LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-03-2011, 03:40 PM   #1
Dave_P
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Rep: Reputation: 1
How to check log files for ssh connection attempts


I've set up an ssh server at home to do ssh tunneling so I can use my tablet on public wifi.

How can I check the log file(s) for attempts by others to connect to my ssh server? BTW, I am using a 5-digit number as the ssh port.

I hardly ever look at any log files because they are so cryptic to understand. I need help on what to look for to tell whether a connection attempt was successful or not.

Thanks

Last edited by Dave_P; 10-03-2011 at 03:45 PM.
 
Old 10-03-2011, 04:23 PM   #2
rustek
Member
 
Registered: Jan 2010
Location: Melbourne, IA, USA
Distribution: Ubuntu
Posts: 93

Rep: Reputation: 8
I have a script that runs every minute looking at the last 150 lines in auth.log.
If it finds 20 of two different messages in a sample, it blocks the IP.

It used to block a few a week, but after moving off of port 22 it hasn't blocked an IP in over two and a half years; this is on three machines.

So you have already done the first best thing.

You can look for these two manually with:
Code:
grep "POSSIBLE BREAK-IN ATTEMPT" /var/log/auth.log
grep "Invalid user" /var/log/auth.log
To reject an attacker:
Code:
route add -host 202.105.135.91 reject
To remove:
Code:
route del -host 74.55.98.10 reject
The routing reject will remain until reboot.
 
1 members found this post helpful.
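The grep lines above find the two messages; the original question was also how to tell a successful login from a failed one, and rustek's script counts failures per IP over a sample of recent lines. The following is an added example (not rustek's script and not from the thread) that does both over an auth.log-style file: it prints every accepted login with user, method and source IP, tallies failed or suspicious sshd events per source IP, and lists the IPs at or above a threshold. The log lines are constructed sample data using documentation IP ranges; the host name "home" and user "dave" are placeholders. On a real system point the functions at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family), or at `tail -n 150 /var/log/auth.log > /tmp/recent.log` to reproduce the "last 150 lines" sampling; on systemd hosts `journalctl -u ssh` (Debian) or `journalctl -u sshd` (RHEL) produces the same sshd lines.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd events in an auth.log-style
# file. Constructed sample lines (documentation IP ranges, placeholder host and
# user) are written to a temp file so the functions can be run offline.

SAMPLE_LOG="${TMPDIR:-/tmp}/sshd_sample_auth.log"
cat > "$SAMPLE_LOG" <<'EOF'
Oct  3 15:40:01 home sshd[2101]: Accepted publickey for dave from 203.0.113.7 port 51234 ssh2
Oct  3 15:41:10 home sshd[2110]: Invalid user admin from 198.51.100.23
Oct  3 15:41:12 home sshd[2110]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Oct  3 15:41:15 home sshd[2112]: Failed password for root from 198.51.100.23 port 40113 ssh2
Oct  3 15:41:20 home sshd[2114]: reverse mapping checking getaddrinfo for scanner.example [198.51.100.23] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct  3 15:42:00 home sshd[2120]: Failed password for dave from 203.0.113.7 port 51240 ssh2
Oct  3 15:42:05 home sshd[2121]: Accepted password for dave from 203.0.113.7 port 51241 ssh2
Oct  3 15:42:30 home CRON[2130]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Successful logins: prints "user method source-ip" for every "Accepted" line.
# Fields are located from the word "Accepted" onward, so the syslog timestamp
# format does not matter. Note that "port NNNNN" in these lines is the client's
# source port, not sshd's listening port, so a nonstandard server port does
# not change what you grep for.
ssh_accepted() { # $1 = log file
    awk '/sshd\[[0-9]+\]: Accepted / {
            s = substr($0, index($0, "Accepted "))
            split(s, f, " ")   # f[2]=method f[4]=user f[6]=source ip
            print f[4], f[2], f[6]
        }' "$1"
}

# Failed or suspicious sshd events counted per source IP. IPv4 only: the first
# dotted quad on the line is taken, which is the peer in all three formats.
ssh_failures_by_ip() { # $1 = log file; prints "count ip", highest first
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user|.*POSSIBLE BREAK-IN ATTEMPT)/ {
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART, RLENGTH)
                n[ip]++
            }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs at or above a failure threshold, i.e. the candidates for a block rule.
ssh_offenders() { # $1 = log file, $2 = threshold
    ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run over the sample.
echo "Accepted logins:";    ssh_accepted "$SAMPLE_LOG"
echo "Failures by IP:";     ssh_failures_by_ip "$SAMPLE_LOG"
echo "Over threshold (3):"; ssh_offenders "$SAMPLE_LOG" 3
```

On the sample, the scanner at 198.51.100.23 accounts for four events and is the only IP over a threshold of 3, while dave's one mistyped password from 203.0.113.7 is followed by an Accepted line and stays below it. That is the distinction the original question asks about: a Failed password followed by an Accepted line from the same address is a legitimate user retrying, a run of Invalid user and Failed password lines with no Accepted line is a guessing attempt. Only IPv4 addresses are counted here; sshd logs IPv6 peers the same way but the dotted-quad match would skip them.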
Old 10-03-2011, 04:49 PM   #3
Dave_P
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: 1
Thanks rustek for the helpful tip.

I ran the grep commands above and no output was given. I guess my new ssh server is OK for now.

I read as much as possible about ssh tunneling before implementing it. For example, I used a different port other than the standard 22. I've used AllowUsers and added my name only.

There is something I read about using private key authentication as opposed to password authentication. They say it is more secure. But I don't know if I could trust something I have never done before.

Anyway, I added a +1 reputation for you

Thanks

Last edited by Dave_P; 10-03-2011 at 05:47 PM.
 
Old 10-03-2011, 05:25 PM   #4
rustek
Member
 
Registered: Jan 2010
Location: Melbourne, IA, USA
Distribution: Ubuntu
Posts: 93

Rep: Reputation: 8
The private key thing works well. I had a little trouble the first time, but I use it to move stuff automatically between servers now.
 
Old 10-03-2011, 05:59 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Have a read through this tutorial. While a bit dated, I found it to be a good explanation of how to set up key-based authentication.
 
Old 10-04-2011, 01:09 AM   #6
Dave_P
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: 1
Thanks Hangdog42 for the link

I already know this; what I meant in my last post was I didn't want to take a chance on trying something I haven't tried before. I have always done password authentication.

Last edited by Dave_P; 10-04-2011 at 01:45 AM.
 
Old 10-04-2011, 02:02 AM   #7
rustek
Member
 
Registered: Jan 2010
Location: Melbourne, IA, USA
Distribution: Ubuntu
Posts: 93

Rep: Reputation: 8
If you don't set a password on the key, then if you lose your tablet or someone gets hold of it, they will be able to access the server until you remove or change the server key.

It is more secure using the key and you should password protect it if you feel the need.

You have to decide that when you create the key.

If someone steals my notebook, I have to make a phone call before they figure out they have root access to several machines.

Last edited by rustek; 10-04-2011 at 02:23 AM.
 
Old 10-04-2011, 05:43 PM   #8
Dave_P
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: 1
If I create this key pair, what do I do with the keys? Do both keys need to be in the .ssh directory, or just one of them, or could I move both off to a USB stick?
 
Old 10-04-2011, 06:07 PM   #9
rustek
Member
 
Registered: Jan 2010
Location: Melbourne, IA, USA
Distribution: Ubuntu
Posts: 93

Rep: Reputation: 8
One key on each machine; it looks like the link provided by Hangdog42 shows all that.

You probably could put a symlink in .ssh and put the key on the USB stick; neat idea.

Last edited by rustek; 10-04-2011 at 06:10 PM.
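Posts #3, #7 and #9 between them describe the target configuration: a nonstandard port, AllowUsers limited to one name, key-based logins with a passphrase-protected private key on the client and the public key on the server. The following is an added example, not from the thread, that writes a weak and a hardened sshd_config as constructed sample files and audits them for those settings; the port 51022 and the user "dave" are placeholders standing in for the OP's 5-digit port and login name. On a real system run `sshd_audit` against /etc/ssh/sshd_config, or better against the output of `sshd -T`, which prints the effective value of every keyword after defaults and Match blocks are applied.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the points
# raised in the thread (nonstandard port, AllowUsers, key-only logins). Two
# constructed configs are written to temp files so this runs offline.

WEAK_CFG="${TMPDIR:-/tmp}/sshd_config.weak"
HARD_CFG="${TMPDIR:-/tmp}/sshd_config.hardened"

# Roughly what a stock install gives you: port 22, any local user, passwords.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# What the thread converges on (port and user are placeholders). Key placement,
# for post #8: the private key stays on the client (~/.ssh/id_ed25519, mode
# 0600, given a passphrase when ssh-keygen asks for one); only the matching
# public key line is appended to ~/.ssh/authorized_keys on the server.
cat > "$HARD_CFG" <<'EOF'
Port 51022
AllowUsers dave
PubkeyAuthentication yes
PasswordAuthentication no
# Without this, PAM keyboard-interactive can still accept the password even
# though PasswordAuthentication is off. OpenSSH 8.7+ calls the keyword
# KbdInteractiveAuthentication; the old name is still accepted as an alias.
ChallengeResponseAuthentication no
EOF

# First-occurrence lookup, the way sshd resolves a keyword. Keywords are
# case-insensitive; comments and blank lines are skipped; a Match block ends
# the global scope, so conditional settings are deliberately not considered.
cfg_get() { # $1 = config file, $2 = keyword; prints the lower-cased first value
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

sshd_audit() { # $1 = config file; one finding per line, silent when clean
    f="$1"
    [ "$(cfg_get "$f" PasswordAuthentication)" = "no" ] \
        || echo "PasswordAuthentication is not 'no' (default is yes)"
    [ "$(cfg_get "$f" PubkeyAuthentication)" != "no" ] \
        || echo "PubkeyAuthentication is disabled"
    [ "$(cfg_get "$f" ChallengeResponseAuthentication)" = "no" ] \
        || [ "$(cfg_get "$f" KbdInteractiveAuthentication)" = "no" ] \
        || echo "keyboard-interactive auth still enabled (default is yes)"
    [ -n "$(cfg_get "$f" AllowUsers)" ] \
        || echo "no AllowUsers restriction"
    p="$(cfg_get "$f" Port)"
    [ -n "$p" ] && [ "$p" != "22" ] \
        || echo "listening on the default port 22"
}

echo "== weak ==";     sshd_audit "$WEAK_CFG"
echo "== hardened =="; sshd_audit "$HARD_CFG"
```

The weak config produces four findings and the hardened one none. The check that matters most for the "keys instead of passwords" question is the pair PasswordAuthentication no plus ChallengeResponseAuthentication no: with only the first, a server built against PAM may still prompt for and accept the account password through keyboard-interactive. A passphrase on the private key, which rustek discusses, is set on the client side and is not visible to sshd at all, so no server setting can enforce it.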
 
Old 10-04-2011, 07:22 PM   #10
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
I don't quite follow the original question, which was how to monitor for others trying to access the ssh server. Then it turned into a how-to-authenticate question.

What exactly are you tunneling? A client-server app where the server is at your house?

Run iptables and configure the rules and logging accordingly.

What rev/distro of Linux and what sshd is it?
 
Old 10-04-2011, 10:29 PM   #11
Dave_P
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: 1
@ Linux_Kidd

My question was solved. I have no issues with ssh tunneling whatsoever. My question about ssh private key authentication was an afterthought, just asking people if it was safer than password authentication.

Sometimes threads go off topic. Anyway, I'll mark it as solved. Thanks to all who replied.

Last edited by Dave_P; 10-04-2011 at 10:34 PM.
 
Old 10-05-2011, 12:40 PM   #12
pwalden
Member
 
Registered: Jun 2003
Location: Washington
Distribution: Raspbian, Ubuntu, Chrome/Crouton
Posts: 374

Rep: Reputation: 50
Why wouldn't denyhosts work here?

Denyhosts monitors ssh login failures and adds the offending IP to hosts.deny.

I believe you can configure it for other port numbers, the number of login attempts, and services. It also automatically removes offending IPs from hosts.deny after a month.

I use ssh on the standard port number with denyhosts.
 
Old 10-05-2011, 01:05 PM   #13
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
Quote:
Originally Posted by pwalden View Post
Why wouldn't denyhosts work here?

Denyhosts monitors ssh login failures and adds the offending IP to hosts.deny.

I believe you can configure it for other port numbers, the number of login attempts, and services. It also automatically removes offending IPs from hosts.deny after a month.

I use ssh on the standard port number with denyhosts.
He uses public wifi (DHCP), so how could he know what to deny?
 
Old 10-05-2011, 01:20 PM   #14
pwalden
Member
 
Registered: Jun 2003
Location: Washington
Distribution: Raspbian, Ubuntu, Chrome/Crouton
Posts: 374

Rep: Reputation: 50
I thought he said he had an ssh server at home. That is where denyhosts runs.

I guess I don't understand what the set up is here.
 
Old 10-05-2011, 01:38 PM   #15
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
Quote:
Originally Posted by pwalden View Post
I thought he said he had an ssh server at home. That is where denyhosts runs.

I guess I don't understand what the set up is here.
Yes, sshd runs at his house, but his tablet is a DHCP client that connects to various wifi APs. His tablet runs the ssh client and he uses it to tunnel to/through his sshd at home. So if his IP changes often then hosts.deny is not robust enough. Certainly he can use hosts.deny to limit a majority of inet IPs, but that's not a secure solution.

Last edited by Linux_Kidd; 10-05-2011 at 01:42 PM.
 