Re: [tor-relays] SSH login attempts
> Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process.

If you take that approach, make sure you are using a hardware firewall blocking inbound connections to ports above 1024.

Also SSH Keys, password auth disabled is enough - you don't even need to change your SSH port :D

On Tue, Sep 4, 2018 at 8:44 AM Sean Brown wrote:

> On Sep 4, 2018, at 8:40 AM, Natus wrote:
> >
> >> Use some tool like fail2ban and/or ssh key authentication.
> >
> > Also change the default port of your ssh endpoint (eg: )
> >
> >
>
> Using an obscure port only prevents attempts being logged, nothing else.
> And if you’re going to use an alternate port, pick one under 1024. Make it
> so an attacker needs to be root before they replace your sshd process.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] SSH login attempts
Hello Marcus,

On an ongoing basis, most of my relays get up to 4000 attempts each day. It's standard practice I guess! Many, many are from just a few IP addresses. The rest are just a few per IP address. Occasionally, I will go beyond the fail2ban "ban" and block an IP address in iptables via ufw. I then unblock that IP address in a week or two. I set fail2ban for long blocks maybe up to 12 hours (43000-seconds).

So, harden your operating system as best you can. SSH works but disable the password entry, X11, etc. if possible. This is always safe if your provider has a dashboard for you to use as a secondary access to the server. I change my SSH port number but that only slows the professionals by minutes or seconds. Remember to change the fail2ban SSH port number if you do that.

Your host provider should have DDoS protection for his/her entire plant.

And don't sweat it! Learn from the experiences.

On 9/4/2018 5:35 AM, Marcus Wahle wrote:

> Dear all,
>
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login attempts from different IPs.
> Is there anybody else affected?
>
> Best regards
> Marcus

--
One person's moral compass is another person's face in the dirt.
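Added example (not part of the thread, and not fail2ban's own code): a small Python sketch of the per-IP sliding-window ban logic that tools like fail2ban apply, run over constructed sshd log lines. The parameter names follow fail2ban's `maxretry`, `findtime` and `bantime` options; the 43000-second ban is the value quoted in the message above, while the other defaults, the host name and the documentation-range addresses are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Sep  4 14:00:01 relay sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  4 14:00:03 relay sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Sep  4 14:00:04 relay sshd[815]: Failed password for invalid user admin from 198.51.100.23 port 51822 ssh2
Sep  4 14:00:06 relay sshd[811]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep  4 14:00:09 relay sshd[820]: Accepted publickey for operator from 192.0.2.10 port 60022 ssh2
Sep  4 14:00:11 relay sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Sep  4 14:20:30 relay sshd[903]: Failed password for root from 198.51.100.23 port 51901 ssh2
Sep  4 14:21:00 relay sshd[811]: Failed password for root from 203.0.113.7 port 40200 ssh2
"""

# The user field is \S+ so a user name containing spaces cannot spoof the "from" address.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def failures(log, year=2018):
    """Yield (timestamp, source_ip) for each failed password attempt."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps omit the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def bans(log, maxretry=3, findtime=600, bantime=43000):
    """Return [(ip, banned_at, banned_until)] using a sliding window per IP."""
    recent, until, out = defaultdict(deque), {}, []
    for ts, ip in failures(log):
        if ip in until and ts < until[ip]:
            continue  # a firewall ban would already have dropped this attempt
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            until[ip] = ts + timedelta(seconds=bantime)
            out.append((ip, ts, until[ip]))
            window.clear()
    return out

def attempts_per_ip(log):
    """Count failed attempts per source address."""
    return Counter(ip for _, ip in failures(log))
```

In the sample, the noisy address is banned after its third failure, while the address that tries once every twenty minutes never fills the window, which matches the "a few per IP address" traffic described above.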
Re: [tor-relays] SSH login attempts
On Tue, 4 Sep 2018 18:44:55 +0100 wrote:

> Waste of time move SSH port? My fail2ban has hardly anything to do since
> moving port some time back

Yes, it is. And you might as well remove fail2ban altogether if you simply have key-based auth and disable passwords.

--
With respect,
Roman
Re: [tor-relays] SSH login attempts
Waste of time move SSH port? My fail2ban has hardly anything to do since moving port some time back. Very rarely does it see any attempts on my new odd number SSH port, but on port 22 the attacks were continuous. I agree in terms of security for a determined hacker moving port does nothing.

Gerry

-Original Message-
From: tor-relays On Behalf Of Michael Brodhead
Sent: 04 September 2018 18:36
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH login attempts

FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.

Turn off password logins and take good care of your ssh keys. Moving sshd to a different port is a waste of time but harmless if you’re the only administrator.

—mkb

> On Sep 4, 2018, at 5:35 AM, Marcus Wahle wrote:
>
> Dear all,
>
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login
> attempts from different IPs.
> Is there anybody else affected?
>
> Best regards
> Marcus
Re: [tor-relays] SSH login attempts
FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.

Turn off password logins and take good care of your ssh keys. Moving sshd to a different port is a waste of time but harmless if you’re the only administrator.

—mkb

> On Sep 4, 2018, at 5:35 AM, Marcus Wahle wrote:
>
> Dear all,
>
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login
> attempts from different IPs.
> Is there anybody else affected?
>
> Best regards
> Marcus
Re: [tor-relays] SSH login attempts
> On Sep 4, 2018, at 9:06 AM, Ralph Seichter wrote:
>
> On 04.09.2018 14:44, Sean Brown wrote:
>
>> Using an obscure port only prevents attempts being logged, nothing
>> else.
>
> I cannot agree with that. What an sshd logs is not determined by the
> port number it is listening on, and the quantity of failed login
> attempts across my servers is measurably lower when using a non-standard
> port.
>

Ya, my mistake, I wasn’t clear. I don’t mean that sshd doesn’t log if it’s on a different port, I mean that only the worst bots won’t find it, cutting down on the amount of noise in the logs. If ssh is configured correctly (disable password, 2fa, keys etc.) password attempts are just noise.
Re: [tor-relays] SSH login attempts
On 04.09.2018 14:44, Sean Brown wrote:

> Using an obscure port only prevents attempts being logged, nothing
> else.

I cannot agree with that. What an sshd logs is not determined by the port number it is listening on, and the quantity of failed login attempts across my servers is measurably lower when using a non-standard port.

-Ralph
Re: [tor-relays] SSH login attempts
On 09/04/2018 03:41 PM, Marcus wrote:

> Thanks Paul,
> I use fail2ban, but this amount of failed logins is new to me.
> Marcus

The failed logins are business as usual. If the machine is on the net, then bots will find it no matter where it is or which port it listens on. But they usually move on after a while, too.

While running fail2ban/sshguard helps, and changing the port helps slightly, the biggest change you can make if you haven't done it already is to use key-based authentication and turn off password based authentication, at least for the outward facing address(es) on your box. It seems that many bots can tell when the SSH daemon will not respond to passwords and move on without trying to actually log in.

/Lars
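Added example (not part of the thread): a Python sketch that audits the global section of an `sshd_config` for the settings recommended in this discussion (password logins off, key-based logins on, X11 forwarding off, and a privileged port if the port is changed). It goes slightly beyond the thread by also checking keyboard-interactive authentication, which defaults to `yes` in OpenSSH and can still present password prompts through PAM; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sshd_config for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
# relay sshd_config (constructed)
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
# The next line is ignored by sshd: the first value for a keyword wins.
passwordauthentication yes
X11Forwarding yes
"""

# OpenSSH defaults for the keywords audited here.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "x11forwarding": "no"}
# Older releases use this name for the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config):
    """Return (settings, ports) for the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords ignore case
        if key == "match":
            break  # conditional blocks are out of scope for this sketch
        if key == "port":
            ports.append(int(parts[1]))  # Port may be given more than once
        else:
            settings.setdefault(key, parts[1])  # first value wins
    return {**DEFAULTS, **settings}, ports or [22]

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    s, ports = effective(config)
    findings = []
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if s[key] != "no":
            findings.append(f"{key} is '{s[key]}': password-style logins still possible")
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off: no key-based login")
    if s["x11forwarding"] != "no":
        findings.append("x11forwarding is enabled")
    # Privileged-port advice from the thread: below 1024 needs root to bind.
    findings += [f"port {p} is unprivileged (>= 1024)" for p in ports if p >= 1024]
    return findings
```

On a live host, `sshd -T` prints the effective configuration, including `Include` files that this sketch does not follow.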
Re: [tor-relays] SSH login attempts
On Sep 4, 2018, at 8:40 AM, Natus wrote:
>
>> Use some tool like fail2ban and/or ssh key authentication.
>
> Also change the default port of your ssh endpoint (eg: )
>
>

Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process.
Re: [tor-relays] SSH login attempts
Marcus Wahle:
> Since 14:00 my logs (middle node) are spammed with around 100 failed
> ssh login attempts from different IPs. Is there anybody else
> affected?

I'd say that is business as usual and not much to worry about if you use strong authentication

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
Re: [tor-relays] SSH login attempts
Thanks Paul,
I use fail2ban, but this amount of failed logins is new to me.
Marcus

--
You can find my public certificate at: https://web.tresorit.com/l#tDLNPX-QlTRTcpMEqRRSng

On 04.09.2018 at 14:38, Paul Templeton wrote:

>> Since 14:00 my logs (middle node) are spammed with around 100 failed
>> ssh login attempts from different IPs.
>> Is there anybody else affected?
> Yes - it's constant 3-5 attempts per second - that's normal.
> Use some tool like fail2ban and/or ssh key authentication.
>
> Paul
Re: [tor-relays] SSH login attempts
ssh key authentication. and an obscure port
Re: [tor-relays] SSH login attempts
> Use some tool like fail2ban and/or ssh key authentication.

Also change the default port of your ssh endpoint (eg: )

--
regards, natus
Re: [tor-relays] SSH login attempts
> Since 14:00 my logs (middle node) are spammed with around 100 failed
> ssh login attempts from different IPs.
> Is there anybody else affected?

Yes - it's constant 3-5 attempts per second - that's normal.
Use some tool like fail2ban and/or ssh key authentication.

Paul
[tor-relays] SSH login attempts
Dear all,

Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login attempts from different IPs.
Is there anybody else affected?

Best regards
Marcus