Control Web Panel

Security => CSF Firewall => Topic started by: urantian on March 09, 2024, 01:30:06 AM

Title: Still Get SSH Login Attempts with PW Auth Disabled
Post by: urantian on March 09, 2024, 01:30:06 AM
Greetings,

I have PasswordAuthentication disabled and PubkeyAuthentication enabled in my sshd_config file.  As expected, I can log in with a key file, but not with a password.

However, I continue to receive LFD alert emails of attempted password logins.  Fortunately, I have the number of attempts before blocking the IP set to 1:

"Mar  8 11:45:52 server sshd[21937]: Invalid user ubuntu from 113.194.225.168 port 35078"

When I attempt to log in with a password externally to my public IP, it fails as expected:
"No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)"

How are some hackers still able to reach the login prompt?

Thank you,

Michael
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: overseer on March 09, 2024, 03:05:03 AM
Change SSH to an alternate port and live in peace (I don't recommend 2222 as FritzFrog (https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero/) scans for that.)
https://docs.rackspace.com/docs/change-the-ssh-port-in-centos-and-redhat
(Don't forget to update your csf.conf to account for the alternate SSH port.)
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: urantian on March 09, 2024, 03:58:15 PM
I changed the port number for SSH long ago, and only recently disabled password authentication.  But, even with the port number changed, I don't see how they are reaching a login prompt if they find it.

Thank you,

Michael

Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: overseer on March 09, 2024, 09:28:25 PM
You can also turn off LFD notifications for SSH attempts. Have you tuned your sshd_config to secure it (disable root login, reduce login grace time, reduce login attempts, etc.)?
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: urantian on March 10, 2024, 03:13:03 AM
I prefer to receive LFD notifications, to know what's going on.  I have "PermitRootLogin" set to "no", and the number of attempts set to "1" before blocking the IP.

However, I would like to know how hackers are still able to attempt a login at all, if I have PasswordAuthentication set to "no" and PubkeyAuthentication set to "yes".

Thank you,

Michael
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: Starburst on March 11, 2024, 03:56:24 PM
They are hitting your SSH port; just block that port in CSF.

Any whitelisted IPs will still be able to log in.
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: urantian on March 11, 2024, 06:14:13 PM
I removed the SSH port number from the TCP_IN and TCP_OUT ports list in csf.conf, and confirmed I can still connect.  Hopefully, that will stop them.

Thank you,

Michael
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: Starburst on March 11, 2024, 11:49:24 PM
TCP_OUT doesn't matter.

Don't forget about UDP_IN; sometimes that will list port 22.

And TCP6_IN, if the server has IPv6 enabled.
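
Added example (not part of the original thread, and not CSF's own tooling): a shell check that reports which inbound lists in csf.conf still contain the SSH port, covering the TCP_IN, UDP_IN and TCP6_IN settings named in the posts above, including ports hidden inside a low:high range. UDP6_IN is checked as well as an assumption beyond the posts; the sample config and port 2200 are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list which inbound CSF settings
# still contain a given port, e.g. the SSH port after editing csf.conf.

# Succeed if PORT appears in a CSF port list such as "53,80,2000:2300"
# (CSF writes ranges as low:high). Runs in a subshell to keep IFS local.
port_in_list() (
    port=$1
    list=$(printf '%s' "$2" | tr -d '[:space:]')
    IFS=','; set -f
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$port" ] && return 0 ;;
        esac
    done
    return 1
)

# Print each inbound setting in CONF whose port list contains PORT.
csf_open_lists() (
    conf=$1 port=$2
    for key in TCP_IN TCP6_IN UDP_IN UDP6_IN; do
        # Last uncommented assignment of the form: KEY = "value"
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
        if port_in_list "$port" "$value"; then echo "$key"; fi
    done
)

# Constructed csf.conf fragment; 2200 is a made-up alternate SSH port.
sample_conf() {
cat <<'EOF'
# TCP_IN = "22"
TCP_IN = "80,443"
TCP6_IN = "80,443,2200"
UDP_IN = "53,2000:2300"
UDP6_IN = ""
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
csf_open_lists "$tmp" 2200   # prints TCP6_IN and UDP_IN
rm -f "$tmp"
```

On a real server, call `csf_open_lists /etc/csf/csf.conf <port>` with the Port value from sshd_config; no output means none of the four lists opens that port.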
Title: Re: Still Get SSH Login Attempts with PW Auth Disabled
Post by: urantian on March 13, 2024, 02:21:46 AM
Thank you.  I found a few other references.  So far, I haven't received any other alerts.