Dear all,
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
Best regards Marcus
On Sep 4, 2018, at 8:40 AM, Natus natus@riseup.net wrote:
Use some tool like fail2ban and/or ssh key authentication.
Also change the default port of your ssh endpoint (eg: 2222)
Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process.
On 04.09.2018 14:44, Sean Brown wrote:
Using an obscure port only prevents attempts being logged, nothing else.
I cannot agree with that. What an sshd logs is not determined by the port number it is listening on, and the quantity of failed login attempts across my servers is measurably lower when using a non-standard port.
-Ralph
On Sep 4, 2018, at 9:06 AM, Ralph Seichter m16+tor@monksofcool.net wrote:
On 04.09.2018 14:44, Sean Brown wrote:
Using an obscure port only prevents attempts being logged, nothing else.
I cannot agree with that. What an sshd logs is not determined by the port number it is listening on, and the quantity of failed login attempts across my servers is measurably lower when using a non-standard port.
Ya, my mistake, I wasn’t clear. I don’t mean that sshd doesn’t log if it’s on a different port, I mean that only the worst bots won’t find it, cutting down on the amount of noise in the logs. If ssh is configured correctly (disable password, 2fa, keys etc.) password attempts are just noise.
Using an obscure port only prevents attempts being logged, nothing else.
And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process. If you take that approach, make sure you are using a hardware firewall blocking inbound connections to ports above 1024.
Also, SSH keys with password auth disabled is enough - you don't even need to change your SSH port :D
On Tue, Sep 4, 2018 at 8:44 AM Sean Brown just@bumponalog.info wrote:
On Sep 4, 2018, at 8:40 AM, Natus natus@riseup.net wrote:
Use some tool like fail2ban and/or ssh key authentication.
Also change the default port of your ssh endpoint (eg: 2222)
Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thanks Paul, I use fail2ban, but this amount of failed logins is new to me. Marcus
-- You can find my public certificate at: https://web.tresorit.com/l#tDLNPX-QlTRTcpMEqRRSng
On 04.09.2018 at 14:38, Paul Templeton paul@coffswifi.net wrote:
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
Yes - it's constant 3-5 attempts per second - that's normal. Use some tool like fail2ban and/or ssh key authentication.
Paul
On 09/04/2018 03:41 PM, Marcus wrote:
Thanks Paul, I use fail2ban, but this amount of failed logins is new to me. Marcus
The failed logins are business as usual. If the machine is on the net, then bots will find it no matter where it is or which port it listens on. But they usually move on after a while, too.
While running fail2ban/sshguard helps, and changing the port helps slightly, the biggest change you can make if you haven't done it already is to use key-based authentication and turn off password based authentication, at least for the outward facing address(es) on your box. It seems that many bots can tell when the SSH daemon will not respond to passwords and move on without trying to actually log in.
/Lars
Marcus Wahle:
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
I'd say that is business as usual and not much to worry about if you use strong authentication.
FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.
Turn off password logins and take good care of your ssh keys. Moving sshd to a different port is a waste of time but harmless if you’re the only administrator.
—mkb
On Sep 4, 2018, at 5:35 AM, Marcus Wahle torproject@mailbox.org wrote:
Dear all,
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
Best regards Marcus
Waste of time to move the SSH port? My fail2ban has hardly anything to do since moving the port some time back. Very rarely does it see any attempts on my new odd-numbered SSH port, but on port 22 the attacks were continuous. I agree that in terms of security against a determined hacker, moving the port does nothing.
Gerry

-----Original Message-----
From: tor-relays tor-relays-bounces@lists.torproject.org On Behalf Of Michael Brodhead
Sent: 04 September 2018 18:36
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH login attempts
FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.
Turn off password logins and take good care of your ssh keys. Moving sshd to a different port is a waste of time but harmless if you’re the only administrator.
—mkb
On Sep 4, 2018, at 5:35 AM, Marcus Wahle torproject@mailbox.org wrote:
Dear all,
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
Best regards Marcus
On Tue, 4 Sep 2018 18:44:55 +0100 gerard@bulger.co.uk wrote:
Waste of time to move the SSH port? My fail2ban has hardly anything to do since moving the port some time back
Yes, it is. And you might as well remove fail2ban altogether if you simply have key-based auth and disable passwords.
Hello Marcus,
On an ongoing basis, most of my relays get up to 4000 attempts each day. It's standard practice I guess! Many, many are from just a few IP addresses. The rest are just a few per IP address. Occasionally, I will go beyond the fail2ban "ban" and block an IP address in iptables via ufw. I then unblock that IP address in a week or two. I set fail2ban for long blocks, maybe up to 12 hours (43,000 seconds).
So, harden your operating system as best you can. SSH works, but disable the password entry, X11, etc. if possible. This is always safe if your provider has a dashboard for you to use as secondary access to the server. I change my SSH port number, but that only slows the professionals by minutes or seconds. Remember to change the fail2ban SSH port number if you do that. Your host provider should have DDoS protection for his/her entire plant.
And don't sweat it! Learn from the experiences.
On 9/4/2018 5:35 AM, Marcus Wahle wrote:
Dear all,
Since 14:00 my logs (middle node) are spammed with around 100 failed SSH login attempts from different IPs. Is there anybody else affected?
Best regards Marcus
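The advice that recurs throughout the thread (Lars's "use key-based authentication and turn off password based authentication", plus the later note to keep fail2ban's port in step with sshd's) as an added POSIX shell example. This is not code from anyone in the thread: the sshd log lines and the sshd_config text it checks are constructed samples, the addresses are from documentation ranges, and the function names are my own. It does two things a relay operator actually wants from a burst like the one Marcus saw: count failed password attempts per source address (what a fail2ban maxretry would act on), and confirm the daemon is configured so those attempts are only noise.

```shell
#!/bin/sh
# Added example (not from the thread). Counts failed SSH logins per source IP
# from sshd log lines and checks an sshd_config for the settings recommended
# in the thread. All input below is constructed; 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, not real attackers.

SAMPLE_LOG='Sep  4 14:00:01 relay sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Sep  4 14:00:02 relay sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Sep  4 14:00:03 relay sshd[1205]: Failed password for root from 198.51.100.7 port 40210 ssh2
Sep  4 14:00:04 relay sshd[1207]: Accepted publickey for marcus from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:constructed
Sep  4 14:00:05 relay sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 51140 ssh2
Sep  4 14:00:06 relay sshd[1211]: Invalid user test from 198.51.100.7 port 40220
Sep  4 14:00:07 relay sshd[1213]: Failed password for root from 198.51.100.7 port 40230 ssh2'

# failed_by_ip: prints "<count> <ip>" per source address, busiest first.
# Only "Failed password" lines count; a bare "Invalid user" line is a probe
# that never reached authentication.
failed_by_ip() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
           for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# ips_over_threshold N: addresses with at least N failures, i.e. roughly what
# a fail2ban jail with maxretry=N would ban (the findtime window is ignored
# here; the sample spans seven seconds).
ips_over_threshold() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# check_sshd_config: reads sshd_config text on stdin, prints one line per weak
# setting and exits 0 only if password auth is off and key auth is on.
# As in sshd, the first occurrence of a keyword wins; unset keywords take the
# OpenSSH defaults (PasswordAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password). The port check is advisory only, since
# the thread itself disagrees on whether moving the port is worth anything.
check_sshd_config() {
  awk '
    { k = tolower($1) }
    k == "passwordauthentication" && pw == ""   { pw = tolower($2) }
    k == "pubkeyauthentication"   && pk == ""   { pk = tolower($2) }
    k == "permitrootlogin"        && root == "" { root = tolower($2) }
    k == "port"                   && port == "" { port = $2 }
    END {
      if (pw == "")   pw = "yes"
      if (pk == "")   pk = "yes"
      if (root == "") root = "prohibit-password"
      bad = 0
      if (pw != "no")    { print "weak: PasswordAuthentication " pw " (set it to no)"; bad = 1 }
      if (pk != "yes")   { print "weak: PubkeyAuthentication " pk " (set it to yes)"; bad = 1 }
      if (root == "yes") { print "weak: PermitRootLogin yes (use no or prohibit-password)"; bad = 1 }
      if (port != "" && port + 0 >= 1024)
        print "note: Port " port " is unprivileged; remember to set the same port in the fail2ban sshd jail"
      exit bad
    }'
}

# Stand-alone run: show the triage output, then check a deliberately weak config.
failed_by_ip
printf 'PasswordAuthentication yes\nPort 2222\n' | check_sshd_config || echo "config needs hardening"
```

To use it on a real box, replace the `SAMPLE_LOG` literal with `journalctl -u ssh` or `/var/log/auth.log` and feed `check_sshd_config` with `sshd -T` output, which prints the effective (lower-cased) settings after all includes and Match blocks are resolved.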