
Re: Undesired ssh login attempts




Reco wrote:

> You mean that all these connections originate from 197.159.128.171?
> "iptables -I INPUT -s 197.159.128.171/29 -j DROP" will take care of it.
> 

No, this was just an example - they come from different IPs. Some days
nothing, some days it is nothing.

> While you're at it, write an abuse letter to Jonathan Lamptey - he? owns
> problematic IP range according to AFRINIC.
> 
> 
>> I think both are secure: for ssh no users with easy password allowed to
>> login
> 
> If you have password-enabled ssh with stock Ciphers, MACs, and Kex'es
> enabled, and your only protection is non-standard ssh port - then you
> are doing it wrong.
> 
> Set these to /etc/ssh/sshd_config, and watch all those script-kiddies
> cry as they won't be able to connect to you at all:
> 
> Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx
> KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
> 
> And forbid ssh password authentication. They've invented key-based
> authentication for cases like yours 15 years ago.
> 
> 

Thanks, this is good advice I will investigate. In fact I have 2 ssh
servers - one for internal network and one for external. External is
allowed only for 3 users including me. When I upgraded to jessie or to
stretch I also updated the cipher rules, but I will double check.

>> and apache - no pages or stuff that would compromise.
> 
> As long as this apache serves static HTML only then you're probably safe
> indeed.

Ok thanks for that - I think it is true as it is a local server and there is
nothing php - but just documentation.

thanks 

regards
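
A way to double check the settings discussed in this thread, as an added example that is not part of the original messages: the script audits the global section of an sshd_config for password authentication and for the three algorithm lists quoted above. The function name and both sample configs are constructed for illustration; algorithm names are matched up to the `@` suffix, which the archive masks and which is kept masked here.

```python
import re

# The lists from the quoted advice; the part after "@" is masked by the
# archive, so any suffix is accepted there (assumption of this example).
PINNED = {
    "ciphers": re.compile(r"(chacha20-poly1305|aes256-gcm)@\S+"),
    "macs": re.compile(r"(hmac-sha2-(512|256)|umac-128)-etm@\S+"),
    "kexalgorithms": re.compile(
        r"curve25519-sha256@\S+|diffie-hellman-group-exchange-sha256"),
}

def audit_sshd_config(text):
    """Return findings for the global (pre-Match) part of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional blocks not audited
            break
        # sshd keeps the first value it obtains for a keyword
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    findings = []
    # PasswordAuthentication defaults to "yes" when the keyword is absent
    if seen.get("passwordauthentication", "yes").lower() != "no":
        findings.append("passwordauthentication: not set to 'no'")
    for key, allowed in PINNED.items():
        value = seen.get(key)
        if value is None:
            findings.append(f"{key}: not set, stock defaults apply")
        elif value[:1] in ("+", "-", "^"):  # edits the default list
            findings.append(f"{key}: modifies stock list, does not replace it")
        else:
            bad = [a for a in value.split(",") if not allowed.fullmatch(a)]
            if bad:
                findings.append(f"{key}: outside pinned set: {','.join(bad)}")
    return findings

# Constructed sample: the quoted lines plus key-only authentication.
HARDENED = """PasswordAuthentication no
Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx
KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
"""
# Constructed sample: non-standard port as the only protection.
WEAK = """Port 2222
Ciphers aes256-gcm@xxxxxxxxxxx,aes128-cbc
KexAlgorithms +diffie-hellman-group1-sha1
"""
```

Feed it the file contents, for example `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means the global section matches the quoted advice.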