On 05/01/18 22:03, Carlos E. R. wrote:
On Friday, 2018-01-05 at 18:50 +0100, gumb wrote:
I only know the very basics of ssh (and next to nothing useful of Linux security). When I access a remote openSUSE machine using a private key previously exchanged, as opposed to a basic password (note: the remote PC has a very 'standard' configuration and its firewall is activated), I usually check the system log in YaST and apply a filter 'ssh' starting from my previous date of access.
You can do this from the terminal without YaST. For instance:
journalctl | grep -i ssh | less
If you want to do this as a user, not root, add your user to the group "systemd-journal" using the YaST users and groups management module, and log in again.
It's probably worth making a note of. I use YaST simply because the main reason I ssh to that machine is to do updates and run the Software Management module. I started on SuSE before zypper was a thing so old habits die hard, YaST is just where I go to get things done.
There is nothing to worry about :-)
However, you may go one step further to avoid this, which as already suggested, is placing your ssh server in any very high port of your choosing. They will simply not find you unless they are specifically trying to access your machine and do a serious scan.
If you have, as most people, an access router, the place to do this is in the router. Say you want to move to the port 37453. Well, you configure your router to send incoming access to port 37453 to the internal machine 192.168.1.64 at port 22. That's all on the server side.
On the client side, however, you must tell the ssh client to connect on port 37453. You can edit the client file .ssh/config
    Host yourserver.at.dyndns
        Port 37453
and it will happen automatically.
Of course, you have to test all this work before breaking the current session, and be locked out; or do it while you have physical access to the server machine.
There are other methods; what I described is for hardware under your full control, usually at home.
Yep, the port number was something I configured at the beginning to be non-standard, so hopefully this scan was just a lucky hit. However, I've just thought of something. It's well over a year since I first got ssh set up and in that time nothing's ever shown up in the logs. I was at the other location just a week or so ago, and on the 26th December attempted to configure ssh in the reverse direction to my main machine left switched on at home. I simply generated the ssh key then attempted the ssh-copy-id command, but it would hang and eventually produce an error message that I've forgotten. Just an inaccessible machine or whatever. I don't know why and haven't looked into it enough. Both machines run openSUSE 42.3 and have been configured for ssh identically so far as I'm aware, and I saw nothing obvious in my main machine's logs when I returned home to suggest even any attempt at an ssh connection. But it was just two days later that the first of these two failed access attempts from a Cypriot server shows up in the remote machine's logs. Which is just a bit too coincidental for comfort. Is there any way that a ssh-copy-id command can be intercepted enough so as to trace the sender's port number?
gumb
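
The log check discussed in this thread (filtering the journal for ssh entries since the last visit), as an added example that is not part of the original messages: a shell function that counts failed and accepted sshd log lines per source address. It assumes journalctl's default short output layout; the host name, user names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed.
# Counts sshd failure/success log lines per peer address from journal text on stdin.
summarize_ssh() {
    awk '
    # Default "short" layout: month day time host sshd[pid]: message...
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }

    # Peer address = first word after the LAST " from ". The user name in
    # these messages is supplied by the remote side and may contain " from ".
    function peer(line,   n, parts, rest) {
        n = split(line, parts, " from ")
        if (n < 2) return ""
        split(parts[n], rest, " ")
        return rest[1]
    }

    # Decide the event type from the first words of the message only.
    ($6 == "Failed" && $8 == "for") || ($6 == "Invalid" && $7 == "user") ||
    ($6 == "Did" && $7 == "not") {
        ip = peer($0); if (ip != "") failed[ip]++
        next
    }
    $6 == "Accepted" && $8 == "for" {
        ip = peer($0); if (ip != "") accepted[ip]++
    }
    END {
        for (ip in failed)   printf "FAILED %s %d\n", ip, failed[ip]
        for (ip in accepted) printf "ACCEPTED %s %d\n", ip, accepted[ip]
    }' | LC_ALL=C sort
}

# Constructed journal lines: documentation address ranges, made-up host and users.
sample_log() {
    cat <<'EOF'
Dec 28 03:14:07 remotepc sshd[2211]: Invalid user admin from 203.0.113.5 port 40022
Dec 28 03:14:09 remotepc sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Dec 28 03:14:12 remotepc sshd[2215]: Failed password for root from 203.0.113.5 port 40031 ssh2
Dec 28 03:14:15 remotepc sshd[2219]: Invalid user bob from 192.0.2.1 from 203.0.113.5 port 40044
Dec 30 11:02:44 remotepc sshd[3107]: Did not receive identification string from 203.0.113.77 port 51812
Jan 05 17:40:10 remotepc sshd[4410]: Accepted publickey for alice from 198.51.100.7 port 50514 ssh2: RSA SHA256:CONSTRUCTED
Jan 05 17:40:10 remotepc systemd[1]: Started Session 12 of user alice.
EOF
}

sample_log | summarize_ssh
```

On the real machine the input would come from something like `journalctl -u sshd --since 2017-12-26 --no-pager | summarize_ssh`; the unit name `sshd` and the date are assumptions to adjust. One login attempt can produce more than one matching line, so the numbers are log lines, not distinct attempts.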