Web lists-archives.com

Re: Undesired ssh login attempts

On 10-06-18, Reco wrote:
> 	Hi.
> On Sun, Jun 10, 2018 at 12:55:24PM +0200, deloptes wrote:
> > Hi,
> > I recently get many of those, which means someone found out that ssh
> > external is on port 22222 and is trying to do some evil work there.
> > Should I worry or do something?
> > Similar for apache web server.
> You mean that all these connections originate from
> "iptables -I INPUT -s -j DROP" will take care of it.
> While you're at it, write an abuse letter to Jonathan Lamptey - he? owns
> problematic IP range according to AFRINIC.

While that will certainly solve that problematic IP address, best
practice would be to have some limit per IP address set in your firewall
rules. In case of using iptables something like this should work:

iptables I INPUT -p tcp --dport 2222 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 2222 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j DROP

That will limit to 3 attempts per minute per IP address for port 2222 which you use for SSH. If you use ufw for firewall, it would be simpler:

ufw limit 2222/tcp
> > I think both are secure: for ssh no users with easy password allowed to
> > login
> If you have password-enabled ssh with stock Ciphers, MACs, and Kex'es
> enabled, and your only protection is non-standard ssh port - then you
> are doing it wrong.
> Set these to /etc/ssh/sshd_config, and watch all those script-kiddies
> cry as they won't be able to connect to you at all:
> Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx
> KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
> And forbid ssh password authentication. They've invented key-based
> authentication for cases like yours 15 years ago.

Aye, key-based authentication is definitely way to go. Password
authentication is bad for your health.