On Fri, 2018-01-05 at 18:50 +0100, gumb wrote:
ssh newbie question:
I only know the very basics of ssh (and next to nothing useful of Linux security). When I access a remote openSUSE machine using a private key previously exchanged, as opposed to a basic password (note: the remote PC has a very 'standard' configuration and its firewall is activated), I usually check the system log in YaST and apply a filter 'ssh' starting from my previous date of access.
On this occasion I see something alien in the log. It appears to be just a failed attempt at unauthorized access. There are two entries from two separate dates. Example:
kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC={big-long-mac-address} SRC=5.8.18.70 DST=192.168.1.64 LEN=52 TOS=0x02
sshd[4243]: Bad protocol version identification '\003' from 5.8.18.70 port 526
I did a search for this IP address and see this page: https://www.abuseipdb.com/check/5.8.18.70 which has several recent abuse reports.
Without getting into complex nerdy affairs, what should my next simple step be? I assume I should only be concerned if I see a line suggesting a new ssh session was opened by somebody other than me? Or is there anything else I should keep a lookout for in future?
gumb
If this system is accessible on the internet, and needs to stay that way, you might want to do a couple of things --

First, don't have it listen on port 22. Whether through your firewall or the server itself, make SSH respond on some random high port, like 6022, or 60022, or something like that. (If through SSH directly, the line in sshd_config is "Port 22" (no quotes); remove the # at the front if there is one.)

Second, seriously consider doing something like fail2ban, so that multiple invalid attempts will result in their IP address being outright blocked. This will help prevent brute-forcing a connection.

Third, make absolutely sure that you have root logins and password-based logins disabled (aka, ONLY key logins). These are the lines in sshd_config that you'd set:

    PermitRootLogin no
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    UsePAM no
    ChallengeResponseAuthentication no

After making any changes to the config file, do "service sshd restart" (no quotes).

If you do the port number change, do it first and test it. Then leave that session open if you do any other changes.

CRITICAL: IF YOU CHANGE THE AUTHENTICATION MECHANISMS, BEFORE CLOSING YOUR SSH SESSION, MAKE SURE THAT YOU CAN OPEN A SECOND SESSION AND CONNECT SUCCESSFULLY! That way if you messed up the config, you won't have locked yourself out of your box, and can fix things.
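The procedure in the reply above, as an added example that is not part of the thread and not code from either poster: a small POSIX shell script that writes the recommended sshd_config settings into a copy of the file and then audits the result so you can see the settings are really in effect before restarting sshd. The function names, the default port of 60022, and the sample config it builds for itself are assumptions of this example. It handles one detail the reply does not mention: a directive placed after a "Match" block only applies inside that block, so the new lines are put at the top of the file, and lines inside Match blocks are left alone for you to review by hand.

```shell
#!/bin/sh
# Added example, not code from the thread. Works on a COPY of sshd_config;
# the caller is expected to run "sshd -t -f COPY" to syntax-check it, copy
# it into place, restart sshd, and confirm a second session connects before
# closing the first, exactly as the reply stresses.

# set_directive FILE KEY VALUE
# Writes "KEY VALUE" at the top of FILE and removes every earlier active or
# commented copy of KEY that appears before the first "Match" block. Lines
# inside Match blocks are kept unchanged so deliberate per-user exceptions
# are not silently lost.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
            tolower($1) == "match" { inmatch = 1 }
            inmatch { print; next }
            {
                l = $0
                sub(/^[ \t]*#?[ \t]*/, "", l)   # strip indent and a leading "#"
                split(l, a, /[ \t]+/)
                if (tolower(a[1]) == k) next    # drop old copies of the key
                print
            }' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE [PORT]
# Applies the full set of settings from the reply, the port change first.
harden_sshd_config() {
    file=$1 port=${2:-60022}
    set_directive "$file" Port "$port" &&
    set_directive "$file" PermitRootLogin no &&
    set_directive "$file" PubkeyAuthentication yes &&
    set_directive "$file" AuthorizedKeysFile .ssh/authorized_keys &&
    set_directive "$file" PasswordAuthentication no &&
    set_directive "$file" UsePAM no &&
    set_directive "$file" ChallengeResponseAuthentication no
}

# effective_value FILE KEY
# Prints the value sshd would use for KEY in the global section (first
# uncommented occurrence wins), or nothing if it is not set there.
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Returns 0 only when every setting the reply asks for is in effect.
# A missing PasswordAuthentication counts as a failure because sshd
# defaults it to "yes"; a missing Port counts as 22 for the same reason.
audit_sshd_config() {
    file=$1 rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PubkeyAuthentication=yes \
                UsePAM=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    port=$(effective_value "$file" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "sshd still listens on port 22" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample, not any real system's file: with no arguments the
# script shows the before/after on it; otherwise pass the path of a copy.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' '' '# comment' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$sample"
    audit_sshd_config "$sample" || echo "before: NOT hardened"
    harden_sshd_config "$sample" 60022
    audit_sshd_config "$sample" && echo "after: hardened"
    cat "$sample"
    rm -f "$sample"
else
    harden_sshd_config "$1" "${2:-60022}" && audit_sshd_config "$1"
fi
```

Usage on a real box: copy /etc/ssh/sshd_config somewhere, run the script on the copy with your chosen port, then "sshd -t -f copy" before installing it and restarting the service. The audit deliberately treats an unset PasswordAuthentication or Port as the insecure default rather than as a pass, since that is what sshd does.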