Question:
How to secure SSH on my server?
anonymous
2014-03-04 13:56:10 UTC
Hi There,

Thank you very much in advance, as I’m getting tired of having the same issue again and again. I don’t want the security of my server to be compromised. It seems like my dedicated server keeps getting unusual login attempts from external sources. In my SSH logs (I’m running Ubuntu and the path for my logs is /var/log/auth.log), I keep getting “Authentication Failed” from several external IPs (the exact message is “Failed password for root from XX.XX.XX.XX”). They’re trying to connect to the server through SSH using the root user. I did some research and followed a couple of tips I was given, but I keep having the same issue over and over. The last thing I tried is Fail2Ban, but I ran into an issue: I blocked my own IP for 15 minutes at a critical moment of the day. It prevented me from doing important changes and affected my company a lot! Since this, I don’t use Fail2Ban anymore, because I’m afraid that something similar might happen again.

Can anyone please help me secure my SSH with an option other than Fail2Ban?

Thanks so much in advance :)
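As an added example (not part of the original question or any of the answers), a small shell script that pulls per-source failure counts out of auth.log lines in the exact format quoted above, while skipping an allowlist of the admin's own addresses so they can never be mistaken for attackers. The log lines are constructed, 203.0.113.10 is an assumed admin IP from a documentation range, and the function names are mine.

```shell
#!/bin/sh
# Per-source summary of SSH password failures, with an allowlist for the
# admin's own addresses. Added example; the log lines are constructed.

# Assumed admin addresses (documentation range); never counted or banned.
ADMIN_ALLOWLIST="203.0.113.10 127.0.0.1"

# Constructed /var/log/auth.log excerpt in the format the question quotes.
SAMPLE_LOG='Mar  4 13:50:01 srv sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Mar  4 13:50:02 srv sshd[2201]: Failed password for root from 198.51.100.7 port 51123 ssh2
Mar  4 13:50:03 srv sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Mar  4 13:51:10 srv sshd[2210]: Failed password for root from 192.0.2.44 port 40010 ssh2
Mar  4 13:52:00 srv sshd[2215]: Failed password for alice from 203.0.113.10 port 60001 ssh2
Mar  4 13:52:30 srv sshd[2216]: Accepted publickey for alice from 203.0.113.10 port 60002 ssh2'

# failed_logins_by_ip: read auth.log lines on stdin, print "<count> <ip>"
# per source, busiest first, skipping ADMIN_ALLOWLIST entries.
failed_logins_by_ip() {
    awk -v allow="$ADMIN_ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            # the source address is the field right after the word "from"
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# root_failures_by_ip: same, but only attempts against root, the pattern
# the poster sees; useful to decide which sources to block by hand.
root_failures_by_ip() {
    grep 'Failed password for root from ' | failed_logins_by_ip
}

# top_offender: busiest non-allowlisted source, e.g. for a manual rule such as
#   iptables -I INPUT -s <ip> -p tcp --dport 22 -j DROP
top_offender() { failed_logins_by_ip | head -n 1 | awk '{ print $2 }'; }

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
```

Pipe the real log through it (`failed_logins_by_ip < /var/log/auth.log`) to see who is hammering the server. The allowlist is exactly what was missing when Fail2Ban banned the poster's own address: fail2ban has the same idea built in as the `ignoreip` setting in jail.local, which should list the admin's own addresses before any jail is enabled.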
Three answers:
anonymous
2014-03-06 13:38:49 UTC
Other than manually blocking IPs in your firewall, you could secure your SSH connection by following the steps found in this article. By “deactivating” root login, you can rest assured that the security will not be breached for the user “root”. You can also change the port of the SSH configuration to listen on a different port than 22, but you need to adjust your server accordingly. Let me know if that helps you or if you need more assistance. I read an article about that on the GloboTech Communications Blog. The article is named “Securing a Linux server - Hardening SSH security”. I put the link in the source section. Make sure not to lock yourself out of your server, though.
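An added example, not from the GloboTech article or the answer above: a shell audit of an OpenSSH server config for the two settings the answer recommends (root login off, non-default port), plus password authentication off, which a later answer recommends. In OpenSSH the server config is /etc/ssh/sshd_config and the directives are `PermitRootLogin`, `Port` and `PasswordAuthentication`; both config files here are constructed, port 2222 and user alice are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Audit an OpenSSH sshd_config for root login, password auth and the listen
# port. Added example; both config files below are constructed.

# effective_value FILE KEYWORD -> value of the first active occurrence of
# KEYWORD (sshd keywords are case-insensitive and the first match wins),
# or nothing if the keyword is absent or only present in a comment.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per weak setting; returns 1 if any.
audit_sshd_config() {
    cfg="$1"; bad=0
    v="$(effective_value "$cfg" PermitRootLogin)"
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}' (old releases default to yes); want no"; bad=1
    fi
    v="$(effective_value "$cfg" PasswordAuthentication)"
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}' (defaults to yes); want no once keys work"; bad=1
    fi
    v="$(effective_value "$cfg" Port)"
    if [ "${v:-22}" = "22" ]; then
        echo "Port is 22; a non-default port cuts scanner noise (open it in the firewall first)"; bad=1
    fi
    return $bad
}

WEAK_CFG="$(mktemp)"; HARDENED_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Constructed: roughly what a stock Ubuntu sshd_config looked like in 2014.
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no   # commented out, so it does not apply
UsePAM yes
EOF

# Constructed hardened version (port 2222 and user alice are assumptions).
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
UsePAM yes
EOF

audit_sshd_config "$WEAK_CFG"     || echo "-> weak config rejected"
audit_sshd_config "$HARDENED_CFG" && echo "-> hardened config passes"
```

Run `audit_sshd_config /etc/ssh/sshd_config` before and after editing. To avoid locking yourself out: keep your current SSH session open, run `sshd -t` to syntax-check the new file, open the new port in the firewall before switching to it, and only then restart sshd and confirm a fresh login works from a second terminal.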
?
2014-03-04 22:22:58 UTC
Do NOT use automated programs to block IP addresses; they often see a failed login due to timeouts or other Internet issues as an attack and block a required machine. This can stop customers seeing web sites or email connections and, as you found out, your own admin. Also, it is not blocking the attacker's machine, as they use other people's infected machines to carry out the attacks.

You need to make sure your sshd.conf file includes the allowrootlogin set to no. NEVER allow root access to ssh, as it is the one account that the system can not risk blocking for unusual activity. Always use an ordinary user to log in. Then su if you require root access, and only for as long as you are using it.

You obviously have no experience running servers. On public servers I maintain I see as many as 2000 such attacks, often mixed with others, in ONE HOUR from one attack script. Often also there can be 4 or 5 such attacks in a day. EVERY machine on the Internet suffers these attempts, as the scripts randomly choose a block of IP addresses and attack each in turn. Except for public servers it is not noticed, as the router and machine firewalls just drop such attacks because they are not offering external port access. A public server can NOT do that, as it needs to see which ports are requested.

If root ssh is blocked, you should be more worried about validating public data entry by visitors to your site. There are tricks they can use to gain FULL access to your server just by entering a tiny piece of code into any data entry field.
ratter_of_the_shire
2014-03-06 00:56:35 UTC
What fred said. Disable root login, and don't have your user called something obvious like www or admin ....

Require keys for login (two factor authentication), or you can link to a smartcard or gnuk.

And for the really paranoid you can set up a port knocking requirement before the ssh port will open.
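As an added example (not from the answer above): installing a public key for key-only login the careful way, with restrictive authorized_keys options, tight permissions and no duplicate entries. The key line is a constructed placeholder rather than a real key, the home directory is a temp dir standing in for the user's home, 203.0.113.10 is an assumed admin address, and the function names are mine.

```shell
#!/bin/sh
# Install a public key for key-only SSH login with restrictive options,
# tight permissions and no duplicates. Added example; the key line is a
# constructed placeholder, not a real key.

USER_HOME="$(mktemp -d)"            # assumed: stands in for /home/alice
trap 'rm -rf "$USER_HOME"' EXIT

# authorized_keys options sshd honours: limit where the key may be used from
# (assumed admin address, documentation range) and what it may do.
KEY_OPTIONS='from="203.0.113.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

# Constructed "<type> <base64> <comment>" line, shaped like ssh-keygen output.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl alice@laptop'

# valid_pubkey LINE -> 0 if LINE looks like a supported key type, a base64
# blob and an optional comment; rejects anything else before it hits the file.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$'
}

# install_authorized_key HOME PUBKEY -> appends "<KEY_OPTIONS> <PUBKEY>" to
# HOME/.ssh/authorized_keys unless that key blob is already there.
install_authorized_key() {
    home="$1"; key="$2"
    valid_pubkey "$key" || { echo "refusing malformed key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"   # StrictModes rejects group/world-writable dirs
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    blob="$(printf '%s\n' "$key" | awk '{ print $2 }')"  # compare on the blob, not the comment
    if grep -Fq -- "$blob" "$ak"; then
        echo "key already installed"
        return 0
    fi
    printf '%s %s\n' "$KEY_OPTIONS" "$key" >> "$ak"
    echo "installed key for $(printf '%s\n' "$key" | awk '{ print $3 }')"
}

# count_keys HOME -> number of entries in authorized_keys
count_keys() { grep -c '^' "$1/.ssh/authorized_keys"; }

# mode_of PATH -> permission string such as drwx------ (portable, no stat -c)
mode_of() { ls -ld "$1" | cut -c1-10; }

install_authorized_key "$USER_HOME" "$SAMPLE_PUBKEY"
cat "$USER_HOME/.ssh/authorized_keys"
```

Generate a real key with `ssh-keygen -t ed25519` on the client, install the .pub line with install_authorized_key, and confirm `ssh -i ~/.ssh/id_ed25519 alice@server` works from a second terminal before setting PasswordAuthentication no. The from= option only suits a static admin address; drop it if yours changes, or you will lock yourself out the same way Fail2Ban did.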


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.