Score:0

How to prevent unauthorized ssh login attempts


I discovered a lot of unauthorized login attempts in /var/log/auth.log

...
Sep 26 22:15:34 hostname sshd[3072475]: Failed password for invalid user user from x.y.z.w port 51056 ssh2
Sep 26 22:15:39 hostname sshd[3072519]: Failed password for invalid user user from x.y.z.w  port 62354 ssh2
Sep 26 22:16:51 hostname sshd[3072643]: Failed password for invalid user user from x.y.z.w port 10596 ssh2
...

I am puzzled why this happens, since I have configured port forwarding on my internet router (Zyxel VMG3925-B10B) so that e.g. port 54321 is mapped to port 22 on the internal IP address of my Ubuntu box.

If I try to SSH login from outside my home, i.e. using an outside IP, to anything but port 54321, I get rejected. So why is it possible for somebody to get through my router firewall to the internal IP of my Ubuntu box?

I realize that this question is potentially more a question for the manufacturer of my router. However, my IT-security knowledge is somewhat limited and I would like to hear other people's strategies.

waltinator
Back when I was in computer security, I ALWAYS did my `nmap` reconnaissance scans on ports 1-65535 (all of them). Simply using port 54321 hides nothing. There is a package called `fail2ban` that might help.
Score:2

By poking around, the bad guys have found out that your external port 54321 is your ssh access port. The ports listed in your log are their source ports, not the destination ports. You should find that ssh login attempts on your port 54321 occur at a much much lower rate than if it were port 22.

You can mitigate the issue via iptables rules, or fail2ban (however it is spelled), or other. I use the recent module in iptables:

# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --mask $BIT_MASK --set --name BADGUY_SSH -j ACCEPT

I now use a BIT_MASK (currently "255.255.252.0"), because attackers have become clever and often merely switch to another IP address on the same subnet. $EXTIF is my WAN facing NIC.
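As an added illustration (not code from the question or the answer), the script below parses auth.log lines in the format quoted in the question and applies the same logic as the `-m recent --mask ... --hitcount 3 --seconds ...` rules above offline: it collapses each source address to its network under a mask and reports any network with three or more failures inside the window. The log lines, addresses, hostname and year are constructed; the default mask is the answer's 255.255.252.0.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample modelled on the question's auth.log excerpt (RFC 5737 test addresses).
# The "port NNNNN" field is the attacker's *source* port, not the port they connected to.
SAMPLE_LOG = """\
Sep 26 22:15:34 hostname sshd[3072475]: Failed password for invalid user user from 203.0.113.10 port 51056 ssh2
Sep 26 22:15:39 hostname sshd[3072519]: Failed password for invalid user user from 203.0.113.10 port 62354 ssh2
Sep 26 22:16:51 hostname sshd[3072643]: Failed password for invalid user user from 203.0.113.77 port 10596 ssh2
Sep 26 22:20:00 hostname sshd[3072700]: Failed password for invalid user admin from 198.51.100.5 port 40000 ssh2
Sep 26 22:20:05 hostname sshd[3072701]: Accepted publickey for alice from 192.0.2.9 port 50000 ssh2: ED25519 SHA256:xxx
"""

# Matches only the "Failed password" lines; successful logins and other sshd noise are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)\s+port \d+ ssh2"
)


def subnet_key(ip: str, mask: str) -> str:
    """Collapse an IPv4 address to its network address under `mask`, like iptables' --mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def offending_subnets(log_text: str, mask: str = "255.255.252.0",
                      hitcount: int = 3, seconds: int = 5400, year: int = 2023) -> set:
    """Return the networks that produced >= `hitcount` failures within any `seconds` window.

    This mirrors `-m recent --mask MASK --update --hitcount N --seconds S`. Syslog
    timestamps carry no year, so one is supplied (constructed default)."""
    hits: dict = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.setdefault(subnet_key(m["ip"], mask), []).append(ts)
    bad = set()
    for net, times in hits.items():
        times.sort()
        # Sliding window: any `hitcount` consecutive failures inside `seconds` trips the rule.
        for i in range(len(times) - hitcount + 1):
            if (times[i + hitcount - 1] - times[i]).total_seconds() <= seconds:
                bad.add(net)
                break
    return bad


if __name__ == "__main__":
    print("with /22 mask:", offending_subnets(SAMPLE_LOG))
    print("per single IP:", offending_subnets(SAMPLE_LOG, mask="255.255.255.255"))
```

With the /22 mask the two 203.0.113.x addresses fall into one network and trip the threshold together, while per-address tracking sees only two and one failures and flags nothing.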

Hi @Doug, thanks for your answers. I started by installing fail2ban, which seems like a good start. So far I have relied on ufw with a few rules for opening some ports. I like the idea that you posted, where iptables is used with a bitmask. I tried looking up how to set up iptables. It looked as if iptables rules are cleared on reboot unless you do something like `apt-get install iptables-persistent`, but may I ask how you configure and preserve the iptables rules? I wouldn't be able to remember this. Where do you store files that contain e.g. $BIT_MASK and rules?
Doug Smythies
I use a script to load my iptables rules after boot. It is called from a post-boot service. By using a script I can also deal with some directly related stuff that isn't actually iptables. I am not a fan of `iptables-persistent`.
Thanks @Doug :)