LinuxQuestions.org

SSHD illegal users (https://www.linuxquestions.org/questions/linux-newbie-8/sshd-illegal-users-746669/)

qwertyjjj 08-11-2009 04:26 AM

SSHD illegal users
 
Got this in logwatch:
Code:

Illegal users from:
    190.2.12.113 (customer-static-2-12-113.iplannetworks.net): 36 times
    200.29.234.100 (proxy.rebujia.com.co): 7 times
    218.75.78.86: 1 time
 reverse mapping checking getaddrinfo for customer-static-2-12-113.iplannetworks.net failed - POSSIBLE BREAK-IN ATTEMPT! : 40 time(s)
 reverse mapping checking getaddrinfo for proxy.rebujia.com.co failed - POSSIBLE BREAK-IN ATTEMPT! : 7 time(s)

Anything to be worried about?
I have code in my iptables that limits SSH logins to 8 per minute.

unSpawn 08-11-2009 06:13 AM

Quote:

Originally Posted by qwertyjjj (Post 3638938)
Anything to be worried about?

In computing something is on or it is off, a condition exists or it doesn't, there's no need for fuzzy human "worrying". If you would say "what is the risk?" then I'd say it depends on you implementing the measures I already offered.


Quote:

Originally Posted by qwertyjjj (Post 3638938)
I have code in my iptables that limits SSH logins to 8 per minute.

8 p/m is way too lenient IMHO, I'd go for 2.

centosboy 08-11-2009 06:27 AM

Quote:

Originally Posted by qwertyjjj (Post 3638938)
Got this in logwatch:
Code:

Illegal users from:
    190.2.12.113 (customer-static-2-12-113.iplannetworks.net): 36 times
    200.29.234.100 (proxy.rebujia.com.co): 7 times
    218.75.78.86: 1 time
 reverse mapping checking getaddrinfo for customer-static-2-12-113.iplannetworks.net failed - POSSIBLE BREAK-IN ATTEMPT! : 40 time(s)
 reverse mapping checking getaddrinfo for proxy.rebujia.com.co failed - POSSIBLE BREAK-IN ATTEMPT! : 7 time(s)

Anything to be worried about?
I have code in my iptables that limits SSH logins to 8 per minute.

should you worry? yes and no.
these are just attempts to get in....but then no one is ever successful without first attempting ;)

set the AllowUsers keyword.
run sshd on a port different than 22.
allow root login - turn off
use dsa keys
turn off password auth
so many things you can do to lock it down properly..
but it looks like someone has already advised you of all these?

qwertyjjj 08-11-2009 07:29 AM

Quote:

Originally Posted by centosboy (Post 3639087)
should you worry? yes and no.
these are just attempts to get in....but then no one is ever successful without first attempting ;)

set the AllowUsers keyword.
run sshd on a port different than 22.
allow root login - turn off
use dsa keys
turn off password auth
so many things you can do to lock it down properly..
but it looks like someone has already advised you of all these?

But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?

Is the SSH listening port in SSH config file?

what are dsa keys and password auth?

pwc101 08-11-2009 07:34 AM

Quote:

Originally Posted by qwertyjjj (Post 3639156)
But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?

Why not ssh in as an unprivileged user, then su - to root?
Quote:

Originally Posted by qwertyjjj (Post 3639156)
Is the SSH listening port in SSH config file?

Have you looked?

nuwen52 08-11-2009 07:41 AM

Quote:

Originally Posted by qwertyjjj (Post 3639156)
But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?

Is the SSH listening port in SSH config file?

what are dsa keys and password auth?

You do not have to allow root to log in to allow a user to su to root. Disallowing root login makes someone log in as themselves and then become root, which creates an entry in the log files.

ssh port is in the sshd config file.

Disallowing password auth means that the user must log in from a trusted account/machine. They won't need a password, but it will be from an account/machine that you know should only have allowed access, because the user has to have a pre-shared key.

DSA and RSA are the two keys usable in ssh. DSA is generally more secure, last I knew.

Please take a look at the sshd config file to get a better idea of your options.
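Turning the directives explained above into a check, as an added example that is not from the thread: a hypothetical helper that audits an sshd_config file against those points (root login, password auth, AllowUsers, port). The two sample config files are constructed, and the defaults assumed for absent keywords are those of OpenSSH of that era.

```shell
#!/bin/sh
# Report sshd_config settings that are weaker than the advice in this thread:
# root login allowed, password auth on, no AllowUsers whitelist, only port 22.
# Prints one line per finding; the exit status is the number of findings.
# Hypothetical helper, not part of OpenSSH.
sshd_weak_settings() {   # usage: sshd_weak_settings /path/to/sshd_config
    awk '
    # sshd uses the first uncommented occurrence of a keyword; comment lines
    # start with "#", so their $1 never equals the bare keyword.
    tolower($1) == "permitrootlogin"        && root == "" { root = tolower($2) }
    tolower($1) == "passwordauthentication" && pw   == "" { pw   = tolower($2) }
    tolower($1) == "allowusers"                           { allow = 1 }
    tolower($1) == "port" && $2 != 22                     { newport = 1 }
    END {
        # Absent keywords take the OpenSSH 5.x defaults (yes/yes): an assumption of this check.
        if (root == "") root = "yes"
        if (pw == "")   pw   = "yes"
        n = 0
        if (root != "no") { n++; print "PermitRootLogin " root ": set it to no; log in as a user and su -" }
        if (pw != "no")   { n++; print "PasswordAuthentication " pw ": set it to no once key login works" }
        if (!allow)       { n++; print "no AllowUsers line: whitelist the accounts allowed to log in" }
        if (!newport)     { n++; print "only port 22: add a second Port line and keep 22 until the new one is verified" }
        exit n
    }' "$1"
}

# Constructed sample configs, before and after hardening (not the poster's files).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'PasswordAuthentication yes' > "$WEAK"
printf '%s\n' 'Port 1057' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
              'PubkeyAuthentication yes' 'AllowUsers testuser' > "$HARD"

sshd_weak_settings "$WEAK" || echo "$? weak setting(s) in $WEAK"   # 4 findings
sshd_weak_settings "$HARD" && echo "$HARD passes"                  # 0 findings
```

Run it against a copy of the live file before restarting sshd; a clean result here says nothing about whether a key actually works, so test key login on the new port from a second session first.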

zhjim 08-11-2009 07:41 AM

Another thing to read on: http://www.fail2ban.org/wiki/index.php/Main_Page

qwertyjjj 08-11-2009 08:42 AM

Brilliant, I've now locked myself out of the server by changing the port and even though I added a firewall rule something has messed up.
Argh :(

qwertyjjj 08-11-2009 08:55 AM

Right I got it back using KVM.
Now when I edit the SSH port, do you just put in:
Port 1234
for example?

My iptables rules were changed to:
Code:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT

EDIT: oops, I was changing the ssh config file not the sshd config file :(
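The recent-module rules above only limit anything if they stay in the order set, update/DROP, ACCEPT for each port. A check for that ordering, as an added example rather than anything from the thread: the rule set and the placeholder address are constructed to match the shape posted above, and the function name is hypothetical.

```shell
#!/bin/sh
# Check that the iptables "recent" rate-limit triple for an SSH port is in the
# order the posted rules use: --set, then --update ... --hitcount N -j DROP,
# then ACCEPT. An ACCEPT placed before the DROP silently disables the limit;
# a --set placed after the --update never counts the first hit.
# Hypothetical helper; reads rules in iptables-save format from a file.
check_ssh_limit_order() {   # usage: check_ssh_limit_order RULES_FILE PORT
    awk -v port="$2" '
    $0 ~ ("--dport " port " ") {
        if (/-m recent --set /)                      pos["set"]    = NR
        else if (/-m recent --update / && /-j DROP/) pos["drop"]   = NR
        else if (/-j ACCEPT/)                        pos["accept"] = NR
    }
    END {
        if (!("set" in pos) || !("drop" in pos) || !("accept" in pos)) {
            print "port " port ": missing one of the set/drop/accept rules"; exit 1
        }
        if (pos["set"] < pos["drop"] && pos["drop"] < pos["accept"]) {
            print "port " port ": rate limit ordered correctly"; exit 0
        }
        print "port " port ": rules out of order (set=" pos["set"] " drop=" pos["drop"] " accept=" pos["accept"] ")"
        exit 1
    }' "$1"
}

GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
# Constructed rule set in the shape posted in the thread; 88.x.x.x is a placeholder.
# Port 22 stays open alongside the new port until the new port is verified.
cat > "$GOOD" <<'EOF'
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.x.x.x -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.x.x.x -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
EOF
# Same rules with ACCEPT first: every NEW connection is accepted before the counter is consulted.
cat > "$BAD" <<'EOF'
-A INPUT -d 88.x.x.x -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
EOF
check_ssh_limit_order "$GOOD" 1057
check_ssh_limit_order "$BAD" 1057 || echo "fix the order before closing port 22"
```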

qwertyjjj 08-11-2009 09:12 AM

You do not have to allow root to log in to allow a user to su to root. Disallowing root login makes someone log in as themselves and then become root, which creates an entry in the log files.
If I create a new user, what permissions do you give them?
To then login as root is it just su root?
So effectively you have a user login and password and then a 2nd root and password?

ssh port is in the sshd config file.

Disallowing password auth means that the user must log in from a trusted account/machine. They won't need a password, but it will be from an account/machine that you know should only have allowed access, because the user has to have a pre-shared key.
Can't do this as the IP address on my computer is dynamic or am I missing something here? Is a key used instead of the password? Effectively the same process then isn't it?

DSA and RSA are the two keys usable in ssh. DSA is generally more secure, last I knew.

Please take a look at the sshd config file to get a better idea of your options.

centosboy 08-11-2009 09:15 AM

Quote:

Originally Posted by qwertyjjj (Post 3639260)
Right I got it back using KVM.
Now when I edit the SSH port, do you just put in:
Port 1234
for example?

My iptables rules were changed to:
Code:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT

EDIT: oops, I was changing the ssh config file not the sshd config file :(

i would only ever recommend playing with this stuff locally unless you have another way in.

all the directives you need are in sshd_config

man sshd_config.

it is always good that you have some kind of test server to test out how this all works for you before putting it out live on a production server.

qwertyjjj 08-11-2009 09:25 AM

I created a user testuser with password
then added AllowUsers testuser in the config file
However, whenever I login with this user it says access denied after the password.

?

qwertyjjj 08-11-2009 09:58 AM

I think I am comfortable having a root password of 20 chars & numbers and restricting logins to 2 per min.
any hacker attempting to get through that would have to try for years :)
...and changing the port

repo 08-11-2009 10:00 AM

Quote:

any hacker attempting to get through that would have to try for years
Or be extremely lucky :-)

pwc101 08-11-2009 10:15 AM

Please use [quote][/quote] tags around the parts of text you are quoting, otherwise it's hard to tell what's your response and what's the original text you're responding to.
Quote:

Originally Posted by qwertyjjj (Post 3639275)
If I create a new user, what permissions do you give them?

No special permissions needed. Just an ordinary, bog standard user with a real log in shell (not /bin/false, for example).
Quote:

Originally Posted by qwertyjjj (Post 3639275)
To then login as root is it just su root?

Even better,
Code:

su -
so that you inherit root's environment settings too (see man su).
Quote:

Originally Posted by qwertyjjj (Post 3639275)
So effectively you have a user login and password and then a 2nd root and password?

Yes.
Quote:

Originally Posted by qwertyjjj (Post 3639275)
Can't do this as the IP address on my computer is dynamic or am I missing something here?

It's not the machine's IP address that's used to identify the machine, it's the key-pair that are used.
Quote:

Originally Posted by qwertyjjj (Post 3639275)
Is a key used instead of the password? Effectively the same process then isn't it?

Yes, a key's used. The difference is, the key's tied to the machine, whereas the password can roam independent of the machine, which allows anyone to have a go at guessing the right combination of username and password. At least, that's my understanding of it.

