improving security of sshd without using add-ons like fail2ban
Activated the firewall and was considering installing fail2ban to limit access to my open ssh port.
However, doing so involved adding yet another layer to my system. That, and the modifications made by
fail2ban to the iptables would not be persistent, but would mesh with the firewall. Thinking about it,
making the drop of the IP persistent isn't helpful and could break a valid user later. For the last 20
years or more I've run Linux without a firewall. The only reason I'm doing it now is to make sure the system
only has to withstand attacks on open ports. Which brought me to the log files for ssh, and the multitude
of attacks. Fail2ban would monitor the attempts and then slow the attacker down for a set period of time.
The thing about ssh use on my systems is that all of the users would be using ssh keys or authorized tools
that could connect. So I decided to block root access completely, then limit the attempts to one try,
and then only for a specific user, or users. I don't believe that adding "DenyUsers" is necessary. Attempting
to log in via a valid account with this configuration was not permitted unless the name was allowed. An
example of what happened with a valid login on a non-allowed user with the correct password is shown below.
Tightening up ssh didn't require a lot. The system in test has only one user. This makes these settings easier.
If there were multiple ssh users I'd possibly have to increase some of the values. As always, YMMV.
Some tweaks to /etc/ssh/sshd_config
- make sure root can't log in directly: PermitRootLogin no
- specify which users can ssh in: AllowUsers luser
- force only one version of ssh: Protocol 2
- give the person ONE try: MaxAuthTries 1
- reduce the number of starting connections: MaxStartups 2:50:5
- reduce the login grace time from 2 min: LoginGraceTime 30
- restart sshd: # service sshd restart
# Change MaxStartups from the default of "10" to "2:50:5".
# The colon-separated values tell the ssh server to "allow 2 users to attempt logging in at the same time,
# and to randomly and increasingly drop connection attempts between 2 and the maximum of 5".
# Note: should increase value on servers with substantial numbers of valid ssh users logging in.
# Default: MaxStartups 10
#
# Reduce the maximum amount of time allowed to successfully log in before disconnecting.
# The default is 2 minutes, which is too long to have an open unauthenticated connection attempt;
# 30 seconds is more than enough time to log in.
# Default: LoginGraceTime 2m  -->  LoginGraceTime 30
EVEN with the correct password, root fails, as does any user not listed in "AllowUsers":
--> ssh -l root 192.168.11.xx
Password:
Received disconnect from 192.168.11.xx port 22:2: Too many authentication failures
Connection to 192.168.11.xx closed by remote host.
Connection to 192.168.11.xx closed.
Watched journalctl for a while and observed the disconnects:
--> journalctl -f | grep ssh
Jun 21 23:18:09 the-linux-system sshd[23682]: error: PAM: User not known to the underlying authentication module for illegal user admin from 103.79.142.31
Jun 21 23:18:09 the-linux-system sshd[23682]: error: maximum authentication attempts exceeded for invalid user admin from 103.79.142.31 port 52295 ssh2 [preauth]
Jun 21 23:24:06 the-linux-system sshd[23694]: error: maximum authentication attempts exceeded for invalid user root from 190.49.255.143 port 42263 ssh2 [preauth]
Jun 21 23:27:53 the-linux-system sshd[23703]: error: maximum authentication attempts exceeded for invalid user oracle from 201.20.73.3 port 56130 ssh2 [preauth]
Jun 21 23:49:37 the-linux-system sshd[23830]: error: maximum authentication attempts exceeded for invalid user admin from 190.178.18.218 port 59625 ssh2 [preauth]
Jun 22 00:01:15 the-linux-system sshd[24123]: error: maximum authentication attempts exceeded for invalid user root from 119.193.140.180 port 41792 ssh2 [preauth]
Jun 22 00:17:45 the-linux-system sshd[24276]: error: maximum authentication attempts exceeded for invalid user root from 201.20.73.3 port 49076 ssh2 [preauth]
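Two small helpers, added here as an example and not part of the original post: the first reproduces the integer arithmetic OpenSSH's sshd.c uses for "MaxStartups start:rate:full" so the "2:50:5" comment above can be checked number by number, and the second tallies the "maximum authentication attempts exceeded" journal lines by source address and requested user name. The journal lines in the block are constructed samples in the format shown above, using TEST-NET addresses.

```python
import re
from collections import Counter

def maxstartups_drop_probability(setting, unauth_connections):
    """Percent chance sshd refuses a new connection when that many
    unauthenticated connections are already open, using the integer
    arithmetic of drop_connection() in OpenSSH's sshd.c.
    `setting` is the MaxStartups value, e.g. "2:50:5" or a bare "10"."""
    parts = [int(x) for x in setting.split(":")]
    if len(parts) == 1:          # bare number: hard cap, no random region
        start = full = parts[0]
        rate = 100
    else:
        start, rate, full = parts
    n = unauth_connections
    if n < start:
        return 0
    if n >= full or rate == 100:
        return 100
    # Linear ramp from `rate`% at `start` up to 100% at `full`, done in
    # integer math exactly as sshd does it (so 2:50:5 gives 50, 66, 83).
    p = (100 - rate) * (n - start) // (full - start)
    return p + rate

# Message sshd logs when a client burns through MaxAuthTries. Valid user
# names appear without the "invalid user " prefix, so it is optional.
AUTH_EXCEEDED = re.compile(
    r"maximum authentication attempts exceeded for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize_auth_failures(lines):
    """Tally MaxAuthTries lockouts: returns ({ip: count}, {user: count})."""
    by_ip, by_user = Counter(), Counter()
    for line in lines:
        m = AUTH_EXCEEDED.search(line)
        if m:
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
    return dict(by_ip), dict(by_user)

# Constructed sample journal lines (TEST-NET addresses), same format as above.
SAMPLE_JOURNAL = """\
Jun 21 23:18:09 host sshd[23682]: error: PAM: User not known to the underlying authentication module for illegal user admin from 203.0.113.5
Jun 21 23:18:09 host sshd[23682]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 52295 ssh2 [preauth]
Jun 21 23:24:06 host sshd[23694]: error: maximum authentication attempts exceeded for invalid user root from 198.51.100.7 port 42263 ssh2 [preauth]
Jun 21 23:27:53 host sshd[23703]: error: maximum authentication attempts exceeded for luser from 203.0.113.5 port 56130 ssh2 [preauth]
""".splitlines()

if __name__ == "__main__":
    print([maxstartups_drop_probability("2:50:5", n) for n in range(7)], summarize_auth_failures(SAMPLE_JOURNAL))
```

Feeding `journalctl -u sshd --no-pager` output into summarize_auth_failures gives the same per-source view fail2ban would act on, without adding the daemon.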