Monthly Archives: January 2015

SSH may be installed on Ubuntu via the command line
sudo apt-get install openssh-server

The file /var/log/auth.log records sshd's authentication events. Soon after installing the server you will see runs of lines like the ones below, showing that hosts on the Internet are already probing it with guessed usernames. Each run is one connection handled by one sshd child process (the number in square brackets), and every one ends in [preauth], that is, before authentication succeeded. The "reverse mapping checking ... failed - POSSIBLE BREAK-IN ATTEMPT!" line only means that the client's reverse DNS name does not resolve back to its address; on its own it is not evidence of an attack. The "Invalid user" lines are the real signal: the attacker is guessing account names that do not exist on the machine.

Dec 29 13:44:14 xxx sshd[4075]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:14 xxx sshd[4075]: Invalid user admin from 67.208.39.157
Dec 29 13:44:14 xxx sshd[4075]: input_userauth_request: invalid user admin [preauth]
Dec 29 13:44:14 xxx sshd[4075]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:17 xxx sshd[4079]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:17 xxx sshd[4079]: Invalid user admin from 67.208.39.157
Dec 29 13:44:17 xxx sshd[4079]: input_userauth_request: invalid user admin [preauth]
Dec 29 13:44:17 xxx sshd[4079]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:20 xxx sshd[4081]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:20 xxx sshd[4081]: Invalid user admin from 67.208.39.157
Dec 29 13:44:20 xxx sshd[4081]: input_userauth_request: invalid user admin [preauth]
Dec 29 13:44:20 xxx sshd[4081]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:23 xxx sshd[4083]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:23 xxx sshd[4083]: Invalid user agata from 67.208.39.157
Dec 29 13:44:23 xxx sshd[4083]: input_userauth_request: invalid user agata [preauth]
Dec 29 13:44:23 xxx sshd[4083]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:30 xxx sshd[4085]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:30 xxx sshd[4085]: Invalid user arbab from 67.208.39.157
Dec 29 13:44:30 xxx sshd[4085]: input_userauth_request: invalid user arbab [preauth]
Dec 29 13:44:31 xxx sshd[4085]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:33 xxx sshd[4087]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!

or these, where every attempt is against the root account:

Dec 29 13:48:00 xxx sshd[4180]: Connection closed by 103.41.124.58 [preauth]
Dec 29 13:48:12 xxx sshd[4182]: User root not allowed because account is locked
Dec 29 13:48:12 xxx sshd[4182]: input_userauth_request: invalid user root [preauth]
Dec 29 13:48:13 xxx sshd[4182]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:15 xxx sshd[4184]: User root not allowed because account is locked
Dec 29 13:48:15 xxx sshd[4184]: input_userauth_request: invalid user root [preauth]
Dec 29 13:48:17 xxx sshd[4184]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:19 xxx sshd[4186]: User root not allowed because account is locked
Dec 29 13:48:19 xxx sshd[4186]: input_userauth_request: invalid user root [preauth]
Dec 29 13:48:20 xxx sshd[4186]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:22 xxx sshd[4188]: User root not allowed because account is locked
Dec 29 13:48:22 xxx sshd[4188]: input_userauth_request: invalid user root [preauth]
Dec 29 13:48:23 xxx sshd[4188]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:44 xxx sshd[4190]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:49:05 xxx sshd[4192]: User root not allowed because account is locked
Dec 29 13:49:05 xxx sshd[4192]: input_userauth_request: invalid user root [preauth]
Dec 29 13:49:10 xxx sshd[4192]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:49:14 xxx sshd[4194]: User root not allowed because account is locked
Dec 29 13:49:14 xxx sshd[4194]: input_userauth_request: invalid user root [preauth]
Dec 29 13:49:16 xxx sshd[4194]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:49:23 xxx sshd[4196]: User root not allowed because account is locked
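Detection logic for excerpts like the ones above, written here as an added example and not code from the original post. It attributes every failed pre-authentication attempt to a source address, including the "account is locked" lines, which carry no address, by correlating on the sshd child PID, and then applies the same maxretry/findtime rule that fail2ban (mentioned further down) uses to decide on a ban. The sample log is a constructed subset of the lines above plus one "Failed password" line for a documentation-range address; the year, which syslog timestamps omit, is assumed to be 2014.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the auth.log excerpt above (hostname "xxx"
# as in the post) plus one made-up "Failed password" line from 198.51.100.7.
SAMPLE_LOG = """\
Dec 29 13:44:14 xxx sshd[4075]: reverse mapping checking getaddrinfo for 67-208-39-157.neospire.net [67.208.39.157] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 13:44:14 xxx sshd[4075]: Invalid user admin from 67.208.39.157
Dec 29 13:44:14 xxx sshd[4075]: input_userauth_request: invalid user admin [preauth]
Dec 29 13:44:14 xxx sshd[4075]: Received disconnect from 67.208.39.157: 11: Bye Bye [preauth]
Dec 29 13:44:17 xxx sshd[4079]: Invalid user admin from 67.208.39.157
Dec 29 13:44:20 xxx sshd[4081]: Invalid user admin from 67.208.39.157
Dec 29 13:44:23 xxx sshd[4083]: Invalid user agata from 67.208.39.157
Dec 29 13:44:30 xxx sshd[4085]: Invalid user arbab from 67.208.39.157
Dec 29 13:48:00 xxx sshd[4180]: Connection closed by 103.41.124.58 [preauth]
Dec 29 13:48:12 xxx sshd[4182]: User root not allowed because account is locked
Dec 29 13:48:12 xxx sshd[4182]: input_userauth_request: invalid user root [preauth]
Dec 29 13:48:13 xxx sshd[4182]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:15 xxx sshd[4184]: User root not allowed because account is locked
Dec 29 13:48:17 xxx sshd[4184]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:48:19 xxx sshd[4186]: User root not allowed because account is locked
Dec 29 13:48:20 xxx sshd[4186]: Received disconnect from 103.41.124.58: 11: [preauth]
Dec 29 13:50:01 xxx sshd[4200]: Failed password for invalid user test from 198.51.100.7 port 51022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Any message that names the peer address ("... from 1.2.3.4", "closed by 1.2.3.4").
IP_RE = re.compile(r"\b(?:from|by) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
# Messages that each represent one failed authentication attempt.
FAILURES = [
    re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"^User (?P<user>\S+) not allowed because account is locked$"),
]


def parse(log, year=2014):
    """Yield (timestamp, pid, message) for each sshd line; other lines are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["pid"], m["msg"]


def failed_attempts(log, year=2014):
    """Map source IP -> [(timestamp, username), ...] for every failed attempt.

    'User root not allowed because account is locked' carries no address, so a
    first pass records which address each sshd child PID talked to and the
    second pass falls back to that mapping.  PIDs are recycled on a long-running
    host, so a production tool would also bound this mapping in time.
    """
    events = list(parse(log, year))
    pid_ip = {}
    for _, pid, msg in events:
        m = IP_RE.search(msg)
        if m:
            pid_ip.setdefault(pid, m["ip"])  # first address seen for this PID
    attempts = defaultdict(list)
    for ts, pid, msg in events:
        for pat in FAILURES:
            m = pat.match(msg)
            if not m:
                continue
            ip = m.groupdict().get("ip") or pid_ip.get(pid)
            if ip:
                attempts[ip].append((ts, m["user"]))
            break
    return dict(attempts)


def offenders(attempts, maxretry=5, findtime=600):
    """Return {ip: sorted usernames tried} for addresses with at least `maxretry`
    failures inside some `findtime`-second window (fail2ban's maxretry/findtime)."""
    banned = {}
    for ip, evs in attempts.items():
        times = sorted(ts for ts, _ in evs)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned[ip] = sorted({u for _, u in evs})
                break
    return banned


if __name__ == "__main__":
    attempts = failed_attempts(SAMPLE_LOG)
    for ip, evs in attempts.items():
        print(f"{ip}: {len(evs)} failed attempts, users tried: {sorted({u for _, u in evs})}")
    print("would ban:", offenders(attempts))
```

With the defaults (5 failures in 10 minutes) only 67.208.39.157 is banned; 103.41.124.58 shows three root attempts in the sample and is caught once maxretry drops to 3, which is what tuning fail2ban's maxretry down does in practice.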

It is therefore very important to secure SSH by following the instructions at
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

I have listed the most common ways of improving security below. You implement them by editing the server configuration file /etc/ssh/sshd_config. Two things to know about that file: sshd uses the first value it reads for each keyword and ignores later repeats, and Ubuntu's packaged file already contains uncommented lines for some keywords (Port, PermitRootLogin), so change the existing line rather than appending a new one at the bottom. Lines beginning with # are comments and have no effect.

1. Disable password authentication. Online attackers guess passwords, as the log above shows; they cannot guess a private key. Before changing anything, copy your public key to the server (ssh-copy-id some_user@some_machine does this) and confirm from a second terminal that you can log in without being asked for a password, otherwise this step locks you out. Then set in sshd_config
PasswordAuthentication no
and check that the file also contains ChallengeResponseAuthentication no (the Ubuntu default; see item 4), since with that keyword set to yes sshd can still accept a password through PAM.

2. Disable root login. If an attacker does break in, the damage is limited if the account obtained is not root, and root is the one username every attacker tries, as the second log excerpt shows. On Ubuntu the root account is locked by default, which is why those attempts were refused, but make it explicit anyway. Ubuntu's sshd_config already has a PermitRootLogin line; change it to
PermitRootLogin no

3. Change the port on which sshd listens. The default is 22, and the mass scanners responsible for log entries like those above usually try only that port. Ubuntu's sshd_config already contains the line Port 22; change it to
Port xxxxx
where xxxxx is the chosen port number. This cuts the noise but is not protection in itself: a targeted attacker finds the new port with a port scan in seconds, so it only complements items 1 and 2. If you do change the port, clients must ask for it explicitly. E.g. if 22222 is the chosen port then the connection is made by
ssh -p 22222 some_user@some_machine
If a host firewall such as ufw is enabled, allow the new port there as well, and to reach your home network from outside you will need to forward the new port on your modem or router.

Note: changing the SSH port on OS X is less straightforward, because there sshd is started on demand by launchd, which owns the listening socket, so the Port keyword in sshd_config has no effect. Instructions for changing the SSH port on OS X are given at
http://serverfault.com/questions/18761/how-to-change-sshd-port-on-mac-os-x/67616#67616
In summary, edit the file
/System/Library/LaunchDaemons/ssh.plist
so that its Sockets entry reads as follows, for port 22222 say,

<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>22222</string>
        <key>SockFamily</key>
        <string>IPv4</string>
        <key>Bonjour</key>
        <array>
            <string>22222</string>
            <string>sftp-ssh</string>
        </array>
    </dict>
</dict>

Then reload the file so that the new setting takes effect:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

4. Be careful with PAM. Ubuntu's sshd_config has UsePAM yes, and with PAM enabled sshd can still take a password through the keyboard-interactive method even when PasswordAuthentication is no, unless ChallengeResponseAuthentication is also no. Do not simply switch UsePAM off on Ubuntu, since the packaged configuration relies on PAM for account and session handling; keep UsePAM yes and make sure the file says ChallengeResponseAuthentication no.

5. Use fail2ban or a similar tool so that an attacker cannot make unlimited attempts. fail2ban watches auth.log for repeated failures like those above and, once an address exceeds the allowed number of retries within its time window, inserts a firewall rule that blocks it for a while. Install it from the terminal with
sudo apt-get install fail2ban
The Ubuntu package enables an SSH jail out of the box; put local changes in /etc/fail2ban/jail.local rather than editing jail.conf, which may be replaced on upgrade. If you changed the SSH port in item 3, set the jail's port to the new number, otherwise the ban rule only covers port 22.

After saving your changes to sshd_config, check the file for mistakes with
sudo sshd -t
(it prints nothing if the file is valid) and then restart the server with
sudo service ssh restart
(on Ubuntu releases that use Upstart, sudo restart ssh does the same). Keep your current SSH session open while you do this and confirm that a fresh login works before closing it: existing sessions survive the restart, and that open session is your way back in if a setting has locked you out.
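A check for the settings covered in items 1 to 4, added here as an example and not part of the original post or of OpenSSH. It reads an sshd_config the way sshd does, keeping the first value of each keyword and stopping at the first Match block, then reports each keyword that is not in its hardened state and, separately, any later duplicate line that sshd silently ignores. The two configuration texts are constructed for the example; WEAK_CONFIG imitates a stock Ubuntu file with a hardening line appended at the bottom, which is exactly the mistake the first-match rule turns into a false sense of security. The compiled-in defaults listed are those of the OpenSSH 6.x releases Ubuntu shipped at the time (OpenSSH 7.0 and later default PermitRootLogin to prohibit-password).

```python
import re

# sshd's built-in defaults for the keywords checked here (OpenSSH 6.x era;
# 7.0+ changed the PermitRootLogin default to prohibit-password).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed example files, not the author's.  WEAK_CONFIG appends
# "PermitRootLogin no" below the packaged "PermitRootLogin without-password",
# so sshd keeps the first line and the appended one never takes effect.
WEAK_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin without-password
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# added later, below the original line, so it never takes effect:
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# "Keyword value" and "Keyword=value" are both accepted by sshd.
KEYWORD_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.+?)\s*$")


def parse_config(text):
    """Apply sshd_config's first-match rule to the text of a config file.

    Returns (settings, shadowed, match_seen): settings maps each lowercased
    keyword to its effective value; shadowed lists (keyword, ignored value,
    effective value) for later lines sshd discards; match_seen is True when a
    Match block exists, since everything below it is conditional and must be
    reviewed separately.
    """
    settings, shadowed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2)
        key = keyword.lower()
        if key == "match":
            return settings, shadowed, True
        if key in settings:
            if settings[key] != value:
                shadowed.append((keyword, value, settings[key]))
        else:
            settings[key] = value
    return settings, shadowed, False


def audit(text):
    """Return (keyword, effective value, advice) for every setting that is not
    in the hardened state described in items 1 to 4, plus shadowed duplicates."""
    settings, shadowed, match_seen = parse_config(text)
    effective = lambda k: settings.get(k, DEFAULTS[k])
    findings = []
    for keyword in ("PasswordAuthentication", "ChallengeResponseAuthentication", "PermitRootLogin"):
        value = effective(keyword.lower())
        if value.lower() != "no":
            findings.append((keyword, value, "no"))
    if effective("port") == "22":
        findings.append(("Port", "22", "a non-default port"))
    for keyword, ignored, kept in shadowed:
        findings.append((keyword, kept,
                         f"'{keyword} {ignored}' is ignored: edit the first {keyword} line instead"))
    if match_seen:
        findings.append(("Match", "present", "review settings inside Match blocks by hand"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run against a real file with audit(open("/etc/ssh/sshd_config").read()); the shadowed-line report is the one to look at first when a setting you are sure you added appears not to work.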
