Newly installed Centos v7.
I made the change to sshd_config (PermitRootLogin no), and restarted sshd. I can still log in as root. I even restarted the system.
What scares me is that while logged on as root, watching the message log, I can see new root sessions being added.
When I log on, I also see something like 10,000 failed attempts to log on.
Questions:
- how to prevent root logon?
- how to change root password?
- how do I know what's malicious (or not authorized) in my message log? And can I create a script to monitor this for warnings and/or block?
Unless you change the ssh port, ssh login attempts as root will continue.
3 things you may try:
edit /etc/hosts.allow and add
Code:
sshd: 127.0.0.1 <your_ip> <another_safe_ip>
to the bottom of the file (edit as root)
edit /etc/hosts.deny and add
Code:
sshd: ALL
However, this does not work if openssh-server is greater than 6.6, and you can check this using
Code:
sudo rpm -qa | grep openssh-server
if it is NOT greater than 6.6, use the above.
Second thing to try is fail2ban. Installing it out of the box inhibits repeat offenders from trying root login to your server, and it takes care of this:
Quote:
Originally Posted by butchrappe
how do I know what's malicious (or not authorized) in my message log? and can I
create a script to monitor this for warnings and/or block?
for you in /var/log/fail2ban.log, if installed.
3rd thing you can do is change the ssh port, but this presents other issues that would require additional/further enhancements to the way you may usually access the server. I DO NOT RECOMMEND YOU USE THIS method at this time.
I hope this is helpful.
to change the root password...
login as root and issue
Code:
passwd
and enter the new password twice, (it will not be echoed).
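The OP asked for a script that flags suspicious activity in the message log. The following is an added example (not code from the thread or from fail2ban) of the kind of check fail2ban automates: it parses sshd lines in the /var/log/secure format, counts failed logins per source address, and reports any accepted root session from an address not on an allowlist. The log lines and the allowlist are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of sshd entries in /var/log/secure format (not real data).
SAMPLE_LOG = """\
Jan 12 03:14:01 www sshd[2210]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 03:14:03 www sshd[2212]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 12 03:14:05 www sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51250 ssh2
Jan 12 03:14:06 www sshd[2216]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 12 03:15:00 www sshd[2220]: Accepted password for root from 192.0.2.10 port 50000 ssh2
Jan 12 03:16:30 www sshd[2230]: Accepted publickey for root from 203.0.113.45 port 51300 ssh2
"""

# "invalid user" appears when the username does not exist on the system.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyze(log_text, allowed_ips, threshold=3):
    """Return (failed attempts per IP, unexpected root logins, IPs at/over threshold).

    allowed_ips: addresses from which a root session is expected (assumed allowlist).
    threshold: failed attempts after which an address is reported (fail2ban's maxretry idea).
    """
    failures = Counter()
    unexpected_root = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        # Any accepted root login from outside the allowlist is worth an alert,
        # regardless of whether it used a password or a public key.
        if m and m.group(2) == "root" and m.group(3) not in allowed_ips:
            unexpected_root.append((m.group(3), m.group(1)))
    over = sorted(ip for ip, n in failures.items() if n >= threshold)
    return failures, unexpected_root, over


if __name__ == "__main__":
    failures, unexpected_root, over = analyze(SAMPLE_LOG, {"192.0.2.10"})
    for ip, n in failures.most_common():
        print(f"{ip}: {n} failed attempt(s)")
    print("over threshold (candidates for blocking):", over)
    for ip, method in unexpected_root:
        print(f"WARNING: root session from {ip} via {method} not in allowlist")
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/secure and put your own management addresses in the allowlist.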
sorry, one more quick question:
What happens if I do an update, and suddenly my openssh-server is a higher version?
Great Question!
There's a method using yum to "exclude" packages from updates but I won't "go there".
There's another technique using the same mechanism as /etc/hosts.{allow, deny} using the xinetd package, but I haven't looked into it.
Should be a similar process with similar edits.
Habitual,
I've been on the road way too much lately. I guess we never know what "tomorrow" will bring.
I installed fail2ban shortly after we last communicated. I didn't try to run it until I could learn more about it - like a user guide or something. I've found enough info to make me think I'm ready to get it going. However:
Info tells me to edit/configure a file called: /etc/fail2ban.conf
I can see the file name, but a "more < " says it's not there. A "vi" tries to start a new file.
I can't start it, because it doesn't exist.
[root@www ~]# yum info fail2ban
Loaded plugins: fastestmirror, langpacks, product-id, subscription-manager
This system is not registered with Subscription Management. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
* base: mirror.unl.edu
* epel: kdeforge2.unl.edu
* extras: mirror.umd.edu
* updates: mirrors.adams.net
Installed Packages
Name : fail2ban
Arch : noarch
Version : 0.9
Release : 9.el7
Size : 0.0
Repo : installed
From repo : epel
Summary : Daemon to ban hosts that cause multiple authentication errors
URL : http://fail2ban.sourceforge.net/
License : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many
: password failures. It updates firewall rules to reject the IP
: address. These rules can be defined by the user. Fail2Ban can read
: multiple log files such as sshd or Apache web server ones.
:
: Fail2Ban is able to reduce the rate of incorrect authentications
: attempts however it cannot eliminate the risk that weak
: authentication presents. Configure services to use only two factor
: or public/private authentication mechanisms if you really want to
: protect services.
:
: This is a meta-package that will install the default
: configuration. Other sub-packages are available to install
: support for other actions and configurations.
I discovered the fail2ban conf in the same location you provided. That's different from the text I discovered online.
The contents of that file also do not agree with the "tutorial" I was following.
Think I should "yum fail2ban-all" ?
I did the "yum install fail2ban-all"
There are a couple filenames I see under /etc - but they don't exist. Very strange.
When I look at the fail2ban.conf file, it doesn't have the content that the online text discusses.
I was trying to follow: www.the-aret-of-web.com/system/fail2ban
I'd like to understand this a little better and make sure it's not allowing any "defaults" that can be exploited.
I started fail2ban, and will put it in the startup script.
Also restarted httpd. So, for now it's running. Is there a log I can follow? Or is it all under messages?