SSH brute force attack?
This topic has 10 replies, 8 voices, and was last updated Mar 10, 8:19 pm by techore.
March 9, 2023 at 2:33 pm #101565 (Member)
blur13
I noticed on my conky that there was slight disk/eth0 up down activity constantly. Checked htop and I saw that sshd: unknown [net] and sshd: [accepted] commands appearing around once per second and quickly disappearing. Googled this and did the following:
checked /var/log/auth.log
Mar 9 14:52:25 antix1 sshd[4624]: Invalid user debian from 146.56.144.31 port 33830
Mar 9 14:52:25 antix1 sshd[4624]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 14:52:25 antix1 sshd[4624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.56.144.31
Mar 9 14:52:27 antix1 sshd[4624]: Failed password for invalid user debian from 146.56.144.31 port 33830 ssh2
Mar 9 14:52:29 antix1 sshd[4624]: Connection closed by invalid user debian 146.56.144.31 port 33830 [preauth]
Mar 9 14:52:30 antix1 sshd[4626]: Invalid user debian from 146.56.144.31 port 34642
...
etc etc for about 2000 lines
Added sshd: 146.56.144.31 to /etc/hosts.deny
so now I’m getting the following in /var/log/auth.log
Mar 9 15:05:49 antix1 sshd[3632]: refused connect from 146.56.144.31 (146.56.144.31)
Mar 9 15:05:54 antix1 sshd[3641]: refused connect from 146.56.144.31 (146.56.144.31)
Mar 9 15:06:00 antix1 sshd[3719]: refused connect from 146.56.144.31 (146.56.144.31)
Mar 9 15:06:05 antix1 sshd[3728]: refused connect from 146.56.144.31 (146.56.144.31)
Mar 9 15:06:11 antix1 sshd[3738]: refused connect from 146.56.144.31 (146.56.144.31)
Mar 9 15:06:17 antix1 sshd[3744]: refused connect from 146.56.144.31 (146.56.144.31)
but it's still consuming around 1% of CPU and some disk/eth0 activity.
sudo update-rc.d ssh remove
restart computer
Problem solved.
I guess my question is, is there any reason to have SSH running on a personal desktop computer that I never access remotely? Is running SSH a security threat? Was this actually a brute force attack?
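As an added example (my code, not anything posted in the thread), here is a small Python script that does what blur13 did by hand above: it parses auth.log lines in the format shown, counts one failure per sshd connection rather than per line (each attempt spawns several lines sharing the same sshd[pid]), applies the fail2ban-style rule sybok describes later in the thread (ban after maxretry failures within findtime seconds, with an ignore list so localhost is never banned), and renders the result as hosts.deny entries. The sample log, the year, and the thresholds (fail2ban's defaults of 5 failures in 600 s, ban for 600 s) are my assumptions.

```python
"""Count SSH authentication failures per source and apply a fail2ban-style ban rule.

Added example, not code from the forum thread. Assumptions: syslog-style lines as
blur13 posted, the year 2023 for the timestamps, and fail2ban's default thresholds.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2023  # syslog lines carry no year; assumed from the thread's dates

# Constructed sample in the format blur13 posted (not a real capture).
SAMPLE_LOG = """\
Mar  9 14:52:25 antix1 sshd[4624]: Invalid user debian from 146.56.144.31 port 33830
Mar  9 14:52:25 antix1 sshd[4624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.56.144.31
Mar  9 14:52:27 antix1 sshd[4624]: Failed password for invalid user debian from 146.56.144.31 port 33830 ssh2
Mar  9 14:52:29 antix1 sshd[4624]: Connection closed by invalid user debian 146.56.144.31 port 33830 [preauth]
Mar  9 14:52:30 antix1 sshd[4626]: Invalid user debian from 146.56.144.31 port 34642
Mar  9 14:52:32 antix1 sshd[4626]: Failed password for invalid user debian from 146.56.144.31 port 34642 ssh2
Mar  9 14:52:35 antix1 sshd[4628]: Invalid user admin from 146.56.144.31 port 34650
Mar  9 14:52:37 antix1 sshd[4628]: Failed password for invalid user admin from 146.56.144.31 port 34650 ssh2
Mar  9 14:52:40 antix1 sshd[4630]: Failed password for root from 146.56.144.31 port 34660 ssh2
Mar  9 14:52:45 antix1 sshd[4632]: Failed password for root from 146.56.144.31 port 34670 ssh2
Mar  9 14:52:50 antix1 sshd[4650]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  9 14:53:00 antix1 sshd[4640]: Failed password for blur13 from 127.0.0.1 port 40000 ssh2
Mar  9 14:53:05 antix1 sshd[4641]: Failed password for blur13 from 127.0.0.1 port 40001 ssh2
Mar  9 14:53:10 antix1 sshd[4642]: Failed password for blur13 from 127.0.0.1 port 40002 ssh2
Mar  9 14:53:15 antix1 sshd[4643]: Failed password for blur13 from 127.0.0.1 port 40003 ssh2
Mar  9 14:53:20 antix1 sshd[4644]: Failed password for blur13 from 127.0.0.1 port 40004 ssh2
Mar  9 15:30:00 antix1 sshd[4660]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  9 15:40:00 antix1 sshd[4661]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
"""

# "Mar  9 14:52:25 host sshd[4624]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages that mean one authentication attempt was rejected; the pam_unix and
# "Connection closed" lines belong to the same attempt and are deliberately ignored.
FAIL_RE = re.compile(
    r"^(?:Invalid user \S* from|Failed (?:password|publickey|none) for (?:invalid user )?\S+ from) "
    r"(?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_ts(ts, year=YEAR):
    """Syslog timestamps have no year and pad the day with spaces; normalise both."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def collect_failures(log_text, year=YEAR):
    """Return {source ip: [time of each failed connection]}, one entry per sshd pid
    (PIDs do recycle over a long log, but not within a findtime-sized window)."""
    sessions = {}  # (ip, pid) -> earliest failure timestamp for that connection
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue
        ts = parse_ts(m["ts"], year)
        key = (f["ip"], m["pid"])
        if key not in sessions or ts < sessions[key]:
            sessions[key] = ts
    failures = defaultdict(list)
    for (ip, _pid), ts in sessions.items():
        failures[ip].append(ts)
    return {ip: sorted(times) for ip, times in failures.items()}


def decide_bans(failures, maxretry=5, findtime=600, bantime=600,
                ignore=("127.0.0.0/8", "::1/128")):
    """fail2ban-style rule: ban an address once maxretry failures fall inside any
    findtime-second window; addresses in the ignore list are never banned."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    bans = {}  # ip -> (banned at, ban expires)
    for ip, times in failures.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignore_nets):
            continue
        window = []
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > findtime:
                window.pop(0)
            if len(window) >= maxretry:
                bans[ip] = (t, t + timedelta(seconds=bantime))
                break
    return bans


def hosts_deny_lines(bans):
    """Render bans the way blur13 blocked the address by hand in /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(bans)]


if __name__ == "__main__":
    found = collect_failures(SAMPLE_LOG)
    for ip, times in found.items():
        print(f"{ip}: {len(times)} failed connection(s)")
    for line in hosts_deny_lines(decide_bans(found)):
        print(line)
```

Two caveats a practitioner would want. First, hosts.deny only does anything if sshd was built with TCP wrappers (libwrap); upstream OpenSSH dropped that support in 6.7, and the "refused connect from" lines in the post are the libwrap message, so the antiX build in question still has it. Second, fail2ban bans with a firewall rule rather than hosts.deny, so a banned client never reaches sshd at all, which is why it also stops the residual CPU and disk activity that blur13 saw after the hosts.deny entry.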
March 9, 2023 at 2:43 pm #101568 (Moderator)
Brian Masinick
If you never use a particular service I would at least disable it and possibly remove it altogether as long as it doesn't also remove components that you do use.
What you did is very reasonable and if it quiets down undesirable network activities then your change did the job for you.
--
Brian Masinick

March 9, 2023 at 4:02 pm #101573 (Member)
RJP
https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/
“Limit SSH User Logins
If you have a large number of user accounts on the systems, then it makes sense that we limit remote SSH access to those users who really need it. Open the /etc/ssh/sshd_config file.”

March 9, 2023 at 4:15 pm #101574 (Moderator)
caprea
Maybe I'm wrong, but it really sounds to me like these are login attempts via ssh and I would not feel relaxed with it. Presumably automated, and whole IP ranges are gone through. It's possible to make changes in the /etc/ssh/sshd_config to allow only certain users the login.
Edit: RJP already answered.
March 9, 2023 at 4:41 pm #101580 (Member)
techore
“I guess my question is, is there any reason to have SSH running on a personal desktop computer that I never access remotely? Is running SSH a security threat?”
I use ssh to manage and maintain desktop and laptop computers, however, if you don’t need it ‘sudo apt remove openssh-server’. Rule of thumb, if you don’t need a listener/service, uninstall or disable. If you do need it, secure it by disabling root login and use keys versus passwords. Securing SSH, correctly, isn’t difficult but it’s a longer discussion.
“Was this actually a brute force attack?”
Based on the log, it appears that you were directly connected to the internet or on a public network. If true, someone may have identified your OS via fingerprinting as being Debian and was attempting to use the Debian default account and password. Not cool.
March 9, 2023 at 5:52 pm #101589 (Member)
Robin
You can look up who it is:
https://whatismyipaddress.com/ip/146.56.144.31
It's a static IP from a datacenter. Strange enough. It's run by Oracle, so you can complain to them; they do have an abuse email address.
But if you have a dynamic IP yourself, it might easily be possible that the person simply wants to log in to the machine that was connected to that very IP before, not actually to your PC. Observe: Does it stop when you get a fresh dynamic IP? If not, you might have caught something.
And then, the most interesting question:
WHY is the ssh service running at all on your antiX?
By default it is deactivated.
To check on antiX 22 (sysvinit):
$ sudo service ssh status
sshd is not running ... failed!
To check on antiX 23 (runit):
$ sudo sv check ssh
fail: sshd: unable to change to service directory: file does not exist
Somebody must have activated this service on your PC for some reason.
Check with the two commands
sudo netstat -plant
lsof -i
whether there are some more unknown or unexpected connections.
“these are login attempts via ssh and I would not feel relaxed with it”
If directly connected to the internet instead of via an internet router, it is quite common to see login attempts from everywhere. (If your router provides log files, you will see them there also, constantly.) Only if you are behind a router should you never see such a thing on your PC.
So then you have to make your system bulletproof; run a network check (https://www.heise.de/security/dienste/Netzwerkcheck-2114.html). This check tests whether your system has any open doors. It has proven to be highly reliable for the last 20 years; it is provided by the Federal State Commissioner for Data Protection and Freedom of Information of Niedersachsen and the Heise publisher. Don't know whether there are similar services besides this one in other countries.
Windows is like a submarine. Open a window and serious problems will start.
March 9, 2023 at 6:12 pm #101592 (Member)
Xunzi_23
Hi all, Heise Network check is no longer available. I think GRC Shields Up is still working.
Will check and report.
Gibson Research Project is still online at https://www.grc.com/shieldsup
Checks and information provided on that site have been very useful over the years.
March 9, 2023 at 6:19 pm #101594 (Member)
blur13
Thanks everyone for your responses! Very insightful!
@Robin
For what it's worth, ssh is running on all my systems, antiX 19 and antiX 22 (well, not anymore). I don't recall actively selecting the service. Could it be another program that needs it? Maybe cloning with Git?
March 9, 2023 at 6:58 pm #101598 (Member)
Robin
“Heise Network check is no longer available”
Ouch! That's bad news. I had used it only last year, just as in all the years before. Wasn't aware they have closed it down since, sorry. Where has it gone all of a sudden? Yes, Gibson Research's ShieldsUP service is great too; you'll need to perform a full port check there, mostly the same as what the Heise check had provided.
“Could it be another program that needs it?”
Possibly, but you should have been informed about its activation, and know whether you have set it up or not. Git doesn't need it by default, as long as you haven't set it up this way.
Windows is like a submarine. Open a window and serious problems will start.
March 10, 2023 at 4:48 pm #101662 (Member)
sybok
Hi, my electricity and antiX-powered PC at work used to have a public IP (though it was generally discouraged) and I was strongly advised to
1) run the 'Fail2ban' service,
2) block SSH root login.
Fail2ban denies access to a remote user after a few failed login attempts for a defined period of time.
It was suggested I disable blocking access from localhost, i.e. not to block access to the PC in the office in case I lock the PC, forget about Caps Lock or the keyboard switch, and surpass the threshold of failed login attempts.
I inspected my log at the time and I found a large number of similar attempted connections.
IP’s, examined as @Robin suggested (though a different website was used for that purpose), were from various locations – France, China etc.
I wrote a script to “call” back with some funny user-names and passwords such as “YouNaugthyPerson” and “WhyWereYouLoggingToHackingMyPc?”.
Suggested reading:
https://en.wikipedia.org/wiki/Fail2ban
https://www.fail2ban.org/wiki/index.php/Main_Page

March 10, 2023 at 8:19 pm #101670 (Member)
techore
All good info.
I stated above to use keys, not passwords. Here is a reference on how to set up keys. Once you have a working key, disable *all* password logins.
https://wiki.archlinux.org/title/SSH_keys
This method can be used with a local stored key file or a hardware key like yubikey.
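As an added example (my code, not the thread's and not from any project), here is a Python audit of the sshd_config settings that RJP, caprea and techore point at across the thread: limiting logins to named users, refusing root, and turning off password logins once keys work. It runs over two constructed configurations: a permissive one of the kind a fresh Debian-family install ships (the keywords commented out, so sshd's built-in defaults apply) and the same file after the thread's advice. The defaults table reflects OpenSSH 7.0 and later; the parser mirrors sshd's rule that the first occurrence of a keyword wins, but it does not follow Include or Match, so treat it as a review aid and take the authoritative answer from `sshd -T`.

```python
"""Audit the settings sshd will actually use against the hardening the thread recommends.

Added example, not code from the forum thread. The two configurations are constructed.
"""
import re

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later); Debian's shipped
# file additionally sets UsePAM yes explicitly.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "maxauthtries": "6",
}

# Constructed: a Debian-style sshd_config with the defaults left commented out.
WEAK_CONFIG = """\
# This is the sshd server system-wide configuration file.
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
"""

# Constructed: the same file after applying the thread's advice (keys only, no root,
# an explicit user list, fewer guesses per connection).
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
UsePAM yes
AllowUsers blur13
MaxAuthTries 3
X11Forwarding no
"""

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def effective_settings(config_text):
    """Return the settings sshd would use: the first occurrence of a keyword wins and
    later repeats are ignored, as sshd reads the file. Parsing stops at the first
    Match block; Include is not followed (use `sshd -T` for the real answer)."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # pre-8.7 name for the same option
            key = "kbdinteractiveauthentication"
        if key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def audit_sshd_config(config_text):
    """Return (keyword, effective value, expected value, reason) for each deviation."""
    s = effective_settings(config_text)
    findings = []

    def expect(key, value, reason):
        if s.get(key, "").lower() != value:
            findings.append((key, s.get(key, "<unset>"), value, reason))

    expect("permitrootlogin", "no", "root must not log in over SSH at all")
    expect("pubkeyauthentication", "yes", "keys are the intended login method")
    expect("passwordauthentication", "no", "password guessing is what the log shows")
    # PasswordAuthentication no is not enough on its own: with UsePAM yes, sshd can still
    # take a password through the keyboard-interactive method unless that is off too.
    expect("kbdinteractiveauthentication", "no",
           "PAM would still accept a password via keyboard-interactive")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("allowusers", "<unset>", "<list of users>",
                         "every local account is a valid login target"))
    if int(s["maxauthtries"]) > 3:
        findings.append(("maxauthtries", s["maxauthtries"], "3",
                         "fewer guesses per connection"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for key, have, want, why in audit_sshd_config(cfg):
            print(f"  {key}: is {have!r}, want {want!r} ({why})")
```

Before restarting sshd with a hardened file, run `sshd -t` to check the syntax, keep your existing session open, and confirm a key-based login from a second terminal, because a typo in AllowUsers or a key that is not yet in authorized_keys locks you out of a remote box with no way back in.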