Score:17

Server

How can I protect SSH?

Ali

11/9/22, 9:38 AM

I check /var/log/secure and I have these logs:

Jul  9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566
Jul  9 13:02:57 localhost sshd[30624]: Connection closed by invalid user admin 223.196.172.1    port 37566 [preauth]
Jul  9 13:03:05 localhost sshd[30626]: Invalid user admin from 223.196.174.150 port 61445
Jul  9 13:03:05 localhost sshd[30626]: Connection closed by invalid user admin 223.196.174.150 port 61445 [preauth]
Jul  9 13:03:16 localhost sshd[30628]: Invalid user admin from 223.196.169.37 port 62329
Jul  9 13:03:24 localhost sshd[30628]: Connection closed by invalid user admin 223.196.169.37 port 62329 [preauth]
Jul  9 13:03:29 localhost sshd[30630]: Invalid user admin from 223.196.169.37 port 64099
Jul  9 13:03:30 localhost sshd[30630]: Connection closed by invalid user admin 223.196.169.37 port 64099 [preauth]
Jul  9 13:03:45 localhost sshd[30632]: Invalid user admin from 223.196.174.150 port 22816
Jul  9 13:03:46 localhost sshd[30632]: Connection closed by invalid user admin 223.196.174.150 port 22816 [preauth]
Jul  9 13:06:17 localhost sshd[30637]: Invalid user admin from 223.196.168.33 port 33176
Jul  9 13:06:17 localhost sshd[30637]: Connection closed by invalid user admin 223.196.168.33 port 33176 [preauth]
Jul  9 13:07:09 localhost sshd[30639]: Invalid user admin from 223.196.173.152 port 61780
Jul  9 13:07:25 localhost sshd[30641]: Invalid user admin from 223.196.168.33 port 54200
Jul  9 13:07:26 localhost sshd[30641]: Connection closed by invalid user admin 223.196.168.33 port 54200 [preauth]
...

It seems someone tries to log in by SSH. I disable login by root user and enable public/private key login, but is this a DDoS attack? And does it use RAM/CPU?

What should I do?

4074

7 + 2

linux

ssh

ddos

marcelm

11/10/22, 8:23 AM

_"I [...] enable public/private key login, ..."_ - But did you also disable password logins?

10

Reply

marcelm

11/10/22, 8:28 AM

[This answer](https://unix.stackexchange.com/a/503346/109651) may also be of interest.

0

Reply

Score:45

Server

Simon Richter

11/9/22, 10:29 AM

That's just the normal Internet background noise of people scanning for vulnerable servers.

You can add an iptables rule to rate limit incoming connections (e.g. four in four minutes) for a simple fix (but that will also lock you out if you open too many connections or someone forges SYN packets originating from your address):

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 4 --name ssh-v4 --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh-v4 --mask 255.255.255.255 --rsource -j ACCEPT

The proper solution is to use a tool like fail2ban that parses the log file for failed logins and creates firewall rules on demand -- a bit more work to set up, but it requires an established connection and a failed authentication to trigger, so it will not react to forged connection attempts or successful logins like the simple approach does.

0 + 19

njzk2

11/9/22, 9:43 PM

how about changing the ssh port?

4

Reply

Michael Hampton

11/10/22, 12:37 AM

@njzk2 It only inconveniences yourself. The bots will find your alternate ssh port sooner or later.

11

Reply

Jasen

11/10/22, 4:46 AM

More work to set up? On Debian `apt-get install fail2ban` will get you protection with reasonable defaults

3

Reply

LinuxSecurityFreak

11/10/22, 8:36 AM

@MichaelHampton There are 65535 ports, I somehow doubt the bots would take upon such range, but I may be mistaken. Do you know this for a fact?

3

Reply

Simon Richter

11/10/22, 8:37 AM

@LinuxSecurityFreak, there is [shodan](https://shodan.io).

7

Reply

Michael Hampton

11/10/22, 10:03 AM

@LinuxSecurityFreak I don't change the ssh port personally, but I've heard numerous complaints from people over the years who did and _still_ got bots trying ssh on the new port they chose, even when it was not something obvious like 2222. And of course shodan scans everything. You can be sure they aren't the only ones.

1

Reply

Jon Bentley

11/10/22, 10:59 AM

@MichaelHampton Changing the port will get rid of *some* bots. Also, in what way is it inconvenient (beyond the initial setup)?

1

Reply

hardillb

11/10/22, 2:21 PM

@jonbentley having to remember to change it in every client you want to use to connect. Security by Obscurity is no security at all, you can rent a couple of AWS machines for less than $50 that will scan the entire IPv4 address space in a couple of hours. Better to just block the offenders than try and hide from them

3

Reply

Jon Bentley

11/10/22, 2:58 PM

@hardillb "having to remember" - that seems very use-case specific. I would think most people are not switching to new clients too frequently (or if they are the provisioning is probably within their control), and can simply store the settings once and then forget about it (using e.g. Ansible or Stow if you provision new machines frequently). "Security by obsurity is no security" is a common misconception. *By itself* it is no security, but it is a valid part of defence in depth and can give some mild benefits when used correctly.

2

Reply

Jason

11/11/22, 12:32 AM

@LinuxSecurityFreak re: "There are 65535 ports, I somehow doubt the bots would take upon such range" - I doubted it too, until I saw a client that had moved the port to something like 20502. It was published on shodan.io as an open port and the service was correctly identified. Impressive. And sobering.

1

Reply

Christopher Schultz

11/11/22, 2:37 AM

I had an infrastructure operator recommend to me that I change sshd ports long ago, and I thought it was complete garbage, like just many of the comments, here, but I did it anyway. And we still get junk. But compared to the servers where we _havent_ changed, the ports, they're practically idle. It's been 15 years and no amount of Shodan-fu has pointed a large number of bots at our servers. YMMV. This is *not* security by obscurity. It's merely obscurity. The security comes from using strong ssh keys for authentication and not passwords. Also +1 for fail2ban :)

11

Reply

slebetman

11/12/22, 3:32 AM

@LinuxSecurityFreak Look at the question. That bot was trying on different ports. Not port 22. So for the OP he's already facing a bot that is specifically scanning ports and not trying to ssh on port 22

0

Reply

Pelle

11/12/22, 9:38 AM

I'd not go for the blind rate-limit shown, this makes it far to easy to be DoS-ed out of your server, even by random scanning.

0

Reply

John Mee

11/12/22, 10:52 AM

Actual personal experience here: changing the port number whilst not a real solution definitely works to lower the risk... at least on minor hosts. Combined with Key authentication was least effort to reward ratio - two lines changed and a nervous restart.

0

Reply

Simon Richter

11/12/22, 11:51 AM

@Pelle, the rate limit is per source IP, so it's "only" vulnerable to targeted denial of service.

0

Reply

Austin Hemmelgarn

11/12/22, 12:45 PM

@hardillb Yes, it’s just obscurity, but obscurity is often enough to deter a nontrivial percentage of attacks here. Unless you’re actively being targeted, most bots are not going to try any alternate ports at all (speaking from more than a decade of experience here), so simply changing the port, even if it’s a change to an ‘obvious’ alternate port, is enough to cut down significantly on the number of attackers that are actually a threat.

0

Reply

user

11/12/22, 12:49 PM

@slebetman That's the client port, it has nothing to do with the server port since if it was checking on different ports for the server, it wouldn't show up in the SSH logs.

0

Reply

Pelle

11/12/22, 2:29 PM

@SimonRichter: In that case, carry on :-)

0

Reply

canton7

11/12/22, 4:20 PM

Another bit of personal experience: fail2ban achieves next to nothing in practice here. All of the SSH scanning I get is from botnets, where each remote host only attempts 1 or 2 logins, which isn't enough to trigger fail2ban (you can see this in OP's log, as well). Disable password login and only use public key auth.

0

Reply

Score:9

Server

Samuel Prevost

11/10/22, 4:21 PM

As @Simon Richter mentionned, that's just internet background noise and you shouldn't worry. A few things you have to make sure are that:

You don't allow password-based authentication but only public key auth
You can disable unsafe and poorly designed ciphers, remove small Diffie-Hellman moduli and other cryptographic improvements
You can install fail2ban

Changing the port will make the problem go away, but it's security through obscurity and it can create the illusion of safety while providing none.

Here are a few other recommendations surrounding SSH, as well as counter arguments to mainstream "best practices" arguments.

0 + 0

Score:3

Server

Criggie

11/11/22, 1:01 PM

Are you in India? All those IP addresses listed are in the block:

223.196.160.0 - 223.196.191.255

which according to the WHOIS database is allocated to

descr:   Andhra Pradesh State FiberNet Limited
address: 10-2-1,III Floor, FDC Complex,AC Guards,Hyderabad,Andhra Pradesh-500028

One short-term solution is to block the whole block 223.196.160.0/19 at the firewall, but that is micromanaging IP addresses and becomes an uphill battle.

Instead you could deny ALL ssh except for the source IPs that you know are trusted. Simply take care to not lock yourself out of your own host. If you don't have a static IP, you can permit a block, or possibly look at running a VPN server on the host.

Or if you don't need to permit SSH connections from the internet, just deny them and only reenable when its required.

0 + 1

user10489

11/11/22, 1:50 PM

Or use port knocking to whitelist yourself when your IP changes.

1

Reply

Score:1

Server

user996142

11/12/22, 12:17 AM

Use only key-based auth. Many bots only attack password-based systems. Using password-based auth is bad idea anyway.
Use https://www.sshguard.net/ : it blocks IPs after a couple of failed logins.
Use random port (not 22), it will stop some bots.
Make sure your system doesn't permit root login
If you only login from your home, consider only open SSH for your IP/ISP or country.

0 + 0

Score:1

Server

HatLess

11/11/22, 1:48 PM

Here is a simple script I wrote to block all unauthorized attempts at logging into my dev server.

#!/bin/bash

ban=$HOME/banned.txt
b_log=/var/log/banned.log

log () {
cat $ban | uniq >>  $b_log
}

l_log () {
lastb | awk '{ print $3 }' | sed -r '/(Mon|Tue|Wed|Thu|Fri|Sat|Sun|boot|tty2)/d' | sort | sed '/^$/d' | uniq | tee $ban
}

drop () {
for x in $(cat $ban); do iptables -A INPUT -s $x -j DROP; done
}

l_log
drop
log
rm -f $ban
echo > /var/log/btmp
iptables-save

If you set the script to run via cron every minute, it will dramatically reduce the noise in your logs and block offending IPs giving them just 1 minute to attempt their brute force before being blocked.

It would be a good idea to insert your IP and any other IPs you access your server with to your firewall iptables -I INPUT -s xxx.xx.xxx.xx -j ACCEPT

A log of all IPs banned will be generated.

0 + 3

Criggie

11/11/22, 7:35 PM

So you're taking the output logs of fail2ban, and permanently dropping those source IPs using iptables rules? Why not just tweak iptables to leave the bad addresses blocked for longer? You're also at risk of blocking your local IPs if you mis-key a password or similar, whereas fail2ban has "don't ever block these ranges" options.

0

Reply

HatLess

11/11/22, 7:45 PM

No. I do not use fail2ban, just iptables. I am getting my input from `lastb`, the last failed log ins, then extracting just the IPs and dropping them.

1

Reply

iBug

11/12/22, 5:02 PM

Sounds like you're reinventing fail2ban. F2B is already a comprehensive tool for exactly this task, no reason to refuse it.

2

Reply

Score:1

Server

cyqsimon

11/12/22, 1:49 PM

1. Change your `sshd` listening port

As simple as it sounds, changing your port from the default 22 to a custom value (e.g. 2200) on a public IP could reduce the number of port scans from thousands a day to a few dozen. For a tutorial see here.

That being said, while this does reduce the annoyance of being port-scanned, it DOES NOT provide real security. "Security by obscurity" is a myth and nothing more.

2. Use public key login and disable password login

Bots might guess a password right, but they're never going to guess a private key right. As long as you use modern algorithms and don't leak your key accidentally. For a tutorial see here.

Note that this does mean you will no longer be able to login from any random machine, unless you carry the key with you (which you need to secure via some other way).

3. Use fail2ban

If they fail 5 times, ban them from trying again for a day or something. That'll show them. Very effective against brute force attempts. For a tutorial see here.

The downside is that you might lock yourself out if you've got wobbly fingers one day (drunk or something, I don't know).

4. Pre-ban a list of IPs known for abusive use

Sources like AbuseIPDB maintain big lists of known malicious IPs accessible via API. You will need an API key to use it, but you can register a free account easily enough. Pull the list and use something like iptables to ban those known IPs in bulk. Set up a cron job to automate it periodically for best effect. Here's a very simple script I wrote (and am personally using) to do just that. Feel free to use it as reference, but DON'T USE IT IN PRODUCTION.

In my personal experience, this method is equally effective (if not more so) as method #3.

Personally, I use all 4 methods listed above, and my VPS might get one or two malicious login attempts in my security log at most, in a bad month. Here's the interception history of iptables via method #4:

$ abip-hist
Chain abip-ban (1 references)
 pkts bytes target     prot opt in     out     source               destination
  362 14480 DROP       all  --  *      *       45.143.200.6         0.0.0.0/0
  307 12280 DROP       all  --  *      *       185.156.73.104       0.0.0.0/0
  288 12672 DROP       all  --  *      *       212.133.164.75       0.0.0.0/0
  277 19911 DROP       all  --  *      *       146.88.240.4         0.0.0.0/0
  250 11000 DROP       all  --  *      *       212.133.164.14       0.0.0.0/0
  230  9200 DROP       all  --  *      *       45.146.164.213       0.0.0.0/0
  215  8600 DROP       all  --  *      *       185.156.73.67        0.0.0.0/0
  214  8560 DROP       all  --  *      *       5.188.206.18         0.0.0.0/0
  202  8080 DROP       all  --  *      *       193.27.228.63        0.0.0.0/0
  201  8040 DROP       all  --  *      *       193.27.228.64        0.0.0.0/0
  199  7960 DROP       all  --  *      *       193.27.228.59        0.0.0.0/0
  197  7880 DROP       all  --  *      *       193.27.228.65        0.0.0.0/0
  197  7880 DROP       all  --  *      *       193.27.228.61        0.0.0.0/0
  196  7840 DROP       all  --  *      *       45.135.232.119       0.0.0.0/0
  196  7840 DROP       all  --  *      *       193.27.228.60        0.0.0.0/0
  196  7840 DROP       all  --  *      *       193.27.228.58        0.0.0.0/0
  189  7560 DROP       all  --  *      *       45.146.165.149       0.0.0.0/0
  184  7360 DROP       all  --  *      *       45.155.205.247       0.0.0.0/0
  184  7360 DROP       all  --  *      *       195.54.160.228       0.0.0.0/0
  182  7280 DROP       all  --  *      *       45.143.203.12        0.0.0.0/0
  181  7240 DROP       all  --  *      *       45.141.84.57         0.0.0.0/0
  180  7200 DROP       all  --  *      *       45.135.232.85        0.0.0.0/0
  176  7040 DROP       all  --  *      *       45.146.165.148       0.0.0.0/0
...
this goes on for 1700 lines...

$ uptime
06:36:49 up 16 days, 15:24

0 + 1

Z4-tier

11/12/22, 4:56 PM

+1 for "change your port". Just don't change it to something equally as attractive (or more) to a would-be attacker. Use an obscure, unassigned, higher-numbered port; something above 10000. I used to run ssh on 23 (the telnet port) just for *ha-ha's* and wow did that get a lot of connections.

0

Reply

Score:0

Server

lev

11/12/22, 1:07 PM

As other answers mentioned, you don't need to worry to much about it, but if you do want to add another layer of security, you can try using port knocking.

The idea is to keep the ssh port closed, and only open it to ips, that perform a specific sequence of operation prior, something like:

syn port 1000
syn port 2000
syn port 3000
# ssh port is now open
ssh ...

can get more details here: https://www.rapid7.com/blog/post/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/