On Fri, 2018-01-05 at 14:35 -0600, Christopher Myers wrote:
On Fri, 2018-01-05 at 18:50 +0100, gumb wrote:
ssh newbie question:
I only know the very basics of ssh (and next to nothing useful of Linux security). When I access a remote openSUSE machine using a private key previously exchanged, as opposed to a basic password (note: the remote PC has a very 'standard' configuration and its firewall is activated), I usually check the system log in YaST and apply a filter 'ssh' starting from my previous date of access.
On this occasion I see something alien in the log. It appears to be just a failed attempt at unauthorized access. There are two entries from two separate dates. Example:
kernel     │ SFW2-INext-ACC-TCP IN=eth0 OUT= MAC={big-long-mac-address} SRC=5.8.18.70 DST=192.168.1.64 LEN=52 TOS=0x02
sshd[4243] │ Bad protocol version identification '\003' from 5.8.18.70 port 526
I did a search for this IP address and see this page: https://www.abuseipdb.com/check/5.8.18.70 which has several recent abuse reports.
Without getting into complex nerdy affairs, what should my next simple step be? I assume I should only be concerned if I see a line suggesting a new ssh session was opened by somebody other than me? Or is there anything else I should keep a lookout for in future?
gumb
If this system is accessible on the internet, and needs to stay that way, you might want to do a couple of things --
First, don't have it listen on port 22. Whether through your firewall or the server itself, make SSH respond on some random high port, like 6022, or 60022, or something like that. (If through SSH directly, the line in sshd_config is "Port 22" (no quotes; remove the # at the front if there is one).)
Second, seriously consider doing something like fail2ban, so that multiple invalid attempts will result in their IP address being outright blocked. This will help prevent brute-forcing a connection.
Third, make absolutely sure that you have root logins and password-based logins disabled (aka, ONLY key logins.) These are the lines in sshd_config that you'd set:

    PermitRootLogin no
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    UsePAM no
    ChallengeResponseAuthentication no
After making any changes to the config file, do "service sshd restart" (no quotes)
If you do the port number change, do it first and test it. Then leave that session open if you do any other changes.
CRITICAL: IF YOU CHANGE THE AUTHENTICATION MECHANISMS, BEFORE CLOSING YOUR SSH SESSION, MAKE SURE THAT YOU CAN OPEN A SECOND SESSION AND CONNECT SUCCESSFULLY! That way if you messed up the config, you won't have locked yourself out of your box, and can fix things.
OH -- And, if you want some extra peace of mind, add something like the following to the file /etc/ssh/sshrc (create the file if it doesn't exist):

    # the first field of SSH_CONNECTION is the client address
    ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
    # record the login in syslog, tagged ssh-wrapper
    logger -t ssh-wrapper "$USER login from $ip"
    # send the notice in the background so the login shell is not held up
    echo "User $USER just logged in from $ip" | mail -s 'SSH server logged into!' username@domain.com &

Every time anyone logs into that server via SSH, you'll get an email to that username@domain.com about it (assuming you have email set up successfully.)

From "man ssh", under the "FILES" section:

    /etc/ssh/sshrc
        Commands in this file are executed by ssh when the user logs in, just before the user's shell (or command) is started. See the sshd(8) manual page for more information.
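Added example, not part of Christopher Myers' mail or of OpenSSH itself: a small POSIX shell audit that reads an sshd_config and checks the directives recommended above, plus whether Port is still 22. The function names, the path argument and the sample config it writes to a temporary file are constructed for this illustration. An unset directive is reported as a failure because the point of the advice is to set each one explicitly; Match blocks are not evaluated, so a directive overridden inside one needs a separate look.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config
# against the directives recommended in the reply. Function names and the
# sample config are constructed for this illustration.

# Effective value of one directive: the first uncommented occurrence wins, as
# it does in sshd itself. Printed lowercased; empty if the directive is unset.
sshd_option() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Check each recommended directive. Prints one line per directive and
# returns 0 only when every one matches; a directive that is not set at all
# counts as a failure, since the advice is to set each one explicitly.
# Match blocks are not evaluated, so overrides inside them need a separate look.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for pair in \
        PermitRootLogin=no \
        PubkeyAuthentication=yes \
        PasswordAuthentication=no \
        ChallengeResponseAuthentication=no \
        UsePAM=no
    do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_option "$cfg" "$key")"
        if [ "$got" = "$want" ]; then
            printf 'OK   %-32s %s\n' "$key" "$got"
        else
            printf 'FAIL %-32s got "%s", want "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    # Moving off port 22 is advice rather than a hard requirement, so only warn.
    port="$(sshd_option "$cfg" Port)"
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        printf 'WARN Port is %s; the reply suggests a non-default port\n' "${port:-unset (default 22)}"
    fi
    return "$rc"
}

# Constructed sample sshd_config (not from any real server). It has one
# commented-out "good" line followed by a live "bad" one, the mistake the
# audit is meant to catch.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config excerpt, constructed for this example
#Port 22
Port 60022
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication no
PasswordAuthentication yes
UsePAM no
ChallengeResponseAuthentication no
EOF
}

# Demonstration on the sample; on a real host call
# audit_sshd_config /etc/ssh/sshd_config instead.
sample="$(mktemp)"
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "sshd_config needs attention before you close your session"
rm -f "$sample"
```

Run it against the live file before the sshd restart the reply describes, and again from the second session that the CRITICAL note says to open: a FAIL line there is the lockout you would otherwise discover only after closing the first session.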
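The question of what to look for in the log, as an added example that is not from the thread: shell functions that separate the lines meaning a session was actually opened (sshd's "Accepted <method> for <user> from <address>") from scanner noise (bad protocol version, failed passwords, invalid users) and count the noise per source address. The sample journal lines are constructed for this illustration; only the 5.8.18.70 address comes from the thread, and the host name, users, fingerprint, timestamps and other addresses are made up, as are the function names.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sort sshd log lines into
# "a session was opened" versus scanner noise. Function names and the sample
# log are constructed for this illustration.

# Constructed sample lines in journalctl/syslog layout. Only the 5.8.18.70
# address comes from the thread; host, users, fingerprint, timestamps and the
# other addresses are made up. The first line is SuSEfirewall2 accepting the
# packet (the port is reachable); it is not a login.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 05 09:12:00 host kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=5.8.18.70 DST=192.168.1.64 LEN=52 TOS=0x02
Jan 05 09:12:01 host sshd[4243]: Bad protocol version identification '\003' from 5.8.18.70 port 526
Jan 05 09:12:03 host sshd[4250]: Did not receive identification string from 5.8.18.70 port 530
Jan 05 18:40:11 host sshd[4301]: Accepted publickey for gumb from 192.168.1.10 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 06 02:15:44 host sshd[4390]: Failed password for invalid user admin from 203.0.113.7 port 44122 ssh2
Jan 06 02:15:46 host sshd[4390]: Failed password for root from 203.0.113.7 port 44122 ssh2
Jan 07 03:01:09 host sshd[4555]: Accepted password for root from 203.0.113.7 port 44400 ssh2
EOF
}

# Lines that mean a session was actually opened: sshd logs
# "Accepted <method> for <user> from <address> port <n> ...".
# Output: one "user address method" line per login.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted") { print $(i+3), $(i+5), $(i+1); break }
    }' "$1"
}

# The thing the question asks about: accepted logins that are not the
# expected user, or not from the expected source prefix.
unexpected_logins() {
    # $1 = log file, $2 = expected user, $3 = expected address prefix (e.g. 192.168.1.)
    accepted_logins "$1" | awk -v user="$2" -v prefix="$3" \
        '$1 != user || index($2, prefix) != 1'
}

# Everything else is background noise. Counting it per source address makes a
# persistent scanner stand out; this is the input a fail2ban jail acts on.
noise_by_source() {
    awk '
        /sshd\[[0-9]+\]: (Bad protocol version identification|Did not receive identification string|Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Demonstration on the sample log. On openSUSE the real lines come from
# journalctl -u sshd (or the YaST log viewer with the "ssh" filter).
log="$(mktemp)"
write_sample_log "$log"
echo "== sessions opened (user address method)"
accepted_logins "$log"
echo "== sessions opened by someone other than gumb from 192.168.1.x"
unexpected_logins "$log" gumb 192.168.1.
echo "== noise per source address"
noise_by_source "$log"
rm -f "$log"
```

The Bad protocol version line from the question lands in the noise list, not the login list, which is the distinction the reply relies on: noise is what fail2ban and the port change are for, while a line from unexpected_logins is the one that calls for action (and, with password logins disabled as the reply recommends, an "Accepted password" line should never appear at all).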