
Re: ssh access with all ports close.



On 12/10/2020 6:40 AM, latincom@vcn.bc.ca wrote:
latincom writes:
I am not able to access my server at home using ssh, but I can see in
the logs that someone can access my home server!

What, exactly, are you seeing?  Copy and paste examples.
--
John Hasler
jhasler@newsguy.com
Elmwood, WI USA


Dec  9 20:48:58 xxx sshd[4945]: Failed password for invalid user greengo from 49.235.125.17 port 43200 ssh2

Dec  9 20:48:58 xxx sshd[4948]: Invalid user mysql from 13.74.46.65 port 56021

Dec  9 20:48:58 xxx sshd[4948]: pam_unix(sshd:auth): check pass; user unknown

Dec  9 20:48:58 xxx sshd[4948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=13.74.46.65

Dec  9 20:48:59 xxx sshd[4945]: Received disconnect from 49.235.125.17 port 43200:11: Bye Bye [preauth]

Dec  9 20:48:59 xxx sshd[4945]: Disconnected from invalid user greengo 49.235.125.17 port 43200 [preauth]

Dec  9 20:49:00 xxx sshd[4948]: Failed password for invalid user mysql from 13.74.46.65 port 56021 ssh2

Dec  9 20:49:01 xxx sshd[4948]: Received disconnect from 13.74.46.65 port 56021:11: Bye Bye [preauth]

Dec  9 20:49:01 xxx sshd[4948]: Disconnected from invalid user mysql 13.74.46.65 port 56021 [preauth]


From (1), I would suggest adding the below three options in
/etc/ssh/sshd_config:

"MaxAuthTries
    Specifies the maximum number of authentication attempts permitted per
    connection. Once the number of failures reaches half this value,
    additional failures are logged. The default is 6.

MaxSessions
    Specifies the maximum number of open sessions permitted per network
    connection. The default is 10.

MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections
    to the SSH daemon. Additional connections will be dropped until
    authentication succeeds or the LoginGraceTime expires for a connection.
    The default is 10.
    Alternatively, random early drop can be enabled by specifying the three
    colon separated values ''start:rate:full'' (e.g. "10:30:60"). sshd(8)
    will refuse connection attempts with a probability of ''rate/100'' (30%)
    if there are currently ''start'' (10) unauthenticated connections. The
    probability increases linearly and all connection attempts are refused
    if the number of unauthenticated connections reaches ''full'' (60)."


Also adding the below line might be useful:

AllowUsers <USER-NAME>


If you have a firewall, try to limit the connection there as well (2).
It looks like you are using password auth; if so, consider using a key
instead.


1) https://linux.die.net/man/5/sshd_config
2) https://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts

--
John Doe

