the machine.
> 
> The quick answer here is to try: host <IP address>, which will turn up
> the hostname of the offending machine if the local DNS server is
> properly set up. Or to at least gain the MAC address of the machine, try
> inserting an iptables rule on your machine to log incoming ssh
> connections.
$ host 172.21.48.161
Host 161.48.21.172.in-addr.arpa. not found: 3(NXDOMAIN)

Nmap scan report for 172.21.48.161
Host is up (0.0021s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
515/tcp   open  printer
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49154/tcp open  unknown

Thanks, I have dropped it in iptables.

> 
> e.g. in your INPUT chain, just before the ssh -j ACCEPT command:
> 
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH IN:"
> 
> which will normally log to syslog and also /var/log/debug. I'd have
> thought the network admin would keep a list of MAC addresses on the
> network. In fact, the easiest answer of all is for the admin to look at
> the DHCP and DNS server records.
> 
> Or there are programs which will scan the network for hostnames, MAC
> addresses and open ports, but I couldn't possibly suggest the use of
> such software, which may well be a hanging offence in some places. On
> the other hand, they're harbouring an ssh worm...
> 
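As an added example (not part of the thread above, and not code from either poster), here is a small parser for the syslog lines that the quoted iptables LOG rule produces, so that the source MAC address Joe mentions can be pulled out of the log. It assumes the rule was added exactly as quoted with the prefix "SSH IN:", and the log lines and MAC addresses below are constructed sample data (the 172.21.48.161 address is the one from the thread). The MAC field written by the LOG target is 14 octets: destination MAC, source MAC, then the two-octet ethertype, which is why the source MAC is taken from octets 7 to 12.

```python
import re
from collections import Counter

# Constructed sample syslog lines, in the shape the iptables LOG target writes
# with --log-prefix "SSH IN:". MACs and hostnames are made up for this example;
# the last line is an ordinary sshd line that the parser must ignore.
SAMPLE_LOG = """\
Aug 21 03:12:45 myhost kernel: [12345.678901] SSH IN:IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:50:56:ab:cd:ef:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 21 03:12:46 myhost kernel: [12346.001122] SSH IN:IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:50:56:ab:cd:ef:08:00 SRC=172.21.48.161 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 21 03:15:02 myhost kernel: [12502.334455] SSH IN:IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:aa:bb:cc:dd:ee:01:08:00 SRC=172.21.48.7 DST=172.21.48.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 03:15:03 myhost sshd[1234]: Accepted publickey for lina from 172.21.48.7 port 40000 ssh2
"""

# key=value tokens as written by the LOG target (OUT= may be empty)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix="SSH IN:"):
    """Return a dict for one iptables LOG line carrying `prefix`, else None."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    rest = line[idx + len(prefix):]
    fields = dict(KV_RE.findall(rest))
    # bare tokens such as DF, SYN, ACK are TCP/IP flags rather than key=value pairs
    flags = {tok for tok in rest.split() if "=" not in tok}
    octets = fields.get("MAC", "").split(":")
    # MAC field layout: dst MAC (6) + src MAC (6) + ethertype (2) = 14 octets
    complete = len(octets) == 14
    return {
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
        "src_mac": ":".join(octets[6:12]) if complete else None,
        "ethertype": ":".join(octets[12:14]) if complete else None,
        "syn": "SYN" in flags,
    }


def summarize(log_text, prefix="SSH IN:"):
    """Count logged SSH connection attempts (SYN to port 22) per (source IP, source MAC)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line, prefix)
        if rec and rec["syn"] and rec["dpt"] == "22":
            counts[(rec["src"], rec["src_mac"])] += 1
    return counts


if __name__ == "__main__":
    for (src, mac), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:16} {mac}  {n} attempt(s)")
```

One caveat worth keeping in mind when reading the result: the MAC in the log is the source address of the Ethernet frame as it arrived, so it identifies the sending machine only when that machine is on the same Ethernet segment as the logging host. If the traffic was routed, the MAC belongs to the last router, not the attacker, and the DHCP or switch records Joe refers to are the better source.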

