Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
On 9/21/20 11:19 AM, Андрей Гвоздев wrote:
I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
I think this is quite normal, for any server, if you do not run any service that blocks IPs after n failed login attempts.
Always make sure to fix any zero-days in your SSH service fast and use a safe authentication method (maybe key-based).
Regards yl
On 9/21/20 12:19 PM, Андрей Гвоздев wrote:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
That is normal for any outwardly facing SSH server, Tor or not. The established best practice is considered to be deploying SSH key- or SSH certificate-based authentication and then disabling password authentication.
On 2020-09-21 11:19:20, "Андрей Гвоздев" andrejgvozdev55@gmail.com wrote:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
Exposing an SSH server to the internet will get you lots of login attempts. Here are some things you SHOULD do to help the situation:
* Change the SSH default port.
* Disable the root login.
* Use key-based authentication.
I also found fail2ban had much less work to do, banning a handful a day, not a thousand, by stopping SSH password authentication and using private key authentication. Something I should have done from the start anyway. It seems that if a server sends a public key on an attempted login and refuses a password, it stops the kiddies/robots from trying anymore.
Gerry
On 21 September 2020 14:53, Toralf Förster wrote on tor-relays@lists.torproject.org (Subject: Re: [tor-relays] SSH):
On 9/21/20 1:52 PM, Logforme wrote:
Change the SSH default port.
AFAICT that helped, but only for a while. After a few weeks/months the non-default port is discovered (probably by a more extensive port scan) and the failed login attempts continued.
Try setting it so it bans after 3 failed attempts.
On Mon, Sep 21, 2020, 7:53 AM Toralf Förster toralf.foerster@gmx.de wrote:
On 9/21/20 1:52 PM, Logforme wrote:
Change the SSH default port.
AFAICT that helped, but only for a while. After a few weeks/months the non-default port is discovered (probably by a more extensive port scan) and the failed login attempts continued.
-- Toralf
On 9/21/20 7:52 AM, Logforme wrote:
On 2020-09-21 11:19:20, "Андрей Гвоздев" andrejgvozdev55@gmail.com wrote:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
Exposing a SSH server to the internet will get you lots of login attempts.
Yes, this is normal for anyone running internet-facing systems, and there are as many mitigations as there are sysadmins.
Here are some things you SHOULD do to help the situation: Change the SSH default port.
Yes, this will lessen the number of entries in the relevant log file until the brute-force attackers get more intelligent. Just understand this is not a security measure. It's more like a dose of obscurity to make log files less noisy.
Disable the root login.
+1
Use key-based authentication.
+1
Those are important and vital security measures, as is employing some sort of multi-factor authentication methods like Yubikey. (no, officially key-based SSH auth is not formally MFA...)
But the two ways to actually address the problem are either:
* network or host-based firewalling to limit connections based on the same source, rate, etc., which depends on the operating system you're running.
* there are also tools like fail2ban and so on that are popular.
* if you're running FreeBSD or NetBSD, try Christos's blacklistd. It might be ported to other OSs. If it's not, it should be...
HTH
g
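The three items George +1's above (no root login, key-based auth, a restricted set of users) are sshd_config settings, and the usual way they go wrong is a leftover default: with `PasswordAuthentication no` but `ChallengeResponseAuthentication` (PAM keyboard-interactive) still on, a password prompt survives. The following audit script is an added example, not code from the thread or from any of its posters; the two config fragments are constructed for the demo, the group name `sshusers` is borrowed from the last post in the thread, and the built-in defaults in `REQUIRED` are OpenSSH's (assumed current as of 2020).

```python
import re

# Constructed sshd_config fragments for this demo; they are not from the thread.
WEAK_CONFIG = """\
# typical distribution defaults: passwords on, root reachable, anyone may try
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive can still prompt for a password unless this is off as well
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowGroups sshusers
UsePAM yes
"""

# OpenSSH 8.7+ renamed the keyword; both spellings are accepted, so normalise to one.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# keyword -> (values that pass, sshd's built-in default when the keyword is absent)
REQUIRED = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "challengeresponseauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the FIRST occurrence of a keyword, so later duplicates are ignored,
    and everything after the first Match line is conditional and skipped here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """List (keyword, effective value, expected) for every setting that still lets
    password guessing or unrestricted logins through. An empty list passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (accepted, default) in REQUIRED.items():
        value = cfg.get(key, default)
        if value not in accepted:
            findings.append((key, value, "/".join(sorted(accepted))))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("allowusers/allowgroups", "unset", "limit logins to an admin user or group"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```

On a real host, run it against the output of `sshd -T` rather than the file: that prints the effective configuration with all defaults and includes resolved, which removes the guesswork about which keyword won.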
On 21.09.2020 11:19, Андрей Гвоздев wrote:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
Maybe my step by step instructions can help. Ignore the PIVX stuff.
https://forum.pivx.org/index.php?threads/howto-setup-masternode-or-staker-wa...
Андрей Гвоздев wrote on 9/21/20 11:19 AM:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
Plenty, don't worry. Any IP with the ssh port open is targeted. Make sure you keep your server safe as suggested in the other answers. Fail2ban may also help.
Bye, Marco https://metrics.torproject.org/rs.html#details/A4E74410D83705EEFF24BC265DE2B...
Hello again. If you set up Fail2ban or similar, please make sure it does not send out abuse emails. Fail2ban spam or similar is a lot of work for Tor exit operators.
Regards yl
On 9/21/20 11:19 AM, Андрей Гвоздев wrote:
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
breaking the top-post....
Hello, I'm running a Tor relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
This is one of those issues that you figure out your own preferred method over time as you run public services over the internet.
First, where do you see the message? Not sure about your operating system, but if it's dumping the failed logins to your screen and you're on a Unix-like operating system, you should probably check your /etc/syslog.conf. Dumping failed SSH logins to a file like /var/log/authlog makes more sense.
Second, make sure you're following the basics with SSHD security. Require keys or Yubikey etc and don't rely on password security for SSH access.
You could consider fail2ban and similar tools, but consider either your host-based firewall or better yet, an upstream network firewall. Rate-limiting SSH attempts, blacklisting based on bogon addresses, etc, will bring you part of the way.
IMHO, the less third-party software you install on a Tor relay, the better off you are. More code means more surface area and more bugs.
The standard tenet of "there's no security with obscurity" rings true, but we're talking about log noise here, not security. Therefore, you might want to consider changing the TCP port SSHD is listening on. It will likely decrease the noise level.
The great secret SSHD security hack that I feel uncomfortable mentioning on a public list is... do SSH over IPv6 if you can. Seems like the bots haven't caught up to that yet.
g
On 22.09.2020 20:34, George wrote:
The great secret SSHD security hack that I feel uncomfortable mentioning on a public list is... do SSH over IPv6 if you can. Seems like the bots haven't caught up to that yet.
;-) Yeah, only 1 or 2 attempts/YEAR over IPv6, and that's a research project from a German uni.
I block SSH DDoS attacks with the iptables recent module:

## Drop incoming connections which make more than 4 connection attempts upon port 22 within ten minutes
## To list these damned IPs: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP

Fail2ban: block penetrants permanently:

[recidive]
enabled = true
# logpath = /var/log/fail2ban.log
# banaction = %(banaction_allports)s
bantime = -1 ; permanent
findtime = 86400 ; 1 day
maxretry = 6

I leave SSH on port 22, but pub-key auth is important and only one user or group is authorized to log in. See:
AllowUsers user
AllowGroups sshusers
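Both of the mechanisms in the post above are sliding-window counters: the xt_recent rule drops a source once it has opened 4 new connections within 600 seconds, and fail2ban's [recidive] jail watches the first jail's own ban events and bans permanently after 6 bans in a day. The script below replays the same logic over auth.log lines, so the effect of findtime, maxretry and bantime can be seen offline before touching the firewall. It is an added example, not code from the thread or from fail2ban; the log excerpt and the ban history are constructed, the year 2020 is assumed for the yearless syslog timestamps, and the thresholds (3 failures in 10 minutes for the first jail, 6 bans in 86400 s for recidive) follow the values proposed in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt in OpenSSH's syslog format (sample data, not the poster's logs).
SAMPLE_AUTH_LOG = """\
Sep 21 11:19:01 relay sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Sep 21 11:19:03 relay sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Sep 21 11:19:05 relay sshd[1203]: Failed password for root from 198.51.100.7 port 41041 ssh2
Sep 21 11:19:06 relay sshd[1204]: Accepted publickey for toruser from 203.0.113.5 port 50012 ssh2
Sep 21 11:19:09 relay sshd[1205]: Failed password for root from 198.51.100.7 port 41055 ssh2
Sep 21 11:30:00 relay sshd[1300]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
Sep 21 11:45:00 relay sshd[1301]: Failed password for invalid user pi from 192.0.2.9 port 33002 ssh2
Sep 21 12:00:00 relay sshd[1302]: Failed password for invalid user pi from 192.0.2.9 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(stamp, year=2020):
    # syslog stamps carry no year; the thread is from 2020, so that is assumed here
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def run_jail(log_text, findtime=600, maxretry=3, bantime=600):
    """Replay auth.log lines through a fail2ban-style sshd jail.

    A source that reaches maxretry failures inside a sliding findtime window is banned
    for bantime seconds; lines from a banned IP are ignored meanwhile, as they would be
    once the firewall drops its packets. Returns the ban events as (time, ip).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        now, ip = parse_ts(m["ts"]), m["ip"]
        if now < banned_until.get(ip, now):
            continue
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((now, ip))
            banned_until[ip] = now + timedelta(seconds=bantime)
            window.clear()
    return bans


def recidive(bans, findtime=86400, maxretry=6):
    """fail2ban's [recidive] jail: watch the first jail's ban events and, once an IP has
    been banned maxretry times within findtime, ban it permanently (bantime = -1)."""
    history = defaultdict(deque)
    permanent = set()
    for when, ip in sorted(bans):
        if ip in permanent:
            continue
        h = history[ip]
        h.append(when)
        while (when - h[0]).total_seconds() > findtime:
            h.popleft()
        if len(h) >= maxretry:
            permanent.add(ip)
    return permanent


# Constructed ban history: one IP banned every hour for six hours, enough to trip recidive.
SAMPLE_BAN_HISTORY = [(parse_ts(f"Sep 21 {h:02d}:00:00"), "192.0.2.9") for h in range(6)]


if __name__ == "__main__":
    bans = run_jail(SAMPLE_AUTH_LOG)
    print("bans:", [(t.strftime("%H:%M:%S"), ip) for t, ip in bans])
    print("permanent:", recidive(SAMPLE_BAN_HISTORY))
```

Note how the window matters: 192.0.2.9 fails three times but 15 minutes apart, so with findtime 600 it is never banned, while findtime 3600 catches it. When the same thresholds go into a real jail, keep yl's caveat from earlier in the thread in mind: fail2ban's default `action = %(action_)s` only inserts the firewall rule, whereas the `_mw`/`_mwl` action variants and the `complain` action send mail, which is what produces the abuse reports exit operators complain about.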