SSH auth.log: some security questions
I've recently figured out how to set up backups for my DigitalOcean server. I've been rsyncing it to my RPi at home. I've set up our router to port forward port 22 to my Pi and so far it works.
I'm not surprised to see attacks in auth.log, since root and pi aren't allowed to log in. I only allow custom usernames, no password auth, just encrypted pub/priv keys.
Here's my ufw status output:
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
68/udp ALLOW Anywhere
443/tcp ALLOW Anywhere
Forgot to add: the default is deny all incoming.
I assume I could limit 22 to only certain IPs I control, but right now that would be pointless, since I'm going on holiday and taking the RPi with me, so the IPs are gonna change.
80 and 443 are for internal development only; they're not port forwarded. No email server or anything on the Pi.
These are my main settings from /etc/ssh/ssh_config:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
AllowUsers user1 user2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Port 22
So everything is standard.
Anything else to do to secure this RPi from botnets?
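As an added example (not from the original post), here is a small shell script that summarises the auth.log noise the poster mentions: rejected attempts per source IP and the usernames tried. It runs over constructed log lines rather than a real log; on the Pi you would point the functions at /var/log/auth.log.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post: summarise the
# SSH noise in auth.log, i.e. which sources keep knocking and which usernames
# they try. The log lines are constructed, not real traffic; on the Pi point
# the functions at /var/log/auth.log instead.

make_sample_log() {
  # Writes a constructed auth.log to the path in $1. With password auth off and
  # AllowUsers set, bots mostly show up as "Invalid user" lines; a "Failed
  # publickey" against an allowed name is the one worth a second look.
  cat > "$1" <<'EOF'
Jan 10 03:14:01 rpi sshd[2100]: Invalid user admin from 203.0.113.7 port 51234
Jan 10 03:14:01 rpi sshd[2100]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Jan 10 03:14:05 rpi sshd[2102]: Invalid user pi from 203.0.113.7 port 51240
Jan 10 03:14:09 rpi sshd[2104]: Failed password for root from 198.51.100.22 port 40001 ssh2
Jan 10 03:15:00 rpi sshd[2110]: Accepted publickey for user1 from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 03:15:30 rpi sshd[2112]: Invalid user test from 203.0.113.7 port 51250
Jan 10 03:16:00 rpi sshd[2114]: Failed publickey for user1 from 198.51.100.22 port 40010 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
EOF
}

failed_attempts() {
  # $1: auth.log path. Prints every rejected sshd login attempt as "<user> <ip>".
  # Accepted logins and the "[preauth]" close messages are deliberately skipped.
  grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed [a-z]+ for)' "$1" \
    | sed -E 's/.*(Invalid user|for) (invalid user )?([^ ]+) from ([0-9.]+) .*/\3 \4/'
}

failed_by_ip() {
  # $1: auth.log path. Prints "<count> <ip>", busiest source first.
  failed_attempts "$1" | awk '{print $2}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

usernames_tried() {
  # $1: auth.log path. Distinct usernames probed, comma separated, to compare
  # against AllowUsers; anything outside that list can never succeed.
  failed_attempts "$1" | awk '{print $1}' | sort -u | paste -s -d ',' -
}

# Stand-alone run against the constructed log.
log=$(mktemp)
make_sample_log "$log"
echo "Rejected attempts per source IP:"; failed_by_ip "$log"
echo "Usernames tried: $(usernames_tried "$log")"
rm -f "$log"
```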
Comments
If you're that worried, grab fail2ban or CSF and ban those attackers after X attempts.
Hello,
Assuming you're trying to secure the SSH connection: since many bots are set up to attack port 22, I would set another port in the SSH service configuration.
Changing the default port to an uncommon one will remove 99.99% of mass attacks.
If someone brute-forces a single target (you; brute force is the only known SSH attack), use fail2ban and check your AllowUsers hashes in /etc/shadow with something like John the Ripper to see if you have poor passwords, and fix them.
Just use key auth or a long password. Done.
Your config looks fine. When you can, limit access to certain IPs. For now it's fine.
To speed up logins add this:
UseDNS no
And to automatically timeout dropped connections:
ClientAliveInterval 30
ClientAliveCountMax 4
4x30=120 seconds. The connection times out after 120 seconds of no responses to pings.
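An added example, not code from anyone in the thread: a shell checker that reads an sshd_config the way sshd does (keywords are case-insensitive, the first value of a repeated keyword wins, Match blocks are conditional) and flags the settings this thread recommends. It adds one check the thread does not mention, ChallengeResponseAuthentication, because PasswordAuthentication no on its own still allows keyboard-interactive password prompts through PAM.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# recommended here. It mirrors two sshd parsing rules: keywords are
# case-insensitive, and when a keyword appears twice the FIRST value wins, so
# a "PasswordAuthentication no" appended at the bottom changes nothing if a
# "yes" sits above it. Only the global section is read: lines after a Match
# block apply to matched connections only.

sshd_get() {
  # $1: config path, $2: keyword. Prints the first effective value, or nothing.
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    { k = tolower($1) }
    k == "match" { exit }                           # conditional section: stop
    k == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ' "$1"
}

sshd_check() {
  # $1: config path. Prints one line per check; returns 1 if anything needs attention.
  # ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH)
  # is included because PasswordAuthentication=no alone still leaves
  # keyboard-interactive password prompts through PAM possible.
  cfg="$1"; rc=0
  for spec in PermitRootLogin=no PasswordAuthentication=no \
              ChallengeResponseAuthentication=no PubkeyAuthentication=yes UseDNS=no; do
    key="${spec%%=*}"; want="${spec#*=}"
    got="$(sshd_get "$cfg" "$key" | tr 'A-Z' 'a-z')"
    if [ "$got" = "$want" ]; then
      echo "ok   $key $got"
    else
      echo "WARN $key ${got:-unset (sshd default applies)}, want $want"; rc=1
    fi
  done
  [ -n "$(sshd_get "$cfg" AllowUsers)" ] || { echo "WARN AllowUsers unset"; rc=1; }
  return $rc
}

# Stand-alone run over a constructed config: the poster's settings plus UseDNS.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers user1 user2
PubkeyAuthentication yes
UseDNS no
EOF
sshd_check "$cfg" || echo "=> fix the WARN lines (here: ChallengeResponseAuthentication)"
rm -f "$cfg"
```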
Is there a way to implement a waiting time before someone can reconnect, without installing fail2ban?
I mean a brute forcer attacks every few seconds. They've been trying to brute force my VPS on DO, but without keys and key passwords they get nowhere.
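For the question above, an added example (not from the thread) of rate limiting new SSH connections per source IP with netfilter's recent module instead of fail2ban; it assumes iptables is installed and only prints the rules unless DRY_RUN is cleared. The poster's ufw wraps the same mechanism as "ufw limit 22/tcp", which denies a source after 6 new connections in 30 seconds.

```shell
#!/bin/sh
# Added example (not from the thread): throttle new SSH connections per source
# IP with the kernel's own netfilter "recent" module, so no fail2ban is needed.
# The first rule records every new connection to SSH_PORT in a table named SSH;
# the second drops a source once it has HITCOUNT entries within WINDOW seconds
# (with the defaults, the fourth new connection inside 60 s is dropped).
# Because --update refreshes the timestamp on every further attempt, a bot that
# keeps hammering stays blocked until it pauses for WINDOW seconds. Assumes
# iptables is installed; set DRY_RUN=1 to print the commands instead of running
# them. ufw users get a fixed version of the same thing with: ufw limit 22/tcp
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"
HITCOUNT="${HITCOUNT:-4}"

ssh_ratelimit_rules() {
  # Emits the two iptables commands, one per line. They are inserted at the top
  # of INPUT (-I 1 and -I 2) so an earlier blanket ACCEPT for port 22 cannot
  # bypass them; the order (record first, then test) is what makes the count right.
  cat <<EOF
iptables -I INPUT 1 -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -I INPUT 2 -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP
EOF
}

apply_ssh_ratelimit() {
  # Runs each rule (or prints it when DRY_RUN is set). Plain iptables rules do
  # not survive a reboot: keep them in your firewall script or use
  # iptables-save/iptables-restore.
  ssh_ratelimit_rules | while IFS= read -r cmd; do
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$cmd"; else sh -c "$cmd"; fi
  done
}

ssh_ratelimit_status() {
  # Shows the sources currently tracked (and their hit timestamps) from the
  # table the recent module exposes under /proc.
  cat /proc/net/xt_recent/SSH 2>/dev/null || echo "no SSH table yet (rules not loaded?)"
}

# Stand-alone run: only print the rules. To apply them, run apply_ssh_ratelimit
# as root with DRY_RUN unset.
echo "Rules that would be applied:"; ssh_ratelimit_rules
```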
Well, I assume even if they manage to get in, passwords of 100+ characters can take a long time to crack. Probably I'm wrong.
Let them keep trying. It doesn't hurt you. I've been told this leads to entropy pool depletion but I think that's bunk. You only need 2^8 bits of entropy to initialize the OS CSPRNG and then you're good for a long time.
I tell you, I really try to understand people here with all their technical talk, but I'm a mere peasant. However, no DNS lookups on sshd seem to have sped up my RPi logins, lol, so thanks for that.
It usually took 3-5 seconds to see any response in PuTTY; now it's nearly instant.
@GM2015: you've disabled authentication by password, so keep your configuration like that, don't waste your time by changing the SSH port or installing fail2ban.
Disable vs. secure! SSH is not a ''public'' service for all people, like a public httpd. So a better solution in this case is to configure your firewall right and accept SSH connections just from known sources. If some vuln in SSH appears (not impossible), he will become exactly the victim of botnets/others. So it's better to keep hidden what is not for everyone..
Change the default SSH port to something random
Ignore the "obscurity isn't security" brigade.
Ok! Security mode.
1) Disable passwords
2) Use key auth
3) Use OTP
4) Firewall
5) Connect only from a secure VPN
6) Change port
7) Fail2Ban + add alerts for failed/successful logins
8) Chroot
... talk to the NSA to remove your IP from PRISM... change the default crypto configuration to an ultra safe set... read docs about hardware TEMPEST... and now you're James Bond! (Oh no, you will be owned by the browser..)
But the simple response about botnets and 'normal' attacks by kids is to change port 22. If you leave 22 open (very secure sshd) you will be attacked every day anyway. (Attempt = Attack)
Hardly any of you have read the OP; you keep suggesting things that are already implemented on the poster's box..
I know you all want to get your post counts up .. but come on.
I thought lowendtalkers had some kind of magic wand which they waved and secured their boxes. But thanks for the suggestions.
I'm fine I think. If they want to steal dick pictures, let them try.
Honestly, SSH key + Passphrase is all you're going to need.
Like I mentioned, if you're sick of seeing constant hits from IP ranges to port 22 and don't want to change the SSH port, install fail2ban or CSF and ban those IPs from further attempts.
Apart from that, what you've done is great and I applaud you! I know so many people who just use passwords, thinking it's secure if they have a few special characters..
Reading LowEndTalk, SEO and marketing forums got me paranoid enough.