
[Help Needed] Prevent bruteforce and only whitelist dynamic IP?

wjt Member
edited May 2017 in Help

I've set up multiple servers without realizing I'm getting constant bruteforce attempts until someone alerted me about it. Since then I found some other threads saying it is pretty common.

I've found a few solutions online and attempting to replicate a prevention.

I'm the only one using the server, and it's disabled from outside access (ie it's not a webserver), so a fail2ban doesn't fit my requirements.

My main concern is the size of my auth.log and btmp is getting filled up all the time. I have Ubuntu and thought it already has logrotate set up to rotate such logs, but it didn't.

How can I prevent the auth.log and btmp from logging failed attempts and only show me successful logins? Which also means, if a bruteforce worked, then I'm screwed, rather than looking at thousands of failed logins.

Comments

  • Gamma17 Member
    edited May 2017

    If someone is bruteforcing you it means that your ssh is not "disabled from outside access".
    You will either need to set up fail2ban or disable password auth altogether and use keys.

  • wjt Member
    edited May 2017

    Gamma17 said: disable password auth altogether and use keys

    If I disable password auth and only use keys, does it prevent the failed attempt log from logging into auth.log and btmp?

    And does it prevent my resources from being consumed?

  • seanho Member

    If you're primarily concerned about log spam, just change the ssh port. It's not complete security, and of course you should also use public keys, an unprivileged user, disable root login, restrict to secure ciphers, etc. But moving the port will cut 99% of those attempts.

  • wjt Member
    edited May 2017

    seanho said: change the ssh port

    The majority of what's reported in my auth.log is people trying all sorts of ports, and in fact the lesser ones are on port 22.

    Also what I wanted to achieve is probably simplified in such a way:

    Me: IP and auth is correct - Login

    Others: Deny all, don't bother to log attempt, don't hit any server resources

  • shell Member

    change ssh port and I never get bruteforce again

  • Gamma17 Member
    edited May 2017

    @wjt said:
    If I disable password auth and only use keys, does it prevent the failed attempt log from logging into auth.log and btmp?

    And does it prevent my resources from being consumed?

    It is pointless to try bruteforcing with keys, so basically yes.
    Changing port may be a good idea too, if you do not use your server for anything public like hosting a site it is highly unlikely that someone will bother with port scan to figure out where your ssh is.

  • niceboy Veteran

    SSH port changing should be enough as a first step.

  • seanho Member

    Wait, how are connections to ports you're not listening on being logged in your auth.log? sshd is only listening on one port. If the log spam you're seeing is from iptables, and not specifically ssh, then just adjust your firewall rules to drop the connections without logging.

  • Mark_O_Polo Member
    edited May 2017

    Based on your question. The below will get you started. You will have to know how to setup ddns, crontab -e and basic firewall. Don't get yourself locked out... Read all instructions before setup.

    https://unix.stackexchange.com/questions/91701/ufw-allow-traffic-only-from-a-domain-with-dynamic-ip-address#91711

    https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw

    Lastly, use the command "last" to show successful login connections.

    (Edit: I would always recommend a static IP whitelist as well. In case anything goes wrong with your ddns you have another way back in. It can even be another VPS you have.
    Do use fail2ban as well. With your whitelist setup one could argue it's not necessary but in this case more is better than less.)
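The dynamic-IP whitelist that Mark_O_Polo links to, together with seanho's point that the firewall should drop unwanted connections without logging them, as one added example (this is not code from the thread or from the linked answers): a POSIX sh script meant to run from cron that resolves a DDNS hostname and keeps a ufw allow rule for the SSH port pointed at whatever address the name currently resolves to, plus any static fallback addresses given on the command line. The state-file path, the `DRY_RUN` and `SSH_PORT` variables, and the example hostname and addresses in the usage line are my assumptions; the script assumes ufw is installed with `default deny incoming` already active and that it runs as root.

```shell
#!/bin/sh
# Added example (not from the thread or the linked answers): keep ufw's SSH
# allow rule pointed at a DDNS hostname, for a cron job. Assumes ufw with
# "default deny incoming" already active and that this runs as root.
set -eu

SSH_PORT="${SSH_PORT:-22}"                                   # assumption: sshd on 22
STATE_FILE="${STATE_FILE:-/var/lib/ssh-whitelist/last_ip}"   # hypothetical path
DRY_RUN="${DRY_RUN:-0}"                                      # 1 = print commands only

# Strict dotted-quad check so a bad DNS answer never becomes a firewall rule.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a hostname to its first IPv4 address via the system resolver.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Emit the ufw commands for a change from $1 (old address, may be empty) to $2.
# The new allow goes in before the old one is deleted, so there is never a
# moment with no rule at all (that is how you lock yourself out).
ufw_commands() {
    echo "ufw allow from $2 to any port $SSH_PORT proto tcp"
    if [ -n "$1" ] && [ "$1" != "$2" ]; then
        echo "ufw delete allow from $1 to any port $SSH_PORT proto tcp"
    fi
}

# Run each command line read from stdin, or just print it when DRY_RUN=1.
apply_commands() {
    while IFS= read -r _cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $_cmd"
        else
            eval "$_cmd"
        fi
    done
}

# main <ddns-hostname> [static-ip ...]
# Static addresses are the "always allowed" fallback in case DDNS breaks;
# re-adding a rule that already exists is harmless (ufw reports it as skipped).
main() {
    _host=$1
    shift
    _new=$(resolve_ipv4 "$_host")
    if ! is_ipv4 "$_new"; then
        echo "could not resolve $_host to an IPv4 address; rules left unchanged" >&2
        return 1
    fi
    for _ip in "$@"; do
        is_ipv4 "$_ip" || { echo "rejecting static address: $_ip" >&2; return 1; }
        echo "ufw allow from $_ip to any port $SSH_PORT proto tcp" | apply_commands
    done
    _old=""
    if [ -f "$STATE_FILE" ]; then
        _old=$(cat "$STATE_FILE")
    fi
    if [ "$_old" = "$_new" ]; then
        return 0    # address unchanged: no rule churn
    fi
    ufw_commands "$_old" "$_new" | apply_commands
    if [ "$DRY_RUN" != 1 ]; then
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$_new" > "$STATE_FILE"
    fi
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <ddns-hostname> [static-ip ...]" >&2
else
    main "$@"
fi
```

A constructed cron line for it would be `*/5 * * * * /usr/local/sbin/ssh-whitelist.sh home.example.dyndns.org 198.51.100.7`, with `198.51.100.7` standing in for the static fallback address (another VPS, as Mark_O_Polo suggests). Try it first with `DRY_RUN=1` to see the exact ufw commands it would run. Two points matter for the original question: with `ufw default deny incoming` and `ufw logging off`, the dropped SYNs from everyone else never reach sshd and are not written to kern.log either, so auth.log stays quiet; the firewall drop, not the switch to key-only authentication, is what achieves that, because sshd still logs a line for every connection that reaches it and then fails or disconnects before authenticating.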

  • r0xz Member

    set up a cron job to delete old logs.

    and send alert upon successful login through ssh
    https://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful
