Author Topic: SSH being constantly probed  (Read 281 times)

0 Members and 1 Guest are viewing this topic.

Offline
**
SSH being constantly probed
« on: September 09, 2020, 05:26:25 PM »
For the last 2 weeks, someone (apparently some bot automatically running) is trying to log into SSH with different ports, IPs and usernames.
Apart from the annoying emails every 5 minutes telling me an IP was blocked - is there anything I can do to block this guy?
I've reduced the wrong tries to get blocked to 2 and the period increased to 120 minutes.


Anything else you might advise?

Offline
**
Re: SSH being constantly probed
« Reply #1 on: September 09, 2020, 10:35:50 PM »
Normal activity.
2 attempts is a bit severe, though if you use login keys, as you should, then that's fine.
Don't block temporarily, block permanently!
Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.
Why bother to get sent emails, just set to no notification?

All easily done if you have the official CSF GUI available on your CWP installation.

Offline
**
Re: SSH being constantly probed
« Reply #2 on: September 10, 2020, 05:23:36 AM »
By official CSF GUI, do you refer to this screenshot?
https://pasteboard.co/Jqo5qgf.png


As to blocking it completely - then I wouldn't be able to login to FTP and SSH with my keys...
As to IPset, never heard of it. I'll check.

Offline
**
Re: SSH being constantly probed
« Reply #3 on: September 10, 2020, 08:37:55 AM »
By official CSF GUI, do you refer to this screenshot?
https://pasteboard.co/Jqo5qgf.png
No, that's one of a pair of crap CWP-derived interfaces. They used to supply the official GUI but removed it, instead of removing their own version(s). Fortunately, I saved a copy of the files from an older release.

As to blocking it completely - then I wouldn't be able to login to FTP and SSH with my keys...
As to IPset, never heard of it. I'll check.
Nope, you can exempt yourself from blocks. In any case only blocks for failed attempts.
Read https://download.configserver.com/csf/readme.txt and /etc/csf/csf.conf

Official GUI is shown here:
https://configserver.com/cp/csf.html
« Last Edit: September 10, 2020, 08:40:52 AM by cynique »

Offline
**
Re: SSH being constantly probed
« Reply #4 on: September 13, 2020, 06:11:59 AM »
Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.
I've installed and configured IPset 48 hours ago and still getting lots of notifications. :(

Offline
**
Re: SSH being constantly probed
« Reply #5 on: September 13, 2020, 08:54:44 AM »
Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.
I've installed and configured IPset 48 hours ago and still getting lots of notifications. :(
You don't appear to comprehend instructions too well.  :-\
On a silver plate, with matching cutlery..
Code: [Select]
LF_EMAIL_ALERT  = OFF
« Last Edit: September 13, 2020, 08:56:26 AM by cynique »

Offline
**
Re: SSH being constantly probed
« Reply #6 on: September 13, 2020, 09:28:24 AM »
Not getting alerts doesn't say SSH is not being attacked constantly.
On the contrary, I want to be aware of such, but am wondering if there's anything i can do to stop it.

Offline
**
Re: SSH being constantly probed
« Reply #7 on: September 13, 2020, 10:21:15 AM »
Change default port 22 and use key authentication.
LF_DISTATTACK = ON
LF_DISTATTACK_UNIQ = 2
Block certain countries, depending on your required 'market' eg. CN,TH,TW,RU,IL,BR,AG,SG,IN,PK,HK
(Still a lot from the USA though.)
Block AWS, Contabo, DO and GCloud.
Block all other lusers on your provider's LAN.
Other than that nearly nothing - it's a consequence of being on the 'net.

You could limit ssh access to a particular VPN but is of limited use, in terms of actual port scanning.

(My record for setting up a server and getting attacks, is 1400 failed logins, in the time it takes to do an apt update and change ssh to key authentication!)
« Last Edit: September 13, 2020, 10:24:34 AM by cynique »

Offline
**
Re: SSH being constantly probed
« Reply #8 on: September 13, 2020, 11:29:02 AM »
Here's an example of what you can add to your blocklists..
Code: [Select]
# Digital Ocean
DOCEAN|86400|0|https://asn.ipinfo.app/api/text/list/AS14061

# Contabo
CONTABO|86400|0|https://asn.ipinfo.app/api/text/list/51167
I have custom scripts to generate lists for AWS, GCloud (googleusercontent) and so-called research threats (eg. Shodan.io)