Koozali.org: home of the SME Server

Advice please ..

ADG

Advice please ..
« on: December 26, 2004, 11:39:48 AM »
Dec 26 09:57:44 <server> sshd[2381]: Illegal user test from 203.70.28.26
Dec 26 09:57:48 <server> sshd[2381]: reverse mapping checking getaddrinfo for h26-203-70-28.seed.net.tw failed - POSSIBLE BREAKIN ATTEMPT!
Dec 26 09:57:48 <server> sshd[2381]: Failed password for illegal user test from 203.70.28.26 port 34612 ssh2

What's an "illegal user test"?

and is there anything I should be doing to ensure these aren't successful?

pluggy

Advice please ..
« Reply #1 on: December 26, 2004, 05:34:38 PM »
Somebody has tried getting in using 'test' as a user.

Enable SSH for local networks only ?

cc_skavenger

Advice please ..
« Reply #2 on: December 26, 2004, 05:38:34 PM »
This is the server telling you that someone from IP 203.70.28.26 tried logging into your server using the username test but they didn't get in because they didn't have the right password.  

You can change the ssh port to something different.  You can make ssh only available to the lan and have to vpn into the server before you could ssh into it...

Just a few ideas.

HTH

ADG

Advice please ..
« Reply #3 on: December 26, 2004, 08:48:31 PM »
Thanks, there are many instances of this from numerous IP addresses, I have restricted ssh from the "local network" only, now I have to figure out how to make myself "local network" (as the server is elsewhere).

Appesteijn

Advice please ..
« Reply #4 on: December 26, 2004, 08:56:35 PM »
You could add your IP address to the local-network list in the server-manager. Just use 255.255.255.255 to make sure it accepts only 1 IP.

CharlieBrady

Re: Advice please ..
« Reply #5 on: December 27, 2004, 03:28:33 AM »
Quote from: "ADG"
Dec 26 09:57:44 <server> sshd[2381]: Illegal user test from 203.70.28.26
Dec 26 09:57:48 <server> sshd[2381]: reverse mapping checking getaddrinfo for h26-203-70-28.seed.net.tw failed - POSSIBLE BREAKIN ATTEMPT!
Dec 26 09:57:48 <server> sshd[2381]: Failed password for illegal user test from 203.70.28.26 port 34612 ssh2

What's an "illegal user test"?


It's a user which doesn't exist on the system. Most likely a script kiddie found the ssh port open and tried to log in as test. Everybody has those (I also have attempts to log in as george, john, backup, account, etc).

Quote


and is there anything I should be doing to ensure these aren't successful?


Make sure that all your users have good strong passwords. The system already makes sure that all users must have a password set.

If you don't use ssh, disable it.
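
Added example (not part of the original thread or of SME Server): a Python script that tallies the sshd messages discussed above per source address, separating non-existent ("illegal user") names from existing accounts and listing addresses that had both failed and accepted logins. The last three sample lines, the function names and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines are the ones quoted in the thread,
# the last three are made up (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Dec 26 09:57:44 <server> sshd[2381]: Illegal user test from 203.70.28.26
Dec 26 09:57:48 <server> sshd[2381]: reverse mapping checking getaddrinfo for h26-203-70-28.seed.net.tw failed - POSSIBLE BREAKIN ATTEMPT!
Dec 26 09:57:48 <server> sshd[2381]: Failed password for illegal user test from 203.70.28.26 port 34612 ssh2
Dec 26 09:57:52 <server> sshd[2383]: Failed password for illegal user george from 203.70.28.26 port 34630 ssh2
Dec 26 10:02:10 <server> sshd[2390]: Failed password for admin from 192.0.2.10 port 40022 ssh2
Dec 26 10:05:31 <server> sshd[2395]: Accepted password for admin from 192.0.2.10 port 40031 ssh2
"""

# The requested user name is chosen by the remote side and may contain spaces,
# so the pattern is anchored on the fixed tail of the line and the name group is
# greedy. Newer OpenSSH releases write "invalid user" instead of "illegal user".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for ((?:illegal|invalid) user )?"
                    r"(.*) from (\S+) port \d+ ssh2\s*$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Per source IP: failure count, non-existent names tried, existing accounts
    that had a failed password, and accounts that logged in successfully."""
    stats = defaultdict(lambda: {"failures": 0, "unknown": set(),
                                 "real": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            unknown, user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["unknown" if unknown else "real"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["accepted"].add(user)
    return dict(stats)

def needs_review(stats):
    """Source IPs that had failed passwords and also a successful login."""
    return sorted(ip for ip, s in stats.items() if s["failures"] and s["accepted"])

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s["failures"], sorted(s["unknown"]), sorted(s["real"]), sorted(s["accepted"]))
    print("review:", needs_review(result))
```

An address that only ever tries non-existent names is background noise; a failed password against an existing account followed by an accepted login from the same address is the case to look at by hand.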

ADG

Advice please ..
« Reply #6 on: December 27, 2004, 07:32:57 AM »
Appesteijn ...

I tried that but for some reason it didn't work ... will keep working on it though ....

CharlieBrady

Advice please ..
« Reply #7 on: December 27, 2004, 04:11:33 PM »
Quote from: "cc_skavenger"
You can make ssh only available to the lan and have to vpn into the server before you could ssh into it...


Which would only mean that they could try to guess passwords for pptp, rather than try to guess passwords for ssh. No real increase in security.

Better to disable password access for ssh, and use RSA/DSA keys for any ssh login. Crackers can then try to guess ssh usernames and passwords until the cows come home.
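
Added example (not part of the original thread): once password access is switched off as suggested in the reply above, this Python check reads the text of an sshd_config and reports whether password guessing is still possible. It assumes stock OpenSSH keyword names and defaults, does not evaluate Match blocks, and uses constructed sample files and hypothetical function names.

```python
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes"}
# Treated as one setting here; they are aliases in current OpenSSH releases.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed samples: in APPENDED a "no" was added below an existing "yes";
# HARDENED allows key login only.
APPENDED = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

def effective(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive and
    the first value found for a keyword wins. Match blocks are not evaluated."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def findings(config_text):
    """Reasons why password guessing is still possible or key login is not."""
    eff, out = effective(config_text), []
    if eff["passwordauthentication"] != "no":
        out.append("PasswordAuthentication is on: passwords can still be guessed")
    if eff["challengeresponseauthentication"] != "no":
        out.append("keyboard-interactive is on: PAM may still prompt for a password")
    if eff["pubkeyauthentication"] != "yes":
        out.append("PubkeyAuthentication is off: key login will not work")
    return out

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("hardened", HARDENED)):
        print(name, effective(text), findings(text))
```

The APPENDED sample still reports password login as enabled, because the earlier "yes" is the value sshd uses.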

ADG

Advice please ..
« Reply #8 on: December 28, 2004, 12:15:16 AM »
Do you have a link to more information on that?


Bron

smeghead

Advice please ..
« Reply #9 on: December 28, 2004, 12:17:57 PM »
.. my preference is to use an ADSL router in front of an SME box (NAT firewall on both!) and use the router port-forwarding rules to lock down SSH to only those IPs I want to have access - SME box is set for public SSH access.

Of course you have updated your ssh & ssl with the latest security patches?!

ldkeen

Re: Advice please ..
« Reply #10 on: January 03, 2005, 10:26:05 AM »
What do you guys think about running ssh on a non-standard port, i.e. 222? I'm just getting sick and tired of these ssh login attempts. I've also dropped the LoginGraceTime down to 30 secs from the default 10 mins, but I also think it would stop a lot of these attempts if the server wasn't listening on the standard port. I'm going to try it for a day and see if it cuts the traffic down a bit. Any opinions??

tiwang

Advice please ..
« Reply #11 on: January 03, 2005, 10:40:48 AM »
You don't get any benefits by moving the port to another number - it is still open - lock it down with an ip-filter instead. If you are using a VPN connection lock this down also - generally lock it with ip-filters if you don't have a firewall/NAT router in front of it.
/regards tiwang

ldkeen

Advice please ..
« Reply #12 on: January 03, 2005, 10:53:46 AM »
Hi Tiwang,
thanks for the reply

Quote from: "tiwang"
You don't get any benefits by moving the port to another number - it is still open

I was under the impression that most of these ssh login attempts are automated and that they mostly try the default port of 22. If the server was listening on a different port surely it would dramatically cut down these login attempts. You are probably right about ip-filters but this can be very complex and I was after a simple fix to cut down the majority of attempts. Thanks again
Lloyd

Garfield

Advice please ..
« Reply #13 on: January 03, 2005, 03:06:39 PM »
Quote from: "ldkeen"
I was under the impression that most of these ssh login attempts are automated and that they mostly try the default port of 22. If the server was listening on a different port surely it would dramatically cut down these login attempts.

Maybe, but a lot of people are simply using a port scanner to scan which ports are open and then try to login / see what is running behind those ports. So simply moving the (any) service to another port alone is not good enough.

raem

Advice please ..
« Reply #14 on: January 08, 2005, 11:14:44 AM »
ADG
re ssh private & public keys

> do you have a link to more information on that?

This very good HOWTO has all the answers you need
http://www.wellsi.com/sme/ssh/ssh.html