This month's Albuquerque Linux User Group hangout will be held virtually on the first Tuesday of this month, April 5, 2022, at 6:00 pm.

Here is the link you can use to join the virtual meetup: https://live.abqlug.com/AprilMeetup

If you would like more information on how to attend the meetup, visit: https://www.abqlug.com/how-to-attend/

If you're having issues using a microphone or camera, you might have to make sure that WebRTC is enabled in your browser, especially if you have "locked down" your browser. If WebRTC is working, you should be able to complete a Microphone and Camera Test with the link above. You can test your setup here: https://test.webrtc.org/

The meetup will likely end around 8:00 PM or before.

Hope to see you there!

~ Jared
I've been getting constant ssh attacks, like several per minute. Any suggestions? I could change the port from 22, but I don't know if that will do much.

There used to be some sort of sshd wrapper which could ban an IP after failed attempts. I think it was deprecated. The attack IP changes, but there are often a few dozen attacks from the same IP. Again, some help... but not much.

I have password access disabled. (You need to have a key to ssh in.) Anything else I should do?

aaron
Look into fail2ban -- it is on most Linux distros I'm used to seeing. It may do something that helps your situation.

Changing to another port does help cosmetically. (It also allows you to run something on a port that captive portals allow through -- say, 53...)

I've been considering the idea of blocking large swaths of IPv4/6 from places I'm unlikely to care about traffic.

On Mon, Aug 08, 2022 at 10:01:12AM -0600, Aaron Birenboim wrote:
I've been getting constant ssh attacks, like several per minute.
Any suggestions? I could change the port from 22, but I don't know if that will do much.
There used to be some sort of sshd wrapper which could ban an IP after failed attempts. I think it was deprecated. The attack IP changes, but there are often a few dozen attacks from the same IP. Again, some help... but not much.
I have password access disabled. (You need to have a key to ssh in). Anything else I should do?
aaron
_______________________________________________ nmglug mailing list nmglug@lists.nmglug.org http://lists.nmglug.org/listinfo.cgi/nmglug-nmglug.org
John Osmon writes:
Look into fail2ban -- it is on most Linux distros I'm used to seeing. It may do something that helps your situation.
Changing to another port does help cosmetically. (It also allows you to run something on a port that captive portals allow through -- say, 53...)
Both of those have helped on our server, though we still get plenty of attacks. But if you run something like fail2ban, make sure you have some sort of out-of-band option to get to the server in emergencies: it's a real drag when due to some weird circumstance you end up locked out of ssh to your own server. ...Akkana
I'd recommend Fail2Ban as well. Beyond that, you pretty much just have to accept a certain amount of attacks hitting your system regularly. Various servers I administer get pounded constantly, typically several thousand times a day. Solid firewall rules, strong passwords, and ensuring your software is up to date on patches are really the best you can manage.

This is unfortunately just how things normally roll on the Internet these days. You cannot stop attackers from attacking you, but you don't have to make it easy for them. Fail2Ban helps, block lists help, but at the end of the day, it's gonna happen to one degree or another, no matter what you do.

Will

On 8/8/2022 10:25 AM, John Osmon wrote:
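John, Akkana and Will all point at fail2ban. What follows is an added example, not from the thread and not fail2ban's own code, that replays fail2ban's core logic (a per-source sliding window of findtime, a maxretry threshold, a bantime, and an ignoreip list) over a handful of constructed sshd log lines using RFC 5737 documentation addresses and an assumed log year of 2022. Two details matter for a key-only host like Aaron's: with password authentication off, probes mostly show up as "Connection closed by authenticating user ... [preauth]" or "Invalid user ..." lines rather than "Failed password", so the filter has to match those (fail2ban's sshd filter has a `mode` setting that controls which patterns it matches; check it against what your sshd actually logs), and the ignore list is what keeps a fumbled key on your own workstation from triggering the lockout Akkana warns about.

```python
"""Fail2ban-style ban logic replayed over sshd log lines (added example; not
fail2ban's code).  Sliding window per source address, a retry threshold, and
an ignore list so the admin's own host is never locked out."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure lines sshd writes.  On a key-only host most probes never reach a
# "Failed password" line; they appear as "Connection closed by authenticating
# user ... [preauth]" or "Invalid user ..." instead, so match those as well.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?:"
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip1>\S+)"
    r"|Invalid user \S+ from (?P<ip2>\S+)"
    r"|Connection closed by authenticating user \S+ (?P<ip3>\S+) port \d+ \[preauth\]"
    r")"
)
LOG_YEAR = 2022  # syslog timestamps carry no year; assumed for the sample below

# Constructed sample (RFC 5737 addresses).  192.0.2.10 is the admin's own
# workstation, which fumbles its key three times in a row at 10:02.
SAMPLE_LOG = """\
Aug  8 10:01:02 server sshd[1201]: Invalid user admin from 203.0.113.5 port 40122
Aug  8 10:01:09 server sshd[1204]: Connection closed by authenticating user root 203.0.113.5 port 40130 [preauth]
Aug  8 10:01:15 server sshd[1207]: Invalid user oracle from 203.0.113.5 port 40141
Aug  8 10:01:20 server sshd[1210]: Connection closed by authenticating user root 198.51.100.7 port 51000 [preauth]
Aug  8 10:01:22 server sshd[1211]: Failed password for root from 203.0.113.5 port 40150 ssh2
Aug  8 10:01:31 server sshd[1215]: Accepted publickey for aaron from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:k3yf1ng3rpr1nt
Aug  8 10:02:00 server sshd[1220]: Connection closed by authenticating user aaron 192.0.2.10 port 50001 [preauth]
Aug  8 10:02:05 server sshd[1221]: Connection closed by authenticating user aaron 192.0.2.10 port 50002 [preauth]
Aug  8 10:02:10 server sshd[1222]: Connection closed by authenticating user aaron 192.0.2.10 port 50003 [preauth]
Aug  8 10:20:00 server sshd[1300]: Connection closed by authenticating user root 198.51.100.7 port 51010 [preauth]
Aug  8 10:20:05 server sshd[1301]: Connection closed by authenticating user root 198.51.100.7 port 51011 [preauth]
"""


def parse_failure(line, year=LOG_YEAR):
    """Return (timestamp, source_ip) for an auth-failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2") or m.group("ip3")


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1), ignoreip=("127.0.0.0/8",)):
    """Replay log lines in order; return [(ip, time_banned)] in the order the
    bans would be issued.  Addresses inside ignoreip are never banned."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> failure timestamps inside findtime
    ban_until = {}               # ip -> expiry of the current ban
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ipaddress.ip_address(ip) in net for net in ignore_nets):
            continue  # our own hosts: never lock ourselves out
        if ts < ban_until.get(ip, ts):
            continue  # already banned; the firewall rule would have dropped this
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # slide: only failures within findtime count
        if len(window) >= maxretry:
            bans.append((ip, ts))
            ban_until[ip] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    admin_nets = ("127.0.0.0/8", "192.0.2.0/24")
    for ip, when in find_bans(SAMPLE_LOG.splitlines(), ignoreip=admin_nets):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Run as-is it bans only 203.0.113.5 (third failure at 10:01:15); 198.51.100.7 never accumulates three failures inside one ten-minute window, and 192.0.2.10 is spared only because its network is in the ignore list. Drop it from `admin_nets` and the admin's own workstation is banned at 10:02:10, which is exactly the lockout scenario an out-of-band console path is for.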
Probably remove the password accept from the sshd altogether. Set password authentication to "no" instead of commenting it out. One gotcha is I needed to make a config for ssh to use public key as the preferred authentication.

On Mon, Aug 8, 2022 at 10:01 AM Aaron Birenboim <aaron@boim.com> wrote:
Hi Aaron,

I think the answers to your questions have been hammered away pretty well, but I wanted to give my 2¢.

Are the machines on-prem, in a datacenter, or on a cloud provider (such as Linode, DigitalOcean, Azure, or AWS)? Also, what distro and version are you using? Having those answers can help give more detailed advice.

Above all, the biggest takeaway should be to use a belt-and-suspenders approach. If any one approach has a flaw, you have other layers of protection to fall back on.

This is what I do on a Linode-hosted Ubuntu VPS.

1) I set these in /etc/ssh/sshd_config:

    PermitRootLogin no
    StrictModes yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    PermitEmptyPasswords no
    AuthenticationMethods publickey

2) Before proceeding, establish a new ssh session to make sure ssh still works.

3) I set up some Linode firewall rules to only allow my IP address to connect over port 22.
https://www.youtube.com/watch?v=H7wM5mDI1-k

4) Check ssh again. Then I use UFW to set up a firewall on the OS side; replace 1.2.3.4 with your IP address. Repeat the firewall rules if you have multiple hosts to ssh from.

    sudo ufw default deny incoming
    sudo ufw allow proto tcp from 1.2.3.4 to any port 22
    sudo ufw enable

5) Set up fail2ban (especially if you decide to not use any firewalls).
https://www.linode.com/docs/guides/how-to-use-fail2ban-for-ssh-brute-force-p...

As Akkana mentioned, setting up an out-of-band "backdoor" is critical, especially if the server isn't on-prem and easy to gain console-level access to. If the server is hosted with a cloud provider, for example Linode, you can use their Lish Console through a web browser to gain console-level access.

What I do with some servers at BigByte is set up an OpenVPN server that has a hole poked through the firewalls. You could also use something like TailScale if you haven't set up OpenVPN before.

And of course don't forget to use a strong and unique passphrase on all of your ssh keys. If you get tired of typing in ssh passphrases, you can set up an SSH agent (for example ssh-agent, Gnome Keyring, or KDE Wallet) to cache the passphrases until you reboot.

I'm planning on doing a deep dive on using Google Authenticator to set up 2FA on SSH. But I haven't gotten around to it...yet.
https://www.linode.com/docs/guides/how-to-use-one-time-passwords-for-two-fac...

Hope this helps!

~ Jared

On 8/8/22 10:01, Aaron Birenboim wrote:
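Wesley's gotcha (set PasswordAuthentication to "no" rather than leaving it commented out) and Jared's sshd_config list both come down to the same question: what is sshd's effective setting, not what is written in the file? This added example, which is not from the thread and not OpenSSH's code, parses a constructed Debian-style sshd_config the way sshd reads it (keywords case-insensitive, a leading '#' is a comment, first value wins, Match blocks are conditional rather than global) and reports every directive whose effective value, including OpenSSH's documented default when the line is commented out, differs from the hardened list. It also flags an Include directive, since values in included files are read first and win, and it adds KbdInteractiveAuthentication no (formerly ChallengeResponseAuthentication) to Jared's list because with UsePAM that path can still prompt for a password even when PasswordAuthentication is off; AuthenticationMethods publickey closes it as well.

```python
"""Audit sshd_config the way the thread recommends (added example, not from the
thread or from OpenSSH).  Flags directives that are commented out, so the
compiled-in default applies, as well as ones set to a weak value."""
import re

# keyword -> (value we want, OpenSSH's default when the directive is absent)
WANTED = {
    "permitrootlogin":              ("no",        "prohibit-password"),
    "passwordauthentication":       ("no",        "yes"),
    "kbdinteractiveauthentication": ("no",        "yes"),  # PAM password prompts
    "pubkeyauthentication":         ("yes",       "yes"),
    "permitemptypasswords":         ("no",        "no"),
    "strictmodes":                  ("yes",       "yes"),
    "authenticationmethods":        ("publickey", "any"),
}

# Constructed Debian-style fragment: the weak lines are commented out, so the
# defaults apply, and the only "PasswordAuthentication no" sits inside a Match
# block, where it covers one user rather than the whole server.
SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
KbdInteractiveAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

# Jared's list, plus KbdInteractiveAuthentication no.
HARDENED = """\
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
"""


def parse_sshd_config(text):
    """Global directives as {keyword: value}, following sshd's rules: keywords
    are case-insensitive, '#' at line start is a comment, '=' or whitespace
    separates keyword and value, the first value wins, and everything after a
    Match line is conditional rather than global."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"  # older name for the same option
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(text, wanted=WANTED):
    """Return findings as (keyword, effective value, where it came from, expected)."""
    cfg = parse_sshd_config(text)
    findings = []
    if "include" in cfg:
        # Included files are read first, so their values win over this file's.
        # They are not followed here: audit them too, or read `sshd -T` output.
        findings.append(("include", cfg["include"], "set in file", "audit included files"))
    for key, (want, default) in wanted.items():
        if key in cfg:
            value, origin = cfg[key].lower(), "set in file"
        else:
            value, origin = default, "OpenSSH default (directive absent or commented out)"
        if value != want:
            findings.append((key, value, origin, want))
    return findings


if __name__ == "__main__":
    for key, value, origin, want in audit(SAMPLE):
        print(f"{key}: {value} [{origin}] -> want {want}")
    print("hardened config findings:", audit(HARDENED))
```

On a live box the authoritative check is `sudo sshd -T`, which prints the effective configuration after Includes and defaults are applied, and `sudo sshd -t` validates the file before you restart the daemon; do both from an existing session, as step 2 in Jared's list says, before trusting a new one.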
thanx. On 8/8/22 13:35, ABQLUG Events wrote:
Hi Aaron,
I think the answers to your questions have been hammered away pretty well, but I wanted to give my 2¢.
Are the machines on-prem, in a datacenter, or on a cloud provider (such as Linode, DigitalOcean, Azure, or AWS)? Also, what distro and version are you using? Having those answers can help give more detailed advice.
Dynamic DNS to server in my house. Comcast. Debian Bullseye (11.3 ... does it upgrade to 11.4 if I apt upgrade?), behind an OpenWRT firewall/router/WAP/NAT. OpenWRT forwards ports 22 and 80 to server. Machine is also gateway between my DMZ and internal net. Most of my streaming devices and guest logins stay in the DMZ.
Above all, the biggest takeaway should be to use a belt-and-suspenders approach. If any one approach has a flaw, you have other layers of protection to fall back on.
This is what I do on a Linode-hosted Ubuntu VPS.
1) I set these in /etc/ssh/sshd_config:

    PermitRootLogin no
    StrictModes yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    PermitEmptyPasswords no
    AuthenticationMethods publickey
Done.
2) Before proceeding, establish a new ssh session, to make sure ssh still works.
3) I set up some Linode firewall rules to only allow my IP address to connect over port 22.
https://www.youtube.com/watch?v=H7wM5mDI1-k
4) Check ssh again. Then I use UFW to set up a firewall on the OS side; replace 1.2.3.4 with your IP address. Repeat the firewall rules if you have multiple hosts to ssh from.

    sudo ufw default deny incoming
    sudo ufw allow proto tcp from 1.2.3.4 to any port 22
    sudo ufw enable
Done, except I have port 80 open also. Still deciding if I should do https on 443, or have it forward to 22. I used to have to do this to get out of UNM WiFi to my house. (UNM allowed 443 out, but not 22.)
5) Set up fail2ban (especially if you decide to not use any firewalls).
https://www.linode.com/docs/guides/how-to-use-fail2ban-for-ssh-brute-force-p...
Will check.
As Akkana mentioned, setting up an out-of-band "backdoor" is critical, especially if the server isn't on-prem and easy to gain console-level access to. If the server is hosted with a cloud provider, for example Linode, you can use their Lish Console through a web browser to gain console-level access.
What I do with some servers at BigByte is set up an OpenVPN server that has a hole poked through the firewalls. You could also use something like TailScale if you haven't set up OpenVPN before.
And of course don't forget to use a strong and unique passphrase on all of your ssh keys. If you get tired of typing in ssh passphrases, you can set up an SSH agent (for example ssh-agent, Gnome Keyring, or KDE Wallet) to cache the passphrases until you reboot.
I'm planning on doing a deep dive on using Google Authenticator to set up 2FA on SSH. But I haven't gotten around to it...yet.
https://www.linode.com/docs/guides/how-to-use-one-time-passwords-for-two-fac...
Hope this helps!
~ Jared
On 8/8/22 10:01, Aaron Birenboim wrote:
Hi Aaron,

Since you are using this server at home, I would recommend sticking your home devices behind a separate (and properly configured) firewall. If your server gets pwned, you don't want that to spread to the rest of your devices... Having the server pass traffic to your home devices is NOT a good idea, at all...

As for bypassing UNM's firewall rules: keeping SSH on 443 w(e)rks, but I recommend putting OpenVPN on 443 (TCP) or on 53 (UDP), since you can use HMAC to drop packets from anyone that doesn't present the expected certificate. Keep in mind that port 53 is typically (not always) rate limited on most enterprise firewalls.
https://openvpn.net/community-resources/hardening-openvpn-security/

But these days, I recommend just using TailScale to access your devices at home if you are remote, especially since you can bypass the strictest of NAT rules quite easily. This eliminates the use of port forwarding (if you don't want to publicly expose your server).
https://tailscale.com/blog/how-tailscale-works/

To upgrade to a newer point release, you would need to run "sudo apt dist-upgrade" (I believe full-upgrade will do it too, but I haven't tested it though...)

Sorry it took so long to reply, I suck at life...

~ Jared

On 8/8/22 14:31, Aaron Birenboim wrote:
participants (6)
Aaron Birenboim
ABQLUG Events
Akkana Peck
John Osmon
Wesley Robbins
Will Pearson