[nmglug] ssh attacks

ABQLUG Events community at abqlug.com
Mon Aug 8 12:35:14 PDT 2022


Hi Aaron,

I think the answers to your questions have been hammered away pretty 
well. But I wanted to give my 2¢.

Are the machines on-prem, in a datacenter, or on a cloud provider (such 
as Linode, DigitalOcean, Azure, or AWS)? Also, what distro and version 
are you using? Having those answers can help give more detailed advice.

Above all, the biggest takeaway should be to use a belt-and-suspenders 
approach. If any one approach has a flaw, you have other layers of 
protection to fall back on.

This is what I do on a Linode hosted Ubuntu VPS.

1) I set these in /etc/ssh/sshd_config

PermitRootLogin                  no
StrictModes                      yes
PubkeyAuthentication             yes
AuthorizedKeysFile               .ssh/authorized_keys
PasswordAuthentication           no
PermitEmptyPasswords             no
AuthenticationMethods            publickey

2) Before proceeding, establish a new ssh session, to make sure ssh 
still works.

3) I set up some Linode firewall rules to only allow my IP address to 
connect over port 22.

https://www.youtube.com/watch?v=H7wM5mDI1-k

4) Check ssh again. Then I use UFW to set up a firewall on the OS side; 
replace 1.2.3.4 with your IP address. Repeat the firewall rule if you have 
multiple hosts to ssh from.

sudo ufw default deny incoming
sudo ufw allow proto tcp from 1.2.3.4 to any port 22
sudo ufw enable

5) Set up fail2ban (especially if you decide to not use any firewalls)

https://www.linode.com/docs/guides/how-to-use-fail2ban-for-ssh-brute-force-protection/

As Akkana mentioned, you really should also set up an out-of-band 
"backdoor"; it is critical, especially if the server isn't on-prem and it 
isn't easy to gain console-level access. If the server is hosted with a 
cloud provider, for example Linode, you can use their Lish Console through 
a web browser to gain console-level access.

What I do with some servers at BigByte is set up an OpenVPN server that 
has a hole poked through the firewalls. You could also use something 
like TailScale if you haven't set up OpenVPN before.

And of course don't forget to use a strong and unique passphrase on all 
of your ssh keys. If you get tired of typing in ssh passphrases, you can 
set up an SSH agent (for example ssh-agent, Gnome Keyring, or KDE Wallet) 
to cache the passphrases until you reboot.

I'm planning on doing a deep dive on using Google Authenticator to set up 
2FA on SSH. But I haven't gotten around to it...yet.

https://www.linode.com/docs/guides/how-to-use-one-time-passwords-for-two-factor-authentication-with-ssh-on-ubuntu/

Hope this helps!

~ Jared
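To check a server against steps 1 and 4 above, here is an added shell script (written for this page, not Jared's, Linode's or OpenSSH's code). It audits an sshd_config file for the step-1 directives and prints the step-4 UFW commands for one or more admin IPs. It assumes POSIX sh with awk; the admin IP 1.2.3.4 is the placeholder from the mail, and the config inside demo() is constructed, not copied from any host. It honours two sshd rules that are easy to forget: the first occurrence of a keyword wins, and anything after a Match line only applies inside that block.

```shell
#!/bin/sh
# Added example, not from the original mail: audit an sshd_config against
# the step-1 directives and print the step-4 UFW rules for admin IPs.
# Assumptions: POSIX sh with awk; paths and IPs are parameters you supply.
# Include directives are NOT followed (check "sudo sshd -T" for that).

# Directive/value pairs recommended in step 1 of the mail.
WANTED='PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey'

# effective_value FILE DIRECTIVE
# Prints the global value of DIRECTIVE. sshd keeps the FIRST occurrence of a
# keyword (keywords are case-insensitive), and anything after a Match line
# applies only inside that Match block, so the scan stops there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/  { next }            # skip comments and blanks
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE
# Reports each recommended directive as OK, WRONG (set to another value) or
# MISSING (commented out or absent, so the compiled-in default applies).
# Returns 0 only when every directive matches.
check_sshd_config() {
    file=$1; rc=0
    while read -r directive want; do
        got=$(effective_value "$file" "$directive")
        if [ -z "$got" ]; then
            echo "MISSING $directive (want $want)"; rc=1
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "WRONG   $directive is $got (want $want)"; rc=1
        else
            echo "OK      $directive $got"
        fi
    done <<EOF
$WANTED
EOF
    return $rc
}

# ufw_rules ADMIN_IP...
# Prints the step-4 UFW commands, one allow rule per admin IP, for review
# before you run them on the server.
ufw_rules() {
    echo "sudo ufw default deny incoming"
    for ip in "$@"; do
        echo "sudo ufw allow proto tcp from $ip to any port 22"
    done
    echo "sudo ufw enable"
}

# demo: audit a constructed Ubuntu-style config that still allows password
# logins, has PermitRootLogin commented out, and hides a setting in a Match
# block. Returns the audit status (non-zero here).
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample, not a real server's file
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
StrictModes yes
Match User deploy
    PasswordAuthentication no
EOF
    check_sshd_config "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

demo || echo "audit found deviations (status $?); re-check with: sudo sshd -T"
ufw_rules 1.2.3.4
```

Run it as `sh audit.sh`, or source it and call `check_sshd_config /etc/ssh/sshd_config` on the real file. On Ubuntu 22.04 the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and because the first occurrence wins, a drop-in file there overrides whatever you set further down; `sudo sshd -T` prints the effective values and is the final word before you close your second session from step 2.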
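Step 5 and Aaron's question about the "sshd wrapper which could ban an IP after failed attempts" describe what fail2ban does: count failures per source address and act once maxretry of them fall inside findtime. The following is an added illustration of that counting logic (not fail2ban's own code, and it installs no ban; it only prints the addresses that cross the threshold). It assumes POSIX sh with awk, log lines in the format sshd writes to /var/log/auth.log, and that all lines are from the same day; the sample lines and the TEST-NET addresses in them are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail: a model of fail2ban's sshd jail
# counting, run over constructed auth.log lines. Assumptions: POSIX sh with
# awk; syslog timestamps all on one day; thresholds mirror fail2ban's
# defaults (maxretry=5, findtime=600 seconds). Nothing is banned, only printed.

# Constructed sample log: one scanner hammering guessed usernames, one host
# with five slow attempts spread over an hour, and one admin host with a
# successful key login followed by two typos.
SAMPLE_LOG='Aug  8 09:00:01 vps sshd[900]: Failed password for root from 192.0.2.5 port 40001 ssh2
Aug  8 09:15:01 vps sshd[901]: Failed password for root from 192.0.2.5 port 40002 ssh2
Aug  8 09:30:01 vps sshd[902]: Failed password for root from 192.0.2.5 port 40003 ssh2
Aug  8 09:45:01 vps sshd[903]: Failed password for root from 192.0.2.5 port 40004 ssh2
Aug  8 10:00:01 vps sshd[904]: Failed password for root from 192.0.2.5 port 40005 ssh2
Aug  8 10:01:02 vps sshd[1001]: Invalid user admin from 203.0.113.7 port 51234
Aug  8 10:01:04 vps sshd[1002]: Invalid user oracle from 203.0.113.7 port 51240
Aug  8 10:01:06 vps sshd[1003]: Invalid user test from 203.0.113.7 port 51250
Aug  8 10:01:08 vps sshd[1004]: Invalid user ubuntu from 203.0.113.7 port 51260
Aug  8 10:01:10 vps sshd[1005]: Invalid user pi from 203.0.113.7 port 51270
Aug  8 10:01:12 vps sshd[1006]: Invalid user git from 203.0.113.7 port 51280
Aug  8 10:02:00 vps sshd[1010]: Accepted publickey for jared from 198.51.100.9 port 60000 ssh2
Aug  8 10:03:00 vps sshd[1011]: Failed password for invalid user admin from 198.51.100.9 port 60010 ssh2
Aug  8 10:03:05 vps sshd[1012]: Failed password for invalid user admin from 198.51.100.9 port 60011 ssh2'

# ban_candidates MAXRETRY FINDTIME  (log on stdin)
# Prints each source IP once, at the moment its MAXRETRY-th failure lands
# inside a sliding FINDTIME-second window. Only "Failed password" and
# "Invalid user" lines count; successful logins are ignored.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            split($3, t, ":")                       # HH:MM:SS -> seconds
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || banned[ip]) next
            n[ip]++; seen[ip, n[ip]] = ts
            hits = 0                                # failures inside the window
            for (i = 1; i <= n[ip]; i++) if (seen[ip, i] >= ts - findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# report: run the sample with fail2ban-style defaults.
report() {
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 600
}

echo "would ban (maxretry=5, findtime=600):"
report
```

With the defaults only 203.0.113.7 is reported: 192.0.2.5 never has five failures inside any ten-minute window, and the admin host stays well under the threshold, which is why Jared's step 4 of allowing only your own address is the stronger control and fail2ban is the fallback. Widening findtime to an hour (`ban_candidates 5 3600`) catches the slow host too; that trade-off between a long window and locking out a legitimate user after a few mistakes is the one you tune in jail.local. On a live system you would feed `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample string.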

On 8/8/22 10:01, Aaron Birenboim wrote:
> I've been getting constant ssh attacks, like several per minute.
> 
> Any suggestions?   I could change the port from 22, but I don't know if 
> that will do much.
> 
> There used to be some sort of sshd wrapper which could ban an IP after 
> failed attempts.  I think it was deprecated.   The attack IP changes, 
> but there are often a few dozen attacks from the same IP. Again, some 
> help...  but not much.
> 
> I have password access disabled.  (You need to have a key to ssh in). 
> Anything else I should do?
> 
> aaron
> 

