tr0910 Posted December 19, 2016

I am backing up my server over the internet to another unRAID server over SSH, so I have port 22 forwarded on the destination router. I have hardened SSH using the SSH_Config plugin to deny password login and only accept logins by keys. However, the bad guys still want in, and I don't seem to be able to get denyhosts, from the same plugin author, working on 6.2.4: http://lime-technology.com/forum/index.php?topic=47289.msg523047#msg523047

What should I do to bolt it down a little tighter? (In the last 24 hours I have had over 3500 attempts to log in from 30 different IPs; one IP is creating over half of the attempts. I would like to ban IPs based on their logged unsuccessful login attempts.)

For example (warning: many lines from syslog):

Dec 17 15:19:15 Server1 sshd[22277]: Received disconnect from 121.18.238.109 port 40257:11: [preauth]
Dec 17 15:19:15 Server1 sshd[22277]: Disconnected from 121.18.238.109 port 40257 [preauth]
Dec 17 15:19:50 Server1 sshd[22424]: Received disconnect from 221.194.44.219 port 49843:11: [preauth]
Dec 17 15:19:50 Server1 sshd[22424]: Disconnected from 221.194.44.219 port 49843 [preauth]
Dec 17 15:20:51 Server1 sshd[22708]: Received disconnect from 221.194.47.229 port 44863:11: [preauth]
Dec 17 15:20:51 Server1 sshd[22708]: Disconnected from 221.194.47.229 port 44863 [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Received disconnect from 121.18.238.109 port 38959:11: [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Disconnected from 121.18.238.109 port 38959 [preauth]
Dec 17 15:23:10 Server1 sshd[23534]: Received disconnect from 221.194.44.224 port 37053:11: [preauth]
Dec 17 15:23:10 Server1 sshd[23534]: Disconnected from 221.194.44.224 port 37053 [preauth]
Dec 17 15:23:36 Server1 sshd[23633]: Received disconnect from 221.194.47.208 port 36092:11: [preauth]
Dec 17 15:23:36 Server1 sshd[23633]: Disconnected from 221.194.47.208 port 36092 [preauth]
Dec 17 15:26:38 Server1 sshd[24575]: Received disconnect from 221.194.47.224 port 49702:11: [preauth]
Dec 17 15:26:38 Server1 sshd[24575]: Disconnected from 221.194.47.224 port 49702 [preauth]
Dec 17 15:27:26 Server1 sshd[24858]: Received disconnect from 221.194.47.229 port 41578:11: [preauth]
Dec 17 15:27:26 Server1 sshd[24858]: Disconnected from 221.194.47.229 port 41578 [preauth]
Dec 17 15:27:57 Server1 sshd[24978]: Received disconnect from 221.194.44.195 port 52730:11: [preauth]
Dec 17 15:27:57 Server1 sshd[24978]: Disconnected from 221.194.44.195 port 52730 [preauth]
Dec 17 15:28:43 Server1 sshd[25207]: Received disconnect from 121.18.238.104 port 56775:11: [preauth]
Dec 17 15:28:43 Server1 sshd[25207]: Disconnected from 121.18.238.104 port 56775 [preauth]
Dec 17 15:31:16 Server1 sshd[26065]: Received disconnect from 221.194.44.195 port 44378:11: [preauth]
Dec 17 15:31:16 Server1 sshd[26065]: Disconnected from 221.194.44.195 port 44378 [preauth]
Dec 17 15:31:47 Server1 sshd[26200]: Received disconnect from 121.18.238.104 port 40030:11: [preauth]
Dec 17 15:31:47 Server1 sshd[26200]: Disconnected from 121.18.238.104 port 40030 [preauth]
Dec 17 15:34:22 Server1 sshd[27042]: Received disconnect from 221.194.47.229 port 39632:11: [preauth]
Dec 17 15:34:22 Server1 sshd[27042]: Disconnected from 221.194.47.229 port 39632 [preauth]
Dec 17 15:36:52 Server1 sshd[27799]: Received disconnect from 221.194.47.224 port 56669:11: [preauth]
Dec 17 15:36:52 Server1 sshd[27799]: Disconnected from 221.194.47.224 port 56669 [preauth]
Dec 17 15:37:09 Server1 sshd[27943]: Received disconnect from 221.194.44.224 port 52491:11: [preauth]
Dec 17 15:37:09 Server1 sshd[27943]: Disconnected from 221.194.44.224 port 52491 [preauth]
Dec 17 15:37:49 Server1 sshd[28090]: Received disconnect from 221.194.44.231 port 56014:11: [preauth]
Dec 17 15:37:49 Server1 sshd[28090]: Disconnected from 221.194.44.231 port 56014 [preauth]
Dec 17 15:39:47 Server1 sshd[28723]: Received disconnect from 121.18.238.104 port 42416:11: [preauth]
Dec 17 15:39:47 Server1 sshd[28723]: Disconnected from 121.18.238.104 port 42416 [preauth]
Dec 17 15:40:57 Server1 sshd[29075]: Received disconnect from 221.194.44.195 port 41836:11: [preauth]
Dec 17 15:40:57 Server1 sshd[29075]: Disconnected from 221.194.44.195 port 41836 [preauth]
Dec 17 15:41:52 Server1 sshd[29371]: Received disconnect from 221.194.47.229 port 36960:11: [preauth]
Dec 17 15:41:52 Server1 sshd[29371]: Disconnected from 221.194.47.229 port 36960 [preauth]
Dec 17 15:42:58 Server1 sshd[29715]: Received disconnect from 221.194.47.224 port 40100:11: [preauth]
Dec 17 15:42:58 Server1 sshd[29715]: Disconnected from 221.194.47.224 port 40100 [preauth]
Dec 17 15:45:02 Server1 sshd[30360]: Received disconnect from 221.194.44.224 port 44602:11: [preauth]
Dec 17 15:45:02 Server1 sshd[30360]: Disconnected from 221.194.44.224 port 44602 [preauth]
Dec 17 15:45:16 Server1 sshd[30493]: Received disconnect from 121.18.238.98 port 47550:11: [preauth]
Dec 17 15:45:16 Server1 sshd[30493]: Disconnected from 121.18.238.98 port 47550 [preauth]
Dec 17 15:46:50 Server1 sshd[30933]: Received disconnect from 106.3.46.117 port 32849:11: Bye Bye [preauth]
Dec 17 15:46:50 Server1 sshd[30933]: Disconnected from 106.3.46.117 port 32849 [preauth]
Dec 17 15:48:38 Server1 sshd[31542]: Received disconnect from 221.194.47.249 port 40295:11: [preauth]
Dec 17 15:48:38 Server1 sshd[31542]: Disconnected from 221.194.47.249 port 40295 [preauth]
Dec 17 15:49:42 Server1 sshd[31874]: Received disconnect from 221.194.47.249 port 52805:11: [preauth]
Dec 17 15:49:42 Server1 sshd[31874]: Disconnected from 221.194.47.249 port 52805 [preauth]
Dec 17 15:51:03 Server1 sshd[32354]: Received disconnect from 221.194.47.229 port 49887:11: [preauth]
Dec 17 15:51:03 Server1 sshd[32354]: Disconnected from 221.194.47.229 port 49887 [preauth]
Dec 17 15:51:09 Server1 sshd[32410]: Received disconnect from 221.194.44.195 port 46708:11: [preauth]
Dec 17 15:51:09 Server1 sshd[32410]: Disconnected from 221.194.44.195 port 46708 [preauth]
Dec 17 15:52:53 Server1 sshd[448]: Received disconnect from 121.18.238.109 port 51936:11: [preauth]
Dec 17 15:52:53 Server1 sshd[448]: Disconnected from 121.18.238.109 port 51936 [preauth]
Dec 17 15:55:30 Server1 sshd[1392]: Received disconnect from 221.194.44.219 port 33278:11: [preauth]
Dec 17 15:55:30 Server1 sshd[1392]: Disconnected from 221.194.44.219 port 33278 [preauth]
Dec 17 15:59:38 Server1 sshd[2694]: Received disconnect from 121.18.238.98 port 45451:11: [preauth]
Dec 17 15:59:38 Server1 sshd[2694]: Disconnected from 121.18.238.98 port 45451 [preauth]
Dec 17 16:00:15 Server1 sshd[2919]: Received disconnect from 121.18.238.109 port 35244:11: [preauth]
Dec 17 16:00:15 Server1 sshd[2919]: Disconnected from 121.18.238.109 port 35244 [preauth]
Dec 17 16:01:53 Server1 sshd[3383]: Received disconnect from 121.18.238.114 port 38344:11: [preauth]
Dec 17 16:01:53 Server1 sshd[3383]: Disconnected from 121.18.238.114 port 38344 [preauth]
Dec 17 16:05:18 Server1 sshd[4486]: Received disconnect from 121.18.238.104 port 53451:11: [preauth]
Dec 17 16:05:18 Server1 sshd[4486]: Disconnected from 121.18.238.104 port 53451 [preauth]
Dec 17 16:07:05 Server1 sshd[5075]: Received disconnect from 221.194.44.231 port 48716:11: [preauth]
Dec 17 16:07:05 Server1 sshd[5075]: Disconnected from 221.194.44.231 port 48716 [preauth]
Dec 17 16:14:24 Server1 sshd[7342]: Received disconnect from 221.194.47.229 port 35543:11: [preauth]
Dec 17 16:14:24 Server1 sshd[7342]: Disconnected from 221.194.47.229 port 35543 [preauth]
Dec 17 16:17:56 Server1 sshd[8423]: Did not receive identification string from 123.31.31.157 port 61019
Dec 17 16:17:58 Server1 sshd[8429]: Invalid user support from 123.31.31.157 port 61796
Dec 17 16:17:58 Server1 sshd[8429]: input_userauth_request: invalid user support [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: error: Received disconnect from 123.31.31.157 port 61796:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: Disconnected from 123.31.31.157 port 61796 [preauth]
Dec 17 16:21:52 Server1 sshd[9708]: Received disconnect from 221.194.44.224 port 60166:11: [preauth]
Dec 17 16:21:52 Server1 sshd[9708]: Disconnected from 221.194.44.224 port 60166 [preauth]
Dec 17 16:25:31 Server1 sshd[11053]: Received disconnect from 221.194.47.208 port 43136:11: [preauth]
Dec 17 16:25:31 Server1 sshd[11053]: Disconnected from 221.194.47.208 port 43136 [preauth]
Dec 17 16:37:20 Server1 sshd[14770]: Received disconnect from 121.18.238.109 port 53932:11: [preauth]
Dec 17 16:37:20 Server1 sshd[14770]: Disconnected from 121.18.238.109 port 53932 [preauth]
Dec 17 16:46:25 Server1 sshd[17611]: Received disconnect from 222.239.10.143 port 37487:11: Bye Bye [preauth]
Dec 17 16:46:25 Server1 sshd[17611]: Disconnected from 222.239.10.143 port 37487 [preauth]
Dec 17 16:56:23 Server1 sshd[20794]: Received disconnect from 221.194.44.231 port 43393:11: [preauth]
Dec 17 16:56:23 Server1 sshd[20794]: Disconnected from 221.194.44.231 port 43393 [preauth]
Dec 17 17:10:10 Server1 sshd[25124]: Invalid user admin from 111.73.45.188 port 4216
Dec 17 17:10:10 Server1 sshd[25124]: input_userauth_request: invalid user admin [preauth]
Dec 17 17:10:10 Server1 sshd[25124]: Connection reset by 111.73.45.188 port 4216 [preauth]
Dec 17 17:50:42 Server1 sshd[5510]: Did not receive identification string from 113.108.21.16 port 30715
Dec 17 18:01:59 Server1 sshd[9045]: Received disconnect from 221.194.44.219 port 48810:11: [preauth]
Dec 17 18:01:59 Server1 sshd[9045]: Disconnected from 221.194.44.219 port 48810 [preauth]
Dec 17 18:05:40 Server1 sshd[10398]: Received disconnect from 221.194.47.224 port 52949:11: [preauth]
Dec 17 18:05:40 Server1 sshd[10398]: Disconnected from 221.194.47.224 port 52949 [preauth]
Dec 17 18:15:22 Server1 sshd[13460]: Received disconnect from 121.18.238.109 port 33661:11: [preauth]
Dec 17 18:15:22 Server1 sshd[13460]: Disconnected from 121.18.238.109 port 33661 [preauth]
Dec 17 18:37:59 Server1 sshd[20557]: Received disconnect from 221.194.47.229 port 56573:11: [preauth]
Dec 17 18:37:59 Server1 sshd[20557]: Disconnected from 221.194.47.229 port 56573 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 43248 ssh2 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 51064 ssh2 [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 58205 ssh2 [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 2122 ssh2 [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 10968 ssh2 [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:39 Server1 sshd[8606]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 19736 ssh2 [preauth]
Dec 17 19:42:39 Server1 sshd[8606]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:45 Server1 sshd[8629]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 28418 ssh2 [preauth]
Dec 17 19:42:45 Server1 sshd[8629]: Disconnecting: Too many authentication failures [preauth]
moose Posted December 19, 2016

Not sure what router you are using. If you were using pfSense you could set up a rule to block an IP address, series or range of IP addresses. I'd look at your router and see if you can block WAN IP address(es).
tr0910 Posted December 19, 2016

Quoting moose: Not sure what router you are using. If you were using pfSense you could set up a rule to block an IP address, series or range of IP addresses. I'd look at your router and see if you can block WAN IP address(es).

I can do that, or use the hosts.deny file, but the denyhosts plugin sounds like an elegant way to do it. But I don't seem to be able to get it running presently.
METDeath Posted December 19, 2016

You can also port forward and use different external ports than 22.
tr0910 Posted December 19, 2016

Quoting: fail2ban

I see a docker for Let's Encrypt with fail2ban included. Is this what you meant? There doesn't seem to be much other discussion of fail2ban: http://lime-technology.com/forum/index.php?topic=39413.0
aptalca Posted December 19, 2016

Switching to a different random port for SSH will cut down on those attempts significantly.
m4f1050 Posted June 25, 2018 (edited)

Jun 25 09:44:13 MMPC sshd[20914]: Failed password for root from 58.218.198.168 port 38471 ssh2
Jun 25 09:44:13 MMPC sshd[20914]: Received disconnect from 58.218.198.168 port 38471:11: [preauth]
Jun 25 09:44:13 MMPC sshd[20914]: Disconnected from authenticating user root 58.218.198.168 port 38471 [preauth]
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Received disconnect from 58.218.198.168 port 51533:11: [preauth]
Jun 25 09:44:38 MMPC sshd[20951]: Disconnected from authenticating user root 58.218.198.168 port 51533 [preauth]
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:02 MMPC sshd[20983]: Received disconnect from 58.218.198.168 port 53625:11: [preauth]
Jun 25 09:45:02 MMPC sshd[20983]: Disconnected from authenticating user root 58.218.198.168 port 53625 [preauth]
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:27 MMPC sshd[21042]: Received disconnect from 58.218.198.168 port 61755:11: [preauth]
Jun 25 09:45:27 MMPC sshd[21042]: Disconnected from authenticating user root 58.218.198.168 port 61755 [preauth]
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Received disconnect from 58.218.198.168 port 61991:11: [preauth]
Jun 25 09:45:50 MMPC sshd[21094]: Disconnected from authenticating user root 58.218.198.168 port 61991 [preauth]
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Received disconnect from 58.218.198.168 port 18562:11: [preauth]
Jun 25 09:46:15 MMPC sshd[21131]: Disconnected from authenticating user root 58.218.198.168 port 18562 [preauth]
Jun 25 09:46:40 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Received disconnect from 58.218.198.168 port 33124:11: [preauth]
Jun 25 09:46:41 MMPC sshd[21183]: Disconnected from authenticating user root 58.218.198.168 port 33124 [preauth]
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Received disconnect from 58.218.198.168 port 45894:11: [preauth]
Jun 25 09:47:06 MMPC sshd[21224]: Disconnected from authenticating user root 58.218.198.168 port 45894 [preauth]

I am getting a ton of these. Has anybody set up a good docker to block these after, let's say, 5 or 10 invalid logins? Thanks!

Edited June 25, 2018 by m4f1050
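tr0910's request (ban an IP on its logged unsuccessful attempts) and m4f1050's (block after 5 or 10 invalid logins) are the same job: count sshd failure lines per source address and block the address once it crosses a threshold inside a time window, which is all denyhosts and fail2ban do underneath. The script below is an added example written for this thread; it is not code from the thread, from unRAID, from the SSH_Config plugin, nor from denyhosts or fail2ban. The log lines in it are constructed in the formats seen in the two posts above, and the threshold, window and year are assumptions (syslog lines carry no year). A keys-only server mostly sees "Received disconnect ... [preauth]" with no "Failed password" line, because the scanner gives up when no password method is offered, so those are counted too, once per connection (sshd PID), to avoid double-counting a session that already logged an explicit failure.

```python
"""Count sshd authentication failures per source IP and emit a block list.

Added example for this thread; not from unRAID, the SSH_Config plugin,
denyhosts or fail2ban. Threshold, window and year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "Mon DD HH:MM:SS host sshd[pid]: message" as seen in the posts above.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Explicit failures: every line is one failed attempt (fail2ban counts these too).
EXPLICIT = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"maximum authentication attempts exceeded for \S+ from (?P<ip>[\d.]+) port \d+"),
]
# Implicit failures: the client left before authenticating. Counted only when the
# same connection (PID) produced no explicit failure line.
IMPLICIT = [
    re.compile(r"Received disconnect from (?P<ip>[\d.]+) port \d+:\d+:.*\[preauth\]"),
    re.compile(r"Connection reset by (?P<ip>[\d.]+) port \d+ \[preauth\]"),
    re.compile(r"Did not receive identification string from (?P<ip>[\d.]+) port \d+"),
]


def classify(msg):
    """Return (source_ip, is_explicit) for a failure message, else (None, False)."""
    for pat in EXPLICIT:
        m = pat.search(msg)
        if m:
            return m["ip"], True
    for pat in IMPLICIT:
        m = pat.search(msg)
        if m:
            return m["ip"], False
    return None, False


def find_offenders(lines, threshold=5, window_seconds=3600, year=2016):
    """Return (totals, banned): failures per IP, and IP -> time the threshold was hit.

    The window is sliding: only failures within window_seconds of the newest one
    count toward the threshold, so a slow scanner is not banned for old noise.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    totals = defaultdict(int)
    banned = {}
    explicit_pids = set()         # connections already counted via an explicit line
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ip, is_explicit = classify(m["msg"])
        if ip is None:
            continue
        if is_explicit:
            explicit_pids.add(m["pid"])
        elif m["pid"] in explicit_pids:
            continue              # session already counted, do not count its disconnect
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        totals[ip] += 1
        q = recent[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in banned:
            banned[ip] = when
    return dict(totals), banned


def block_rules(banned):
    """Same block list in hosts.deny (tcp_wrappers) form and as iptables commands."""
    ips = sorted(banned)
    return ([f"sshd: {ip}" for ip in ips],
            [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips])


# Constructed sample in the formats of the two posts above (not a real capture).
SAMPLE_LOG = """\
Dec 17 15:19:15 Server1 sshd[22277]: Received disconnect from 121.18.238.109 port 40257:11: [preauth]
Dec 17 15:19:15 Server1 sshd[22277]: Disconnected from 121.18.238.109 port 40257 [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Received disconnect from 121.18.238.109 port 38959:11: [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Disconnected from 121.18.238.109 port 38959 [preauth]
Dec 17 16:17:56 Server1 sshd[8423]: Did not receive identification string from 123.31.31.157 port 61019
Dec 17 16:17:58 Server1 sshd[8429]: Invalid user support from 123.31.31.157 port 61796
Dec 17 16:17:58 Server1 sshd[8429]: input_userauth_request: invalid user support [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: error: Received disconnect from 123.31.31.157 port 61796:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: Disconnected from 123.31.31.157 port 61796 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 43248 ssh2 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 51064 ssh2 [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 58205 ssh2 [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 2122 ssh2 [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 10968 ssh2 [preauth]
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Received disconnect from 58.218.198.168 port 51533:11: [preauth]
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:02 MMPC sshd[20983]: Received disconnect from 58.218.198.168 port 53625:11: [preauth]
"""

if __name__ == "__main__":
    totals, banned = find_offenders(SAMPLE_LOG.splitlines())
    for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n:4} failures" + (f"  banned at {banned[ip]:%b %d %H:%M:%S}" if ip in banned else ""))
    for rule in block_rules(banned)[0]:
        print(rule)
```

Run it as `python3 sshban.py < /var/log/syslog` after replacing the sample with `sys.stdin`; it is a one-shot report, not a daemon, so a cron job would have to re-run it and append the hosts.deny lines. Two caveats before relying on hosts.deny: upstream OpenSSH dropped tcp_wrappers (libwrap) support in 6.7, so whether a given sshd build honours hosts.deny at all has to be tested, and the iptables rule works regardless; and any such script must whitelist the backup source address first, since a mistyped key on your own side would otherwise lock you out of your own server.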
ken-ji Posted June 25, 2018

First off, shut down your unRAID server, then reconfigure your router to not put the unRAID server on a DMZ (or port forward the SSH port). Then there's no problem anymore.

But seriously, why is the unRAID server (or the SSH port) exposed to the internet at large?
pwm Posted June 25, 2018

Any SSH server that is exposed should be configured to only support keys, never passwords. The first time the scan programs are requested to supply a key, they will instantly disconnect and go looking for a different server. And since internal machines can also be hacked and used as stepping stones to attack other machines, even internal SSH servers really should be configured to not allow password login. Never design a system with just shell protection; assume that every machine around you is hostile.
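Whether pwm's advice has actually taken effect is worth checking rather than assuming, because sshd_config has two traps: for each keyword sshd uses the first value it reads, so a `PasswordAuthentication no` appended below an earlier `yes` (or below a `Match` block) changes nothing, and keyboard-interactive authentication is a second password prompt when `UsePAM yes` is set, so `PasswordAuthentication no` alone is not enough. The auditor below is an added example written for this thread, not code from unRAID or the SSH_Config plugin; the weak and hardened config fragments are constructed, and the lines they contain are standard OpenSSH keywords.

```python
"""Audit an sshd_config for password logins that are really off.

Added example for this thread; not from unRAID or the SSH_Config plugin.
Both config fragments below are constructed.
"""
import re

PASSWORD_KEYS = ("passwordauthentication", "challengeresponseauthentication",
                 "kbdinteractiveauthentication")
SAFE_ROOT = ("no", "prohibit-password", "without-password", "forced-commands-only")


def parse_sshd_config(text):
    """Parse sshd_config the way sshd reads it.

    Keywords are case-insensitive, '=' or whitespace separates keyword and value,
    comments start with '#', and for each keyword the FIRST value wins. Everything
    after a 'Match' line belongs to that block until the next 'Match'.
    Returns (global_settings, match_blocks, ignored): match_blocks is a list of
    (criteria, settings); ignored lists later duplicates whose value differs from
    the one that took effect.
    """
    settings, blocks, ignored = {}, [], []
    current = settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        if key in current:
            if current[key].lower() != value.lower():
                ignored.append((key, value))
            continue
        current[key] = value
    return settings, blocks, ignored


def audit(text):
    """Return a list of findings; an empty list means keys-only login is enforced."""
    g, blocks, ignored = parse_sshd_config(text)
    findings = []
    pw = g.get("passwordauthentication", "yes")          # upstream default is yes
    if pw.lower() != "no":
        findings.append(f"passwordauthentication: effective value is '{pw}'")
    for key, value in ignored:
        findings.append(f"{key}: later line '{value}' is ignored, first value wins")
    # ChallengeResponseAuthentication and KbdInteractiveAuthentication are the same
    # knob (the former is the older name); either one set to no is enough.
    kbd = [g[k].lower() for k in PASSWORD_KEYS[1:] if k in g]
    if not kbd or "yes" in kbd:
        findings.append("keyboard-interactive: still enabled; with UsePAM yes this is a second password prompt")
    root = g.get("permitrootlogin")
    if root is None:
        findings.append("permitrootlogin: unset; default is 'yes' before OpenSSH 7.0, set it explicitly")
    elif root.lower() not in SAFE_ROOT:
        findings.append(f"permitrootlogin: '{root}' allows root password login")
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("pubkeyauthentication: disabled, keys-only login is impossible")
    for criteria, block in blocks:
        for k in PASSWORD_KEYS:
            if block.get(k, "").lower() == "yes":
                findings.append(f"match: block '{criteria}' re-enables {k}")
        if block.get("permitrootlogin", "").lower() == "yes":
            findings.append(f"match: block '{criteria}' re-enables root password login")
    return findings


WEAK = """\
# constructed example: looks hardened at a glance, is not
Port 22
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
PasswordAuthentication no      # added later at the bottom; sshd ignores it
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

HARDENED = """\
# constructed example: keys only, root allowed with a key only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 20
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "->", audit(cfg) or ["ok"])
```

The script is for checking a config file before pushing it. On the live box the authoritative check is `sshd -T`, which prints the effective value of every keyword (add `-C user=root,addr=1.2.3.4` to see what a `Match` block does for a given client), and from outside, `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password root@host` should fail with `Permission denied (publickey)` and never show a password prompt. `PermitRootLogin prohibit-password` needs OpenSSH 7.0 or later; older builds spell it `without-password`.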
jbartlett Posted July 19, 2018

To expand on what was mentioned above, never use standard ports on any home server, exposed or not, if you can help it.