Author Topic: Still Get SSH Login Attempts with PW Auth Disabled  (Read 2341 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Still Get SSH Login Attempts with PW Auth Disabled
« on: March 09, 2024, 01:30:06 AM »
Greetings,

I have PasswordAuthentication disabled and PubkeyAuthentication enabled in my sshd_config file.  As expected, I can log in with a key file, but not with a password.

However, I continue to receive LFD alert emails of attempted password logins.  Fortunately, I have the number of attempts before blocking the IP set to 1:

"Mar  8 11:45:52 server sshd[21937]: Invalid user ubuntu from 113.194.225.168 port 35078"

When I attempt to log in with a password externally to my public IP, it fails as expected:
"No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)"

How are some hackers still able to reach the login prompt?

Thank you,

Michael

Offline
*****
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #1 on: March 09, 2024, 03:05:03 AM »
Change SSH to an alternate port and live in peace (I don't recommend 2222 as FritzFrog scans for that.)
https://docs.rackspace.com/docs/change-the-ssh-port-in-centos-and-redhat
(Don't forget to update your csf.conf to account for the alternate SSH port.)

Offline
*
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #2 on: March 09, 2024, 03:58:15 PM »
I changed the port number for SSH long ago, and only recently disabled password authentication.  But, even with the port number changed, I don't see how they are reaching a login prompt if they find it.

Thank you,

Michael


Offline
*****
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #3 on: March 09, 2024, 09:28:25 PM »
You can also turn off LFD notifications for SSH attempts. Have you tuned your sshd_config to secure it (disable root login, reduce login grace time, reduce login attempts, etc.)?

Offline
*
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #4 on: March 10, 2024, 03:13:03 AM »
I prefer to receive LFD notifications, to know what's going on.  I have "PermitRootLogin" set to "no", and the number of attempts set to "1" before blocking the IP.

However, I would like to know how hackers are still able to attempt a login at all, if I have PasswordAuthentication set to "no" and PubkeyAuthentication set to "yes".

Thank you,

Michael

Offline
*****
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #5 on: March 11, 2024, 03:56:24 PM »
They are hitting your SSH port, just block that port in CSF.

Any whitelisted IP's will still be able to login.

Offline
*
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #6 on: March 11, 2024, 06:14:13 PM »
I removed the SSH port number from the TCP_IN and TCP_OUT ports list in csf.conf, and confirmed I can still connect.  Hopefully, that will stop them.

Thank you,

Michael

Offline
*****
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #7 on: March 11, 2024, 11:49:24 PM »
TCP_OUT doesn't matter.

Don't forget about UDP_IN, sometimes that will list port 22.

And TCP6_IN, if the server has IPv6 enabled.

Offline
*
Re: Still Get SSH Login Attempts with PW Auth Disabled
« Reply #8 on: March 13, 2024, 02:21:46 AM »
Thank you.  I found a few other references.  So far, I haven't received any other alerts.