One day after allowing ssh, I can see brute-force login attempts in /var/log/messages:

May  2 22:17:16 mybox sshd[24451]: Did not receive identification string from
May  2 22:17:43 mybox sshd[24454]: Invalid user postgres from
May  2 22:17:46 mybox sshd[24456]: Invalid user accept from
May  2 22:17:48 mybox sshd[24458]: Invalid user leo from
May  2 22:17:51 mybox sshd[24460]: Invalid user zeppelin from
May  2 22:17:53 mybox sshd[24462]: Invalid user hacker from
May  2 22:17:56 mybox sshd[24464]: Invalid user olga from
May  2 22:17:59 mybox sshd[24466]: Invalid user boris from
May  2 22:18:01 mybox sshd[24468]: Invalid user mathew from
May  2 22:18:04 mybox sshd[24475]: Invalid user testing from
May  2 22:18:06 mybox sshd[24477]: Invalid user galaxy from
May  2 22:18:11 mybox sshd[24481]: Invalid user venice from
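
The log above shows a dictionary scan (postgres, hacker, testing, ...) rather than a user mistyping a name. As an added example, not taken from the page or from fail2ban, here is the counting that fail2ban automates: bucket failed sshd attempts per source host and flag any host that reaches `maxretry` failures inside a time `window`. The sample lines are constructed to mirror the excerpt; the page's lines have the source host cut off, so RFC 5737 documentation addresses (203.0.113.5, 198.51.100.7) stand in, and the year (absent from syslog timestamps) is an assumed value.

```python
"""Spot SSH brute-force sources in syslog-style sshd lines (added example).

This is the same counting fail2ban does: bucket failed attempts per source
host and flag any host with `maxretry` failures inside a `window` of time.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Messages OpenSSH's sshd logs for unsuccessful connections. The source host
# follows "from"; the page's own log excerpt has that part cut off.
FAILURE_PATTERNS = [
    re.compile(r"Invalid user (?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"Did not receive identification string from (?P<host>\S+)"),
]
# "May  2 22:17:43 mybox sshd[24454]: ..." (classic syslog timestamp, no year)
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample, modelled on the page's excerpt; hosts are RFC 5737
# documentation addresses, not real attackers.
SAMPLE_LOG = """\
May  2 22:17:16 mybox sshd[24451]: Did not receive identification string from 203.0.113.5
May  2 22:17:43 mybox sshd[24454]: Invalid user postgres from 203.0.113.5
May  2 22:17:46 mybox sshd[24456]: Invalid user accept from 203.0.113.5
May  2 22:17:48 mybox sshd[24458]: Invalid user leo from 203.0.113.5
May  2 22:17:51 mybox sshd[24460]: Invalid user zeppelin from 203.0.113.5
May  2 22:17:53 mybox sshd[24462]: Invalid user hacker from 203.0.113.5
May  2 22:18:30 mybox sshd[24470]: Failed password for alice from 198.51.100.7 port 51022 ssh2
May  2 22:18:35 mybox sshd[24470]: Failed password for alice from 198.51.100.7 port 51022 ssh2
May  2 22:18:40 mybox sshd[24472]: Accepted publickey for alice from 198.51.100.7 port 51030 ssh2
May  2 22:19:01 mybox cron[24480]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def parse_line(line, year=2006):
    """Return (timestamp, source_host, username-or-None) for a failed sshd
    attempt, or None for lines that are not failures. Syslog omits the
    year, so one is supplied (an assumed value; the page's lines have none)."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for pat in FAILURE_PATTERNS:
        hit = pat.search(m.group("msg"))
        if hit:
            return ts, hit.group("host"), hit.groupdict().get("user")
    return None


def find_offenders(lines, maxretry=5, window=timedelta(minutes=10)):
    """Map host -> total failures for every host that produced at least
    `maxretry` failures within any `window`-long span (sliding window)."""
    stamps_by_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, _ = parsed
            stamps_by_host[host].append(ts)
    offenders = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink the window from the left
                start += 1
            if end - start + 1 >= maxretry:
                offenders[host] = len(stamps)
                break
    return offenders


def usernames_tried(lines):
    """Counter of usernames guessed; a list like postgres/hacker/testing is
    the signature of a dictionary scan rather than a typo by a real user."""
    return Counter(p[2] for p in map(parse_line, lines) if p and p[2])


if __name__ == "__main__":
    for host, n in find_offenders(SAMPLE_LOG).items():
        print(f"{host}: {n} failed attempts, candidate for a firewall block")
    print("usernames tried:", dict(usernames_tried(SAMPLE_LOG)))
```

With the defaults (5 failures in 10 minutes, close to fail2ban's own defaults) only 203.0.113.5 is reported; the two wrong passwords from 198.51.100.7 followed by a successful key login look like a real user and stay below the threshold.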

Installed chkrootkit and rkhunter.

Rkhunter gives me this warning:

* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    Hint: See logfile for more information about this issue
   Checking for allowed protocols...                          [ Warning (SSH v1 allowed) ]


Fail2ban should hold off some of the brute-force attacks by modifying firewall rules on the fly.

Used the page "rootkit warnings - they serious?" to secure my ssh (/etc/ssh/sshd_config). Also changed the port to a less obvious one:

PermitRootLogin no
Port xx  # Don't forget to open this port in firewall
Protocol 2

Tips to Secure Linux Workstation | Ayman Hourieh's Blog:

Looking for sshd AllowUser/DenyUser, the message SecurityFocus Secure Shell: Re: AllowUser/DenyUser: directs me to PAM.

Whitedust: Recent SSH Brute-Force Attacks

SSH: Pluggable Authentication Module (PAM) Submethod

SuSE Help | SUSE Linux Documentation (en) | Reference (en) | System | Authentication with PAM

It seems I can restrict SSH access in multiple places: firewall, sshd, PAM, LIDS on my box and the firewall on my router.

||||+-filesystem-+||||      +--firewall--+        _---------_
|||||+----------+|||||      |+----------+|       (           )
||||||  mybox   ++++++------++ myrouter ++------(   INTERNET  )
|||||+----------+|||||      |+----------+|       (_         _)
||||+------------+||||      +------------+         ---------

From PenguinSecurity dot Net - SSH User Identities:

"The goal of using Identity/Pubkey authentication is to remove the need for static passwords. Instead of providing a password, which could be captured by a keystroke logger or witnessed as you type it, you have a key pair on your disk that you use to authenticate. Your account on the SSH server has a list of Identities/Pubkeys that it trusts, and if you can prove you have the public and private key then you are granted access without supplying a password."

How do I disable keyboard authentication?

From man sshd_config (PasswordAuthentication):

Specifies whether password authentication is allowed. The default is “yes”.

I can still log in by keyboard... The answer is in this Google Groups thread: openssh-2.5.2p2 takes passwords with PasswordAuthentication no?


Reset /etc/sshd_config:

#X11Forwarding no
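
As an added example (not from the page or the linked thread), here is a small auditor that checks an sshd_config for the two rkhunter warnings above (root login, protocol 1) and for the PasswordAuthentication question. Two facts drive it: sshd uses the first occurrence of each keyword, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing; and with PAM the keyboard-interactive method keeps prompting for the account password until ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in newer OpenSSH) is also `no`. The BEFORE and AFTER configs are constructed; `Port 2222` stands in for the page's `Port xx`.

```python
"""Audit sshd_config for the problems rkhunter flagged on this box plus the
PAM / keyboard-interactive trap (added example, not the page's own code)."""
import re


def parse_sshd_config(text):
    """Return {keyword(lower): effective value} for the global section.

    sshd honours the FIRST occurrence of a keyword and ignores later
    duplicates, so setdefault() reproduces what the daemon will use.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match block is conditional; ignore it
        opts.setdefault(key, value)
    return opts


def audit(text):
    """List of (keyword, problem) tuples; an empty list means all checks pass."""
    o = parse_sshd_config(text)
    findings = []

    root = o.get("permitrootlogin")
    if root not in ("no", "prohibit-password", "without-password"):
        findings.append(("permitrootlogin",
                         f"root login possible ({root or 'unset, build default applies'}); "
                         "set PermitRootLogin no"))

    proto = o.get("protocol")
    if proto is None or "1" in proto.split(","):
        findings.append(("protocol",
                         "SSH protocol 1 allowed or not pinned to 2 "
                         "(older OpenSSH releases defaulted to 2,1)"))

    if o.get("passwordauthentication", "yes") != "no":  # sshd default: yes
        findings.append(("passwordauthentication",
                         "static passwords accepted; set to no and use keys"))

    # The trap from the page: PasswordAuthentication no is not enough. The
    # keyboard-interactive method (backed by PAM) still asks for the password
    # unless ChallengeResponseAuthentication / KbdInteractiveAuthentication is no.
    kbd = o.get("kbdinteractiveauthentication",
                o.get("challengeresponseauthentication", "yes"))  # default: yes
    if kbd != "no":
        findings.append(("challengeresponseauthentication",
                         "keyboard-interactive (PAM) still accepts the account password; "
                         "set ChallengeResponseAuthentication no"))

    if o.get("pubkeyauthentication", "yes") == "no":
        findings.append(("pubkeyauthentication",
                         "public-key auth disabled; nothing is left to log in with"))
    return findings


# Constructed: roughly the box after the first edit. Root login and Protocol
# are unset/loose (rkhunter's two warnings), PasswordAuthentication no has
# been added, yet keyboard login still works.
BEFORE = """\
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
X11Forwarding no
"""

# Constructed hardened version. Port 2222 stands in for the page's "Port xx".
AFTER = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
"""

if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, audit(cfg) or "all checks pass")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; remember that the check reads the file, not the running daemon, so restart sshd after editing and keep an existing session open until a fresh key-based login has been confirmed.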

