Dear guys,
I am now on my server with SSH and get the message during login:
...
Last failed login: Sat Feb 24 14:22:47 EST 2018 from 5.188.10.179 on ssh:notty
There were 1343 failed login attempts since the last successful login.
...
This simple relay (no exit) has been online for only a few days. Location: Moldavia / Trabia Network; VPS
Is this amount of attacks regular? In the past I had a log file of 12MB on another server - all failed logins.
It is not a problem. It is only for my feeling "Ok, That's right!".
Nickname node49c
Olaf
When you log off from your server, you must close port 22. Can you port-forward 22 to another?
regards Steffen TorGate torgate(at)linux-hus.dk OpenGPG 7FD5 65EF A4EF EEF3 7A13 4372 8409 49D6 01A2 0890
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 02/24/2018 08:36 PM, Olaf Grimm wrote:
> I am now on my server with SSH and get the message during login:
Choose another port for SSH login and close all in-ports except ssh, ORPort and DirPort.
Configure it in /etc/ssh/sshd_config (e.g. "Port 12345") and for convenience define this in your local ~/.ssh/config too, e.g.:

Host <your ip address> <your public dns hostname>
    IdentityFile=~/.ssh/<your private key file>
    Port 12345

Hi Olaf,
SSH brute force attacks are commonplace on any internet facing server with port 22 open. You have a number of countermeasure options:
1) install fail2ban which will block anyone who fails a login 3 times
2) move SSH to a non standard port (preferably >1000)
3) reconfigure SSH to only allow login with keys instead of passwords - generate and successfully test login with a key first before you set this option
4) change the firewall to only allow logins from a specified IP address (yours if you have a static IP)
I recommend if you can that you implement all of these measures as they will improve your security and stop the attacks filling up your logfiles.
S
On 24/02/18 at 19:54, Spiros Andreou wrote:
> Hi Olaf,
> SSH brute force attacks are commonplace on any internet facing server with port 22 open. You have a number of countermeasure options:
> - install fail2ban which will block anyone who fails a login 3 times
libpam-abl could be a good option too, since it doesn't rely on parsing the log files.
On 02/24/2018 09:54 PM, Spiros Andreou wrote:
[snip]
> - install fail2ban which will block anyone who fails a login 3 times
> - move SSH to a non standard port (preferably >1000)
> - reconfigure SSH to only allow login with keys instead of passwords - generate and successfully test login with a key first before you set this option
> - change the firewall to only allow logins from a specified IP address (yours if you have a static IP)
[snip]
1) Or else use SSHGuard which is a little easier. I think fail2ban did catch up with IPv6 support, which might or might not be relevant.
2) That quiets the logs for a while. But even when you are found again there won't be nearly as many attackers.
3) Using keys and prohibiting passwords is probably the single most useful thing to make sure of here. It's also very easy.
4) Locking the firewall to accept incoming from only specific IP addresses isn't good if one moves around.
On 02/24/2018 09:36 PM, Olaf Grimm wrote:
[snip]
> Is this amount of attacks regular?
[snip]
When I ran a middle relay, it was constantly scanned quite heavily and not just for SSH services.
My 2 cents.
/Lars
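
As an added example (not code from any poster in this thread), a POSIX shell check of an sshd_config file against two of the measures listed above: a non-default port and key-only login. The function names and the sample config are made up for the illustration, and a ListenAddress line that carries its own port is not examined.

```shell
# Added example: audit the global section of an sshd_config file. Include
# files and Match overrides are not followed; `sshd -T` is authoritative.

# values FILE NAMES: print every value set for a keyword before the first
# "Match". NAMES is a lowercase ERE of keyword names; keywords are
# case-insensitive and "Key value" / "Key=value" are both accepted.
values() {
    awk -v want="^($2)\$" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key ~ want) print tolower(f[2])
        }' "$1"
}

# first_or FILE NAMES DEFAULT: sshd keeps the first value it reads for a
# single-valued keyword; DEFAULT applies when the keyword is absent.
first_or() {
    v=$(values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

# audit_sshd FILE: print one finding per line; return 1 if there are any.
audit_sshd() {
    rc=0
    # Port may appear several times and sshd listens on every one of them.
    ports=$(values "$1" port)
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "port: sshd still listens on 22"; rc=1 ;;
    esac
    if [ "$(first_or "$1" passwordauthentication yes)" != no ]; then
        echo "auth: PasswordAuthentication is not 'no'"; rc=1
    fi
    # Keyboard-interactive can still ask for a password through PAM.
    kbd='kbdinteractiveauthentication|challengeresponseauthentication'
    if [ "$(first_or "$1" "$kbd" yes)" != no ]; then
        echo "auth: keyboard-interactive is not 'no'"; rc=1
    fi
    return $rc
}

# Demo on a constructed config: a leftover second Port line keeps 22 open.
cfg=$(mktemp)
printf '%s\n' 'Port 12345' 'port=22' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' >"$cfg"
audit_sshd "$cfg" || true; rm -f "$cfg"
```

Run it before reloading sshd, and keep the current session open until a key login on the new port has been tested.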