
Hi there, I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me. Does anyone else see these ssh attempts? Is it normal?

sshd[27004]: Failed password for root from 45.91.226.235 port 41012 ssh2
sshd[27004]: Received disconnect from 45.91.226.235 port 41012:11: Bye Bye [preauth]
sshd[27004]: Disconnected from authenticating user root 45.91.226.235 port 41012 [preauth]
sshd[27006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.36.253.227 user=root

It's many different IPs trying to access on many different ports. Thank you!

Happens on all internet-facing ssh daemons. Independently of tor.

On 3/31/21 6:35 PM, Cristiano Kubiaki Gomes wrote:
Hi there, I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me.
Does anyone else see these ssh attempts? Is it normal?
sshd[27004]: Failed password for root from 45.91.226.235 port 41012 ssh2
sshd[27004]: Received disconnect from 45.91.226.235 port 41012:11: Bye Bye [preauth]
sshd[27004]: Disconnected from authenticating user root 45.91.226.235 port 41012 [preauth]
sshd[27006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.36.253.227 user=root
It's many different IPs trying to access on many different ports.
Thank you!
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On 31 March 2021, Cristiano Kubiaki Gomes wrote:
I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me.
I think that's normal for every host on the internet! A tool like Fail2ban¹ does a good job with those probes; anything else that's recommended for securing a machine will also help.

Bill

¹ https://www.fail2ban.org/wiki/index.php/Main_Page

--
William Denton :: Toronto, Canada
Listening to Art: https://listeningtoart.org/
https://www.miskatonic.org/
GHG.EARTH: https://ghg.earth/
Caveat lector.
STAPLR: https://staplr.org/
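Bill's Fail2ban suggestion in practice, as an added example that is not part of the thread: a small Python script that applies fail2ban's maxretry/findtime rule to sshd auth-log lines in the format quoted above. The sample log is constructed for this example (the syslog prefixes, the extra lines and the maxretry=5 / findtime=600 defaults are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the message bodies quoted in the thread plus a few more in
# the same format; the syslog prefixes (time, host) are invented for the example.
SAMPLE_LOG = """\
Mar 31 18:35:01 relay sshd[27004]: Failed password for root from 45.91.226.235 port 41012 ssh2
Mar 31 18:35:01 relay sshd[27004]: Received disconnect from 45.91.226.235 port 41012:11: Bye Bye [preauth]
Mar 31 18:35:01 relay sshd[27004]: Disconnected from authenticating user root 45.91.226.235 port 41012 [preauth]
Mar 31 18:35:03 relay sshd[27006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.36.253.227 user=root
Mar 31 18:35:09 relay sshd[27010]: Failed password for root from 45.91.226.235 port 41020 ssh2
Mar 31 18:35:17 relay sshd[27012]: Failed password for invalid user admin from 45.91.226.235 port 41031 ssh2
Mar 31 18:35:25 relay sshd[27015]: Failed password for root from 45.91.226.235 port 41044 ssh2
Mar 31 18:35:33 relay sshd[27018]: Failed password for root from 45.91.226.235 port 41050 ssh2
Mar 31 19:40:00 relay sshd[27100]: Failed password for root from 108.36.253.227 port 50012 ssh2
"""

TS = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) ")
# Count only the two explicit failure messages: the "Received disconnect" and
# "Disconnected from authenticating user" lines belong to the same attempt.
FAILURE = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"),
    re.compile(r"pam_unix\(sshd:auth\): authentication failure;.* rhost=(\d+\.\d+\.\d+\.\d+)"),
]

def failures(log):
    """Yield (timestamp, source_ip) for every authentication failure in the log."""
    for line in log.splitlines():
        ts = TS.match(line)
        hit = next(filter(None, (p.search(line) for p in FAILURE)), None)
        if ts and hit:
            # Syslog stamps carry no year; good enough for relative comparison.
            yield datetime.strptime(ts.group(1), "%b %d %H:%M:%S"), hit.group(1)

def offenders(log, maxretry=5, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window,
    i.e. the rule a fail2ban sshd jail applies (defaults assumed here)."""
    stamps = defaultdict(list)
    for ts, ip in failures(log):
        stamps[ip].append(ts)
    banned = []
    for ip, times in stamps.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)
```

On the sample, only 45.91.226.235 crosses the threshold: the second address fails twice, more than an hour apart, which is why a findtime window matters as much as the retry count.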

Thank you for the explanation. I also found this (old) article that explains the lifecycle of a new relay: https://blog.torproject.org/lifecycle-new-relay
I just set up my first Relay and soon it will be helping the Tor network. With time I will be able to start others. All the best!

On Thu, 1 Apr 2021 at 00:41, William Denton <wtd@pobox.com> wrote:
On 31 March 2021, Cristiano Kubiaki Gomes wrote:
I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me.
I think that's normal for every host on the internet! A tool like Fail2ban¹ does a good job with those probes; anything else that's recommended for securing a machine will also help.
Bill
¹ https://www.fail2ban.org/wiki/index.php/Main_Page
--
William Denton :: Toronto, Canada
Listening to Art: https://listeningtoart.org/
https://www.miskatonic.org/
GHG.EARTH: https://ghg.earth/
Caveat lector.
STAPLR: https://staplr.org/

On 31.03.2021 18:35, Cristiano Kubiaki Gomes wrote:
Hi there, I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me.
Does anyone else see these ssh attempts? Is it normal?

Yes.

sshd[27004]: Failed password for root from 45.91.226.235 port 41012 ssh2

Disable root login! (First: "adduser UserName")

sshd[27004]: Received disconnect from 45.91.226.235 port 41012:11: Bye Bye [preauth]
sshd[27004]: Disconnected from authenticating user root 45.91.226.235 port 41012 [preauth]
sshd[27006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.36.253.227 user=root

Disable password login! Use SSH-Key Auth.
https://docs.ovh.com/gb/en/vps/tips-for-securing-a-vps/
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!

Move SSH from port 22. Certificate only, deny passwords; gets rid of most of this from the kiddies.

From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Cristiano Kubiaki Gomes
Sent: 31 March 2021 17:36
To: tor-relays@lists.torproject.org
Subject: [tor-relays] Many SSH requests

Hi there, I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me. Does anyone else see these ssh attempts? Is it normal?

sshd[27004]: Failed password for root from 45.91.226.235 port 41012 ssh2
sshd[27004]: Received disconnect from 45.91.226.235 port 41012:11: Bye Bye [preauth]
sshd[27004]: Disconnected from authenticating user root 45.91.226.235 port 41012 [preauth]
sshd[27006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.36.253.227 user=root

It's many different IPs trying to access on many different ports. Thank you!

------- Original Message -------
On Wednesday, March 31, 2021 9:35 AM, Cristiano Kubiaki Gomes <cristianockg@gmail.com> wrote:
I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me. Does anyone else see these ssh attempts? Is it normal?

Yup, it's background radiation on the Internet. We all get them.

If SSH key authentication only isn't enabled, turn it on. Change the port sshd is listening on. Set up fail2ban to further protect the new port (I get a lot of portscans hammering my nodes looking for the new sshd port followed by brute force attempts, so may as well cut 'em off at the knees).

Or set up a hidden service for sshd on the box and reconfigure it to listen on the loopback only. You'll only be able to SSH in over the Tor network after that, but it'll cut the login attempts way down.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.

Thank you all for the recommendation. It took some time but I think I am relatively safer now. And also learned a lot. Much appreciated. All the best!

On Fri 2 Apr 2021 at 11:40, The Doctor [412/724/301/703/415/510] <drwho@virtadpt.net> wrote:
------- Original Message -------
On Wednesday, March 31, 2021 9:35 AM, Cristiano Kubiaki Gomes <cristianockg@gmail.com> wrote:
I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me. Does anyone else see these ssh attempts? Is it normal?
Yup, it's background radiation on the Internet. We all get them.
If SSH key authentication only isn't enabled, turn it on. Change the port sshd is listening on. Set up fail2ban to further protect the new port (I get a lot of portscans hammering my nodes looking for the new sshd port followed by brute force attempts, so may as well cut 'em off at the knees).
Or set up a hidden service for sshd on the box and reconfigure it to listen on the loopback only. You'll only be able to SSH in over the Tor network after that, but it'll cut the login attempts way down.
The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.
--
Cristiano Kubiaki
Telegram <https://telegram.me/cris_kubiaki> | LinkedIn <https://www.linkedin.com/in/cristianokubiaki/> | Twitter <https://twitter.com/criskubiaki>
ITIL - MCP - MCDST - MCTS - DCSE

Hi,

Only allowing public key authentication (preferably avoiding RSA, DSA and ECDSA keys and just going for an Ed25519 one), disabling root login and then creating an unprivileged user to work on the machine, which will be added to the AllowUsers directive in sshd_config, will make brute-forcing obsolete. You might still want to move the port from 22 to anything random from 1024-65535 to get rid of the frequent log entries caused by servers scanning for outdated or vulnerable sshd instances.

- William

On 02/04/2021, Cristiano Kubiaki Gomes <cristianockg@gmail.com> wrote:
Thank you all for the recommendation. It took some time but I think I am relatively safer now.
And also learned a lot. Much appreciated.
All the best!
On Fri 2 Apr 2021 at 11:40, The Doctor [412/724/301/703/415/510] <drwho@virtadpt.net> wrote:
------- Original Message -------
On Wednesday, March 31, 2021 9:35 AM, Cristiano Kubiaki Gomes <cristianockg@gmail.com> wrote:
I noticed many ssh requests to my Debian VM running a Relay and I am wondering if this is normal or if this is happening only with me. Does anyone else see these ssh attempts? Is it normal?
Yup, it's background radiation on the Internet. We all get them.
If SSH key authentication only isn't enabled, turn it on. Change the port sshd is listening on. Set up fail2ban to further protect the new port (I get a lot of portscans hammering my nodes looking for the new sshd port followed by brute force attempts, so may as well cut 'em off at the knees).
Or set up a hidden service for sshd on the box and reconfigure it to listen on the loopback only. You'll only be able to SSH in over the Tor network after that, but it'll cut the login attempts way down.
The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.
--
Cristiano Kubiaki
Telegram <https://telegram.me/cris_kubiaki> | LinkedIn <https://www.linkedin.com/in/cristianokubiaki/> | Twitter <https://twitter.com/criskubiaki>
ITIL - MCP - MCDST - MCTS - DCSE
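The sshd_config settings William, Marco and The Doctor recommend in this thread, as an added example that is not from the thread itself: a Python checker that parses an sshd_config excerpt and lists which of those recommendations it misses. Both config excerpts are constructed here; the user name relayadmin, the port 51022 and the table of OpenSSH defaults are assumptions.

```python
import re
# Constructed sshd_config excerpts (not from any real host): roughly how a fresh
# Debian install behaves, and the settings the thread advises.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 51022
PermitRootLogin no
PasswordAuthentication no
# without this, PAM can still prompt for a password via keyboard-interactive
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5; accepts Ed25519 keys only
PubkeyAcceptedKeyTypes ssh-ed25519
AllowUsers relayadmin
"""

# Values OpenSSH applies when a keyword is absent (assumed upstream defaults).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes"}

# (keyword, test the value must pass, the thread's recommendation)
CHECKS = [
    ("permitrootlogin", lambda v: v == "no", "set PermitRootLogin no"),
    ("passwordauthentication", lambda v: v == "no", "set PasswordAuthentication no"),
    ("challengeresponseauthentication", lambda v: v == "no", "set ChallengeResponseAuthentication no"),
    ("pubkeyauthentication", lambda v: v == "yes", "keep PubkeyAuthentication yes"),
    ("allowusers", lambda v: v != "", "limit logins with AllowUsers"),
    ("port", lambda v: v != "22", "move sshd off port 22 to cut log noise"),
]

def parse(text):
    """Keywords are case-insensitive and the first occurrence wins, as in sshd."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return the recommendations from the thread that this config does not meet."""
    conf = parse(text)
    return [advice for key, ok, advice in CHECKS
            if not ok(conf.get(key, DEFAULTS.get(key, "")))]
```

Run `sshd -t` after editing the real file and keep an existing session open until a fresh key-based login succeeds, since a typo in AllowUsers locks everyone out.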
participants (7)
- Cristiano Kubiaki Gomes
- gerard@bulger.co.uk
- lists@for-privacy.net
- Random Tor Node Operator
- The Doctor [412/724/301/703/415/510]
- William Denton
- William Kane