Web lists-archives.com

Re: Undesired ssh login attempts




	Hi.

On Sun, Jun 10, 2018 at 12:55:24PM +0200, deloptes wrote:
> Hi,
> I recently get many of those, which means someone found out that ssh
> external is on port 22222 and is trying to do some evil work there.
> Should I worry or do something?
> Similar for apache web server.

You mean that all these connections originate from 197.159.128.171?
"iptables -I INPUT -s 197.159.128.171/29 -j DROP" will take care of it.

While you're at it, write an abuse letter to Jonathan Lamptey - he? owns
problematic IP range according to AFRINIC.


> I think both are secure: for ssh no users with easy password allowed to
> login

If you have password-enabled ssh with stock Ciphers, MACs, and Kex'es
enabled, and your only protection is non-standard ssh port - then you
are doing it wrong.

Set these to /etc/ssh/sshd_config, and watch all those script-kiddies
cry as they won't be able to connect to you at all:

Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx
KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256

And forbid ssh password authentication. They've invented key-based
authentication for cases like yours 15 years ago.


> and apache - no pages or stuff that would compromise.

As long as this apache serves static HTML only then you're probably safe
indeed.

Reco