Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: smeerbartje on October 22, 2008, 10:38:57 AM

Title: Two concurrent SSH connections
Post by: smeerbartje on October 22, 2008, 10:38:57 AM

Hi,

I have a SME server 7.3 installed with remote access allowed from the internet. I also have installed the contrib SME7ADMIN, which is great! However yesterday I received an "alert" which told me that two concurrent SSH connections were opened. Also have a look at the following screenshot. Now my question is: how can I see in the logfiles (which file??) what IP address did connect to the server via SSH?

(http://nijmegen.lommers.org/openVPN.jpg)

Title: Re: Two concurrent SSH connections
Post by: e[nt]e on October 22, 2008, 11:17:48 AM

In the server-manager "View log files" then choose sshd with the appropriate date or shhd/current if it was just yesterday. Then click the "Next" Button in the lower right corner.

JFYI: You will be shown the log files in /var/log/sshd/

Title: Re: Two concurrent SSH connections
Post by: Stefano on October 22, 2008, 11:50:24 AM

just remember that if a user opens 2 instances of a ssh client (for example putty), you've got 2 active connections..

Ciao
Stefano

Title: Re: Two concurrent SSH connections
Post by: smeerbartje on October 22, 2008, 11:55:58 AM

Quote from: nenonano on October 22, 2008, 11:50:24 AM

just remember that if a user opens 2 instances of a ssh client (for example putty), you've got 2 active connections..

Ciao
Stefano

Indeed, thanks for the replies. I found out it was myself :)

But a lot of people try to connect to my SSH deamon, just by entering random passwords. Is it possible to install a contrib or whatsoever to black a certain IP address for alll incoming traffic? I already found this page (http://wiki.contribs.org/Firewall#Block_incoming_IP_address), but I would appreciate a new tab in the server manager which enables me to manage blocked IP addresses.

Title: Re: Two concurrent SSH connections
Post by: Jáder on October 22, 2008, 12:30:49 PM

Hi
That should be another thread (or a search-before-thread)... anyways:
You could switch to key authentication to do login... do not use keys... so if root (and any other account) isn´t allowed to login using passwords, all those random passwords attacks will die at front door.

Search here and howto about how to change to key authentication on ssh.

Title: Re: Two concurrent SSH connections
Post by: Daniel B. on October 22, 2008, 12:49:59 PM

denyhosts is what you're looking for

Code: [Select]

yum --enablerepo=smecontribs install smeserver-denyhostsIt will block hosts which fails too many authentications on your ssh server.

Title: Re: Two concurrent SSH connections
Post by: Stefano on October 22, 2008, 12:56:40 PM

Hi..

if you wish to continue to use password for ssh auth, you could simply change ssh port

ciao
Stefano

P.S. this is not a security improvement, it simply reduce bots' attacks

Title: Re: Two concurrent SSH connections
Post by: smeerbartje on October 23, 2008, 01:51:17 PM

I just installed SSH Denyhosts and it's working great! Exactly what I want. I still have one question thouh. Is it possible to remove an ip-address from the blocked list?