LinuxQuestions.org
Old 03-12-2014, 04:42 AM   #1
pr0xibus
Member
 
Registered: Apr 2004
Location: Scotland
Distribution: Slackware
Posts: 218

SSH Security


Morning guys

I keep getting invalid user attempts

Code:
*******:/home/********# grep "invalid user" /var/log/messages
Mar 12 05:58:37 *********** sshd[1502]: input_userauth_request: invalid user jochen [preauth]
Mar 12 05:58:37 ********** sshd[1502]: Failed password for invalid user jochen from 86.101.234.57 port 54805 ssh2
Mar 12 07:52:50 ***** sshd[1669]: input_userauth_request: invalid user creative [preauth]
Mar 12 07:52:50 ***** sshd[1669]: Failed password for invalid user creative from 86.101.234.57 port 42262 ssh2
I have only listed today's ones so far. I have disabled root logins via SSH and changed the port, but still they appear all day every day. Is there anything else I can do to slow this or stop this completely?

This is on a clean install of 14.1
 
Old 03-12-2014, 04:51 AM   #2
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Drop all the IPs somewhere in your firewall and allow only trusted IPs.
 
Old 03-12-2014, 05:00 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,550

If you can't do what kirukan suggests then make use of fail2ban to block repeat "offenders".
 
Old 03-12-2014, 05:35 AM   #4
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Just like operating systems targeted at day-to-day end-users (think Windows) have specific software (malware) to take control over them, *nix systems as a whole (still mainly used as servers) are specifically targeted to gain control..

The most common is trying to break SSH and e-mail relaying by means of automated scripts/programs (bots)... Think about it: no matter what the distribution, almost all servers will make use of SSH so that users can log in to it (and there isn't any better or equal way).. Changing the ports helps a bit, but some bots will even try to scan your ports..

Thus, you have to ensure that you apply redundant security measures.. Disallowing root is a great first step because that's the only user which is almost (yes, there are distributions without the name 'root') sure to exist. The second would be to create a separate group and allow only members of that group to do SSH.. And the third, to use software like 'fail2ban' (link in TenTenths' post)... If it helps, in my experience, with these types of measures none of the servers I've managed have been broken into (well, at least not via SSH).. But, to be fair, none were hosting very important things..

Good luck
 
Old 03-12-2014, 05:39 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,550

Quote (originally posted by Smokey_justme):
Disallowing root is a great first step because that's the only user which is almost (yes, there are distributions without the name 'root') sure to exist. The second would be to create a separate group and allow only members of that group to do SSH..
The first two items on our company server build document.
 
Old 03-12-2014, 08:59 AM   #6
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

In addition to fail2ban suggested above, there is also DenyHosts (http://denyhosts.sourceforge.net/); I've used it for years and it effectively bans intruders with either an IPTABLES or /etc/hosts.deny entry (after some number of failed login attempts, the address is added to one or the other and connections will be refused). DenyHosts runs as a daemon and you don't have to do any maintenance or twiddling with it once installed.

A nice feature of DenyHosts is that you can share miscreant addresses with other DenyHosts users around the world (they're added to your IPTABLES or /etc/hosts.deny files) periodically.

I run DenyHosts so that it writes to /etc/hosts.deny. New attempts to log in as root, wheel, etc. are appended to /etc/hosts.deny and the site will be denied access on any subsequent attempts to connect (as will all addresses in that file).

Probably worth at least a look-see.

Hope this helps some.

Last edited by tronayne; 03-12-2014 at 09:00 AM.
 
1 members found this post helpful.
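As an added example (mine, not code from any poster in this thread), this is the counting that fail2ban and DenyHosts do over the log format pasted in post #1, emitting the /etc/hosts.deny lines tronayne describes. The log lines are constructed in that format using RFC 5737 documentation addresses, and the ban threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in post #1 (hostnames masked there),
# using RFC 5737 documentation addresses instead of real ones.
SAMPLE_LOG = """\
Mar 12 05:58:37 host sshd[1502]: input_userauth_request: invalid user jochen [preauth]
Mar 12 05:58:37 host sshd[1502]: Failed password for invalid user jochen from 203.0.113.5 port 54805 ssh2
Mar 12 07:52:50 host sshd[1669]: input_userauth_request: invalid user creative [preauth]
Mar 12 07:52:50 host sshd[1669]: Failed password for invalid user creative from 203.0.113.5 port 42262 ssh2
Mar 12 08:10:01 host sshd[1701]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 12 08:10:05 host sshd[1701]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
"""

# One regex covers both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_attempts(log_text):
    """Return (failures per source IP, set of usernames tried per IP)."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            users.setdefault(m.group("ip"), set()).add(m.group("user"))
    return counts, users

def hosts_deny_entries(log_text, threshold=2):
    """TCP-wrapper lines ("sshd: ADDR") for every IP with >= threshold failures.
    The threshold is an assumed value; DenyHosts and fail2ban make it configurable."""
    counts, _ = failed_attempts(log_text)
    return ["sshd: %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG):
        print(entry)  # prints: sshd: 203.0.113.5
```

Note that /etc/hosts.deny only governs sshd when it was built with TCP wrappers (libwrap), support that upstream OpenSSH removed in 6.7, so on newer builds the firewall route kirukan and tux_dude describe is the one that still takes effect.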
Old 03-12-2014, 01:14 PM   #7
tux_dude
Member
 
Registered: Dec 2008
Distribution: Slackware64 Current
Posts: 278

Had this issue many, many moons ago. I ran fail2ban initially when I only had ssh open. As I opened up my network (apache, sendmail, etc.) I didn't feel safe relying only on fail2ban. I have since beefed up my firewall and let it do all the work.
1. Only whitelisted addresses can get to ssh. I only connect from a few known addresses.
2. I have a VPN server to allow access to my network. If you are not serving anything out to the public, VPN is the way to go for remote access.

Last edited by tux_dude; 03-12-2014 at 03:40 PM.
 
Old 03-12-2014, 02:56 PM   #8
BCarey
Senior Member
 
Registered: Oct 2005
Location: New Mexico
Distribution: Slackware
Posts: 1,639

You can also turn off the password based login altogether and require usage of keys to use ssh. Oh, and here's another vote for denyhosts

Brian
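An added example (mine, not from any poster) that audits an sshd_config against the three points raised in this thread: PermitRootLogin no and an AllowGroups restriction (post #4) and key-only authentication (post #8). The config excerpt is constructed, and the group name sshusers is an assumption.

```python
import re
# Constructed sshd_config excerpt (not taken from the page); 'sshusers' is an assumed group name.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
Port 2222
PermitRootLogin no
AllowGroups sshusers
PasswordAuthentication no
ChallengeResponseAuthentication no
# sshd uses the first value it sees for a keyword, so this later line is ignored
PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Read keyword/value pairs as sshd does: case-insensitive keywords, '#' comments,
    whitespace or '=' as separator, first occurrence wins; stop at a Match block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional settings below this point need the match context
        settings.setdefault(key, parts[1].strip())
    return settings

# ChallengeResponseAuthentication is checked too: on PAM builds keyboard-interactive
# logins can otherwise still accept a password after PasswordAuthentication no.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key, "(unset, sshd default applies)")
        if got.lower() != want:
            findings.append("%s is %s, expected %s" % (key, got, want))
    if "allowgroups" not in s and "allowusers" not in s:
        findings.append("no AllowGroups/AllowUsers restriction on who may log in")
    return findings
```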
 
Old 03-12-2014, 03:34 PM   #9
mancha
Member
 
Registered: Aug 2012
Posts: 484

I enjoyed this solution but I might be a little biased.

--mancha
 
1 members found this post helpful.
  

