Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: calisun on July 31, 2018, 08:30:08 PM
-
I have received an email from sme9admin that I have excessive SSH connections.
The email shows (attached) that the connections were Established.
My question is, how were they able to Establish a connection since I have Clear Passwords disabled?
Is there something else I need to do (besides disabling clear passwords) to prevent unauthorized SSH connections?
-
SSH Public-Private Keys
https://wiki.contribs.org/SSH_Public-Private_Keys
But you've got bigger problems if they have established a connection. I would immediately change all passwords and start checking all logs for signs of compromise.
-
Please paste:
config show sshd
Definitely sure you only use ssh keys and not passwords? Could the keys have been compromised at all?
Take a look at:
/var/log/secure
/var/log/sshd/current
What can you see in there?
It may be that they establish a connection that then fails (I think that is what happens), but the logs will tell you.
-
I have received an email from sme9admin that I have excessive SSH connections.
The email shows (attached) that the connections were Established.
sme9admin counts connections at the TCP level. When someone tries to auth against your SSH service, even if the auth failed, the TCP connection itself is established, and accounted by sme9admin. You shouldn't worry too much about that. Check in /var/log/sshd/current that no connections were successful and be done with it :-)
-
... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D
-
... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D
Que?
Go on then... if it is relevant here.
If it is an issue then raise a bug?
-
sme9admin counts connections at the TCP level...
And if it does that, it is just wasting your time.
If you don't want ssh TCP connections, don't enable it, or keep it private.
If you have ssh enabled, care about authentication failures, not about TCP connections. But the real threat is authentication successes, not failures ....
-
Any chance those connections are from legit processes (like affa) that use ssh pub/priv keys?
-
Thank you all for a quick response
.... Check in /var/log/sshd/current that no connections were successful and be done with it :-)
You are correct, no connections were successful.
Quote from: Daniel B. on Yesterday at 03:13:47 AM
sme9admin counts connections at the TCP level...
And if it does that, it is just wasting your time.
Agreed, if no connections were actually completed, that notice is just wasting our time.
-
Charlie and Daniel are right, this process checks for TCP state, not an actual successful connection to the service.
Some bots could establish the connection and keep it for minutes without even trying to login. Hence these are false positives.
The contrib needs some refresh...
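To act on the advice in this thread (look in the sshd log for successful logins instead of trusting a TCP connection count), here is an added example that is not from the thread, from sme9admin or from any contrib: a small Python script that tallies, per source IP, accepted logins, failed authentications and connections that were closed before any authentication happened. The sample lines are constructed in OpenSSH's syslog format; reading /var/log/secure as the input is an assumption about your setup.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in OpenSSH syslog style (not real log data). Note that the
# first two hosts opened TCP connections but never logged in; only the third did.
SAMPLE_LOG = """\
Jul 31 20:01:03 sme sshd[2101]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jul 31 20:01:05 sme sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Jul 31 20:01:06 sme sshd[2101]: Connection closed by 203.0.113.9 port 51000 [preauth]
Jul 31 20:05:10 sme sshd[2150]: Did not receive identification string from 198.51.100.7
Jul 31 20:06:01 sme sshd[2201]: Accepted publickey for backup from 192.0.2.44 port 60010 ssh2
"""

IP_RE = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    # The only event that means an attacker (or a legit process) got in.
    "accepted": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from " + IP_RE),
    # Authentication was attempted and rejected.
    "failed": re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from " + IP_RE),
    # TCP connection existed but the client went away before authenticating:
    # these are the "established" connections sme9admin counts.
    "closed_preauth": re.compile(r"Did not receive identification string from " + IP_RE),
    "closed_preauth2": re.compile(r"Connection closed by " + IP_RE + r".*\[preauth\]"),
}

def summarize_sshd(lines):
    """Return {ip: {"accepted": n, "failed": n, "closed_preauth": n, "users": set()}}."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "closed_preauth": 0, "users": set()})
    for line in lines:
        if "sshd[" not in line:
            continue  # skip lines from other daemons sharing the log
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                entry = stats[m.group("ip")]
                key = "closed_preauth" if kind.startswith("closed_preauth") else kind
                entry[key] += 1
                if kind == "accepted":
                    entry["users"].add(m.group("user"))
                break
    return dict(stats)

def successful_logins(lines):
    """(ip, user, method) for every accepted authentication; this list should be empty
    or contain only hosts and accounts you recognise (e.g. a backup job using keys)."""
    return [(m.group("ip"), m.group("user"), m.group("method"))
            for line in lines if (m := PATTERNS["accepted"].search(line))]

if __name__ == "__main__":
    # Assumed path; pass a file name to read a real log instead of the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, s in summarize_sshd(lines).items():
        print(f"{ip:15} accepted={s['accepted']} failed={s['failed']} closed_preauth={s['closed_preauth']}")
    print("successful logins:", successful_logins(lines))
```

On the sample, the two noisy hosts show only failures and pre-auth closes, while 192.0.2.44 is the single real login, the kind of entry worth checking against known jobs such as affa.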