SSH Auth.log Some security questions

GM2015 Member
edited July 2015 in Help

I've recently figured out how to set up backups for my Digitalocean server. I've been rsyncing it to my RPI at home. I've set up our router to port forward port 22 to my pi and so far it works.

I'm not surprised to see attacks in auth.log, since root and pi aren't allowed to log in. I only allow custom usernames, no password auth, just encrypted pub/priv keys.

Here's my ufw status output:
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
68/udp ALLOW Anywhere
443/tcp ALLOW Anywhere

Forgot to add default is deny all incoming.

I assume I could limit 22 to only certain IPs I control, but that would right now be pointless due to going on holiday and taking the RPI with me, so IPs gonna change.

80 and 443 are for internal development only; they're not port forwarded. No email server or anything on the pi.

These are my main settings from /etc/ssh/ssh_config:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
AllowUsers user1 user2
RSAAuthentication yes
PubkeyAuthentication yes

AuthorizedKeysFile %h/.ssh/authorized_keys

Port 22

So everything is standard.

Anything else to do to secure this rpi from botnets?

Comments

  • ATHK Member

    If you're that worried, grab fail2ban or CSF and ban those attackers after X attempts.
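The OP's question is what those auth.log hits actually are, and ATHK's answer is to ban a source after X attempts. As an added example, not code from the original thread or from fail2ban, here is a small Python triage script that parses the syslog-style lines OpenSSH writes to auth.log, counts failures per source, lists the usernames bots tried that are not in AllowUsers, and applies the same "maxretry failures within findtime" rule fail2ban uses to decide which sources would have been banned. The log lines are constructed (RFC 5737 documentation addresses, a made-up key fingerprint) and all function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format OpenSSH writes to /var/log/auth.log on
# Debian/Raspbian. Addresses are RFC 5737 documentation ranges, the fingerprint is
# made up; nothing here comes from the poster's box.
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:07 pi sshd[2231]: Invalid user admin from 203.0.113.7
Jul 12 03:14:07 pi sshd[2231]: input_userauth_request: invalid user admin [preauth]
Jul 12 03:14:09 pi sshd[2231]: Connection closed by 203.0.113.7 [preauth]
Jul 12 03:14:12 pi sshd[2235]: Invalid user pi from 203.0.113.7
Jul 12 03:14:15 pi sshd[2238]: Invalid user root from 203.0.113.7
Jul 12 03:14:20 pi sshd[2240]: Invalid user test from 203.0.113.7
Jul 12 03:15:01 pi sshd[2244]: Connection closed by 198.51.100.23 [preauth]
Jul 12 03:16:40 pi sshd[2250]: Accepted publickey for user1 from 192.0.2.10 port 51022 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
Jul 12 03:17:02 pi sshd[2255]: Failed publickey for user1 from 198.51.100.23 port 40012 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$')
# With PasswordAuthentication off, bots mostly leave "Invalid user" lines (name rejected
# by AllowUsers / not a local account) and then disconnect before any auth attempt.
INVALID_USER_RE = re.compile(r'^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)')
# "Failed publickey" also appears when a legitimate client offers a key that is not in
# authorized_keys before offering the right one, so one such line is not an attack by itself.
FAILED_RE = re.compile(r'^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')
ACCEPTED_RE = re.compile(r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)')


def parse_events(text):
    """Turn auth.log text into a list of {time, kind, user, ip} dicts.
    The syslog timestamp carries no year, so strptime yields year 1900; only
    differences between timestamps are used below, so that is harmless."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
        msg = m.group('msg')
        for kind, rx in (('invalid_user', INVALID_USER_RE),
                         ('failed', FAILED_RE),
                         ('accepted', ACCEPTED_RE)):
            mm = rx.match(msg)
            if mm:
                events.append({'time': ts, 'kind': kind,
                               'user': mm.group('user'), 'ip': mm.group('ip')})
                break  # lines that match none of the patterns are ignored
    return events


def failures_per_source(events):
    """Number of failed or rejected attempts per source address."""
    counts = defaultdict(int)
    for e in events:
        if e['kind'] in ('invalid_user', 'failed'):
            counts[e['ip']] += 1
    return dict(counts)


def unknown_usernames(events, allow_users):
    """Usernames that were tried but are not in the AllowUsers list."""
    allowed = set(allow_users)
    return {e['user'] for e in events if e['user'] not in allowed}


def accepted_logins(events):
    """(user, ip) pairs that actually got in; this is the list worth reading daily."""
    return [(e['user'], e['ip']) for e in events if e['kind'] == 'accepted']


def sources_to_ban(events, maxretry=3, findtime_seconds=600):
    """fail2ban-style rule: a source accumulating `maxretry` failures inside any
    sliding window of `findtime_seconds` would be banned. Returns {ip: time of the
    failure that crossed the threshold}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e['time']):
        if e['kind'] in ('invalid_user', 'failed'):
            by_ip[e['ip']].append(e['time'])
    banned = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime_seconds:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= maxretry:
                banned[ip] = t
                break
    return banned


if __name__ == '__main__':
    evs = parse_events(SAMPLE_AUTH_LOG)
    print('failures per source:', failures_per_source(evs))
    print('names tried that are not in AllowUsers:', unknown_usernames(evs, ['user1', 'user2']))
    print('accepted logins:', accepted_logins(evs))
    print('would be banned (3 failures in 10 min):', sources_to_ban(evs))
```

Run it against a real file with `parse_events(open('/var/log/auth.log').read())`. The useful output for the OP's situation is the last two lines: a handful of "Invalid user" names from one address is background noise, while anything in accepted_logins() that is not you is the signal to act on.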

  • Ikoula Member, Host Rep

    Hello,

    Assuming you're trying to secure the ssh connection, since many bots are set up to attack on port 22, I would set another port in the ssh service configuration.

  • getvps Member
    edited July 2015

    Changing the default port to an uncommon one will remove 99.99% of mass attacks.
    If someone brute-forces a single target (you; brute force is the only known ssh attack), use fail2ban, and check the hashes of your AllowUsers in /etc/shadow with something like John the Ripper to see if you have poor passwords, and fix them.

  • 4n0nx Member

    Just use key auth or a long password. Done.

  • Your config looks fine. When you can, limit access to certain IPs. For now it's fine.

    To speed up logins add this:

    UseDNS no

    And to automatically timeout dropped connections:

    ClientAliveInterval 30
    ClientAliveCountMax 4

    4x30=120 seconds. Connection times out after 120 seconds of no responses to pings.

    Thanked by 1: GM2015
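The OP's sshd settings and the two additions above (UseDNS no, and ClientAliveInterval times ClientAliveCountMax as the idle timeout) can be checked mechanically rather than by eye. This is an added example, not code from the original thread or from OpenSSH: a small Python parser that follows sshd_config's documented rules (keywords are case-insensitive, keyword and value may be separated by whitespace or a single "=", the first occurrence of a keyword wins, and a Match line ends the global section), plus an audit() against the values recommended in this thread. The three config texts are constructed; the first mirrors the OP's listed settings, the other two are assumptions made to show a clean pass and a common ordering mistake. Function names are my own.

```python
import re

# Constructed config text mirroring the settings the OP listed (not the poster's real file).
OP_STYLE_CONFIG = """\
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
AllowUsers user1 user2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Port 22
"""

# Constructed: the same file with the two additions recommended in the thread.
HARDENED_CONFIG = OP_STYLE_CONFIG + """\
UseDNS no
ClientAliveInterval 30
ClientAliveCountMax 4
"""

# Constructed: a leftover "yes" earlier in the file silently wins over the later "no",
# because sshd takes the FIRST occurrence of a keyword.
MISORDERED_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
UseDNS no
ClientAliveInterval 30
ClientAliveCountMax 4
AllowUsers user1
# the line below has no effect because of the first line
PasswordAuthentication no
"""

# Values recommended in this thread, keyed by lowercased keyword.
RECOMMENDED = {
    'permitrootlogin': 'no',
    'passwordauthentication': 'no',
    'pubkeyauthentication': 'yes',
    'usedns': 'no',
}

# "Keyword value", "Keyword=value" or "Keyword = value" are all accepted by sshd.
DIRECTIVE_RE = re.compile(r'^([A-Za-z]+)\s*(?:=|\s)\s*(.*)$')


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of an sshd_config.
    Comment lines start with '#'; parsing stops at the first Match line because
    everything after it applies only when the Match condition holds."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == 'match':
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def idle_timeout_seconds(settings):
    """ClientAliveInterval * ClientAliveCountMax, the arithmetic the thread does (30 * 4 = 120).
    sshd defaults are interval 0 (no keepalives at all) and count 3, so with no interval
    set there is no timeout and this returns None."""
    interval = int(settings.get('clientaliveinterval', '0'))
    count = int(settings.get('clientalivecountmax', '3'))
    return interval * count if interval > 0 else None


def audit(settings):
    """Return {keyword: (current value or None, expected)} for every recommended setting
    that is missing or different. A missing keyword is reported rather than assumed safe,
    because the compiled-in default differs between OpenSSH versions."""
    findings = {}
    for key, expected in RECOMMENDED.items():
        current = settings.get(key)
        if current is None or current.lower() != expected:
            findings[key] = (current, expected)
    if 'allowusers' not in settings:
        findings['allowusers'] = (None, 'an explicit list of user names')
    if idle_timeout_seconds(settings) is None:
        findings['clientaliveinterval'] = (settings.get('clientaliveinterval'),
                                           'a positive number of seconds')
    return findings


if __name__ == '__main__':
    for name, text in (('OP style', OP_STYLE_CONFIG), ('hardened', HARDENED_CONFIG),
                       ('misordered', MISORDERED_CONFIG)):
        s = parse_sshd_config(text)
        print(name, '| idle timeout:', idle_timeout_seconds(s), '| findings:', audit(s))
```

To check a live box, feed it `open('/etc/ssh/sshd_config').read()`; a findings dict that is empty and an idle timeout of 120 is what the thread's advice amounts to. The misordered sample is the case worth remembering: `sshd -T` prints the values sshd actually uses and is the authoritative check when a file has accumulated duplicate lines.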
  • GM2015 Member
    edited July 2015

    Is there a way to implement a waiting time before someone can reconnect without installing fail2ban?
    I mean a brute forcer attacks every few seconds. They've been trying to brute force my vps on DO, but without keys and key passwords they get nowhere.

    Abdussamad said: Your config looks fine. When you can do limit access to certain IPs. For now it's fine.

    To speed up logins add this:
    UseDNS no
    And to automatically timeout dropped connections:
    ClientAliveInterval 30
    ClientAliveCountMax 4
    4x30=120 seconds. Connection times out after 120 seconds of no responses to pings.

    Well, I assume even if they manage to get in, passwords 100+ characters long can take long to crack. Probably I'm wrong.

    4n0nx said: Just use key auth or a long password. Done.

  • Abdussamad Member
    edited July 2015

    GM2015 said: Is there a way to implement a waiting time before someone can reconnect without installing fail2ban??

    I mean a brute forcer attack every few seconds. They've been trying to brute force my vps on DO, but without keys and key passwords get nowhere.

    Let them keep trying. It doesn't hurt you. I've been told this leads to entropy pool depletion but I think that's bunk. You only need 2^8 bits of entropy to initialize the OS CSPRNG and then you're good for a long time.

  • GM2015 Member
    edited July 2015

    I tell you I really try to understand people here with all their technical talk, but I'm a mere peasant. However, no DNS lookups on sshd seems to have sped up my rpi logins, lol, so thanks for that.

    It took usually 3-5 seconds to see any response on putty, now it's nearly instant.

    Abdussamad said: Let them keep trying. It doesn't hurt you. I've been told this leads to entropy pool depletion but I think that's bunk. You only need 8 bytes of entropy to initialize the OS CSPRNG and then you're good for a long time.

  • Alt Member

    @GM2015: you've disabled authentication by password, so keep your configuration like that, don't waste your time by changing the SSH port or installing fail2ban.

    Thanked by 1: GM2015
  • getvps Member

    Disable vs Secure! :) SSH is not a ''public'' service for everyone, like a public httpd is. So! A better solution in this case is to configure your firewall right, and accept ssh connections just from known sources. If some vuln in ssh appears (not impossible), he will become exactly the victim of botnets/others. So, it is better to keep hidden what is not for everyone..

  • Change the default SSH port to something random

    Ignore the Obscurity isn't security brigade

    Thanked by 1: NanoG6
  • getvps Member

    Ok! Security mode. 1) Disable Passwords 2) Use keyauth 3) Use OTP 4) Firewall 5) Connect only from secure VPN. 6) Change Port 7) Fail2Ban + Add alerts fail/success logins 8) Chroot
    ... talk to NSA to remove your ip from PRISM ... change default crypto configuration to ultra safe set... read docs about hardware tempest.. and now you're James Bond! (Oh no,you will be owned by browser..)

    But the simple response about botnets and 'normal' attacks by kids is to change port 22. If you leave 22 open (very secure sshd) you will be attacked every day anyway. (Attempt = Attack)

  • ATHK Member

    Hardly any of you have read the OP; you keep suggesting things that are already implemented on the poster's box..

    I know you all want to get your post counts up .. but come on.

    Thanked by 1: GM2015
  • GM2015 Member

    I thought lowendtalkers had some kind of magic wand which they waved and secured their boxes. But thanks for the suggestions.

    I'm fine I think. If they want to steal dick pictures, let them try.

  • ATHK Member

    @GM2015 said:
    I thought lowendtalkers had some kind of magic wand which they waved and secured their boxes. But thanks for the suggestions.

    I'm fine I think. If they want to steal dick pictures, let them try.

    Honestly, SSH key + Passphrase is all you're going to need.

    Like I mentioned, if you're sick of seeing constant hits from IP ranges to port 22 and don't want to change the SSH port, install fail2ban or CSF and ban those IPs from further attempts.

    Apart from that, what you've done is great and I applaud you! I know so many people that just use passwords thinking it's secure if they have a few special characters..

  • GM2015 Member
    edited July 2015

    Reading lowendtalk, SEO and marketing forums got me paranoid enough.

    ATHK said: Honestly, SSH key + Passphrase is all you're going to need.

    Like I mentioned, if you're sick of seeing constant hits from IP ranges to port 22 and don't want to change the SSH port, install fail2ban or CSF and ban those IPs from further attempts.
    Apart from that, what you've done is great and I applaud you! I know so many people that just use passwords thinking it's secure if they have a few special characters..
