[SOLVED] Changed SSH port but still see login attempts in auth.log on Ubuntu 14.04.6
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Changed SSH port but still see login attempts in auth.log on Ubuntu 14.04.6
Hi,
I changed my ssh port (/etc/ssh/sshd_config) to an obscure number and confirmed it's working.
I am still seeing login attempts (and fails) in my /var/log/auth.log.
1. Is that normal or should those attempts no longer generate log traffic for auth.log?
2. Second question. I see in the log entries a mention of various ports ( ....from 49.234.100.133 port 59898 ssh2.....). Does this mean users are trying to log into the system on port 59898). If so, I guess I answered my first question.
Thanks
Nacht
----
Dec 16 20:03:51 jrpno sshd[20534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=181.30.28.73
Dec 16 20:03:53 jrpno sshd[20534]: Failed password for invalid user securityagent from 181.30.28.73 port 43308 ssh2
Dec 16 20:03:53 jrpno sshd[20534]: Received disconnect from 181.30.28.73: 11: Bye Bye [preauth]
Dec 16 20:03:56 jrpno sshd[20536]: Invalid user mine from 49.234.100.133
Dec 16 20:03:56 jrpno sshd[20536]: input_userauth_request: invalid user mine [preauth]
Dec 16 20:03:56 jrpno sshd[20536]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 20:03:56 jrpno sshd[20536]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.234.100.133
Dec 16 20:03:57 jrpno sshd[20536]: Failed password for invalid user mine from 49.234.100.133 port 59898 ssh2
Dec 16 20:03:58 jrpno sshd[20536]: Received disconnect from 49.234.100.133: 11: Bye Bye [preauth]
-------
I changed my ssh port (/etc/ssh/sshd_config) to an obscure number and confirmed it's working.
I am still seeing login attempts (and fails) in my /var/log/auth.log.
1. Is that normal or should those attempts no longer generate log traffic for auth.log?
If nothing listens on port 22, it's indeed odd. But check if your sshd really uses an obscure port. Have you restarted it after changing the configuration?
Run
Code:
sudo ss -lntp | grep ssh
to check the port sshd is using.
Quote:
2. Second question. I see in the log entries a mention of various ports ( ....from 49.234.100.133 port 59898 ssh2.....). Does this mean users are trying to log into the system on port 59898).
...
Dec 16 20:03:57 jrpno sshd[20536]: Failed password for invalid user mine from 49.234.100.133 port 59898 ssh2
User mine tries to log in FROM port 59898. I.e. it's the port the SSH client is using.
Both are normal. The bots can find your new port number in minutes and at that point instantly know that it is SSH and get back to work. If you set up either SSH keys or SSH certificates and turn off password authentication, then many of the bots can sense that and will leave your system alone regardless of the port number.
As for the high port numbers in the logs, those are the ports the remote attackers are contacting your system from, not the port on your system they are connecting to.
Even with nothing pointing to an IP, you will still get login attempts every day from many different IPs. Changing ports weeds out some but not all. Iptables rules to drop connections after 3 failures will get you exactly 3 login attempts from a bunch of different IPs. They know pretty much every trick you can think of. I removed my external ssh port entirely this year, since I work from home anyway.
ufw insert 1 allow in proto tcp from 192.168.0.0/16 to any port 22,2222 comment "SSH Local Network Access"
Also, do a grep on /etc/ssh/sshd_config to make sure you changed the port to the following:
egrep -i PORT /etc/ssh/sshd_config
This is an old post, so I am not sure why the team did not tell you to limit access to the port using the UFW or the IPtables firewall lists. But oh well, I am sure you got everything done.
This is an old post, so I am not sure why the team did not tell you to limit access to the port using the UFW or the IPtables firewall lists.
1) the post is not old
2) UFW is quite complicated
3) iptables is deprecated in favor of nftables
4) most password guessers are distributed and do not come from single addresses any more
5) switching to SSH keys or SSH certificates and dropping password authentication will block the most bots
1) the post is not old - ok
2) UFW is quite complicated - UFW is not complicated
→ dnf install ufw -y
→ systemctl enable ufw
→ systemctl start ufw
→ ufw enable, select y
→ ufw insert 1 allow in proto tcp from <local subnet> to any port 22,2222 comment "SSH Monitoring"
Not sure how complicated that is compared to others
3) iptables is deprecated in favor of nftables - ok
4) most password guessers are distributed and do not come from single addresses any more
→ If you block remote access (Internet) and limit access from certain ip addresses, this can be done or utilize the VPN
5)switching to SSH keys or SSH certificates and dropping password authentication will block the most bots
→ Yes, I agree using SSH Certs but it won't stop the entry from appearing in the logs, because once the key is not entered and there is a failure, a log entry appears.
I do think with both mechanisms will help but one way should not be the only way and they need another outside firewall to limit this traffic.
1. They should have an outside firewall blocking access to this server only limiting certain IPs to access it
2. I am not sure why they would not use SSH Certs since that is the defacto standard in most business environments, if not, then they have bigger issues
3. And this is what I found from nft:
% nft add table ip filter
% nft 'add chain ip filter input { type filter hook input priority 0 ; }'
% nft 'add chain ip filter output { type filter hook output priority 0 ; }'
You have to configure this first before you start adding rules, from the last time I looked, I did not have to do that with ufw or iptables.
... because once the key is not entered and there is a failure, a log entry appears.
They tend to mostly leave the SSH server alone once you have turned off password authentication. Though misconfigured bots may come in bursts anyway. But that is a far cry from the steady stream of probes which occurs otherwise.
Yeah, but that can be handled by the outside firewall to limit specific traffic to that server, that may be the underlying issue, there needs to be two levels of security before it reaches the machine.
If it is a webserver, again, there needs to be limitations on who can access what, internal firewalls and in certain cases HIDS, NIDS and other solutions to thwart those attacks or even direct that traffic to a honey point after it has been identified to be as nefarious. Logwatch can help with identifying the traffic (other costly tools other there that do a better job) and then after a certain number of attempts, the system should block them anyway.
Evaluate the security posture to alleviate these problems.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.