Author Topic: Still Get SSH Login Attempts with PW Auth Disabled  (Read 2271 times)

Still Get SSH Login Attempts with PW Auth Disabled
« on: March 09, 2024, 01:30:06 AM »
Greetings,

I have PasswordAuthentication disabled and PubkeyAuthentication enabled in my sshd_config file.  As expected, I can log in with a key file, but not with a password.

However, I continue to receive LFD alert emails of attempted password logins.  Fortunately, I have the number of attempts before blocking the IP set to 1:

"Mar  8 11:45:52 server sshd[21937]: Invalid user ubuntu from 113.194.225.168 port 35078"

When I attempt to log in with a password externally to my public IP, it fails as expected:
"No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)"

How are some hackers still able to reach the login prompt?

Thank you,

Michael

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #1 on: March 09, 2024, 03:05:03 AM »
Change SSH to an alternate port and live in peace (I don't recommend 2222 as FritzFrog scans for that.)
https://docs.rackspace.com/docs/change-the-ssh-port-in-centos-and-redhat
(Don't forget to update your csf.conf to account for the alternate SSH port.)

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #2 on: March 09, 2024, 03:58:15 PM »
I changed the port number for SSH long ago, and only recently disabled password authentication.  But, even with the port number changed, I don't see how they are reaching a login prompt if they find it.

Thank you,

Michael


Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #3 on: March 09, 2024, 09:28:25 PM »
You can also turn off LFD notifications for SSH attempts. Have you tuned your sshd_config to secure it (disable root login, reduce login grace time, reduce login attempts, etc.)?

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #4 on: March 10, 2024, 03:13:03 AM »
I prefer to receive LFD notifications, to know what's going on.  I have "PermitRootLogin" set to "no", and the number of attempts set to "1" before blocking the IP.

However, I would like to know how hackers are still able to attempt a login at all, if I have PasswordAuthentication set to "no" and PubkeyAuthentication set to "yes".

Thank you,

Michael

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #5 on: March 11, 2024, 03:56:24 PM »
They are hitting your SSH port; just block that port in CSF.

Any whitelisted IPs will still be able to log in.

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #6 on: March 11, 2024, 06:14:13 PM »
I removed the SSH port number from the TCP_IN and TCP_OUT ports list in csf.conf, and confirmed I can still connect.  Hopefully, that will stop them.

Thank you,

Michael

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #7 on: March 11, 2024, 11:49:24 PM »
TCP_OUT doesn't matter.

Don't forget about UDP_IN; sometimes that will list port 22.

And TCP6_IN, if the server has IPv6 enabled.

Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #8 on: March 13, 2024, 02:21:46 AM »
Thank you.  I found a few other references.  So far, I haven't received any other alerts.
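
A check for the advice in Replies #5 to #7, as an added example that is not part of the original thread: it reports which of the inbound csf.conf settings named there (TCP_IN, TCP6_IN, UDP_IN) still include a given port, whether as a single entry or inside a `low:high` range. The `open_lists` function name, the sample config and port 2201 are constructed for illustration.

```shell
#!/bin/sh
# open_lists <csf.conf path> <port>
# Prints, one per line, each inbound setting whose value still opens <port>.
# TCP_OUT is deliberately not checked: it does not affect inbound connections.
open_lists() {
    conf=$1 port=$2
    for key in TCP_IN TCP6_IN UDP_IN; do
        # Extract the quoted value of a line such as:  TCP_IN = "22,80,443"
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" \
              | tail -n 1 | tr -d '[:space:]')
        old_ifs=$IFS; IFS=,
        for entry in $val; do
            case $entry in
                *:*)  # port range written as low:high
                    lo=${entry%%:*}; hi=${entry##*:}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        echo "$key"; break
                    fi ;;
                "$port")
                    echo "$key"; break ;;
            esac
        done
        IFS=$old_ifs
    done
}

# Constructed sample config (not taken from a real server).
# 2201 stands in for a non-default SSH port.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
TCP_IN = "80,443,2201"
TCP_OUT = "80,443,2201"
UDP_IN = "53,2000:2300"
TCP6_IN = "80,443"
EOF

# The port is still reachable through TCP_IN and through the UDP_IN range.
open_lists "$sample" 2201
```

On a live server, pass the real config path and the port sshd listens on; an empty result means none of the three lists opens that port to non-whitelisted addresses.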