Gentoo Forums
sshd still allows login attempts
jesnow
l33t


Joined: 26 Apr 2006
Posts: 674

Posted: Mon Nov 23, 2020 6:47 pm    Post subject: sshd still allows login attempts

Hi folks:

I apologize if this is a common question:

I have password logins disabled like so (/etc/sshd_config):

Code:

LoginGraceTime 3s
#LoginGraceTime 30s

PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile     .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# PasswordAuthentication yes
PasswordAuthentication no

PermitEmptyPasswords no

# Change to no to disable s/key passwords
# ChallengeResponseAuthentication yes

# ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no


But I still get log entries like this:

Code:

Nov 23 12:35:56 merckx sshd[13251]: Received disconnect from 98.143.148.45 port 55464:11: Bye Bye [preauth]
Nov 23 12:35:56 merckx sshd[13251]: Disconnected from authenticating user root 98.143.148.45 port 55464 [preauth]
Nov 23 12:38:04 merckx sshd[13290]: Invalid user php from 5.88.141.217 port 49508
Nov 23 12:38:04 merckx sshd[13290]: Received disconnect from 5.88.141.217 port 49508:11: Bye Bye [preauth]
Nov 23 12:38:04 merckx sshd[13290]: Disconnected from invalid user php 5.88.141.217 port 49508 [preauth]
Nov 23 12:38:28 merckx sshd[13293]: Invalid user hadoop3 from 51.210.109.128 port 52554
Nov 23 12:38:28 merckx sshd[13293]: Received disconnect from 51.210.109.128 port 52554:11: Bye Bye [preauth]
Nov 23 12:38:28 merckx sshd[13293]: Disconnected from invalid user hadoop3 51.210.109.128 port 52554 [preauth]
Nov 23 12:39:34 merckx sshd[13306]: Invalid user odoo from 98.143.148.45 port 48778
Nov 23 12:39:34 merckx sshd[13306]: Received disconnect from 98.143.148.45 port 48778:11: Bye Bye [preauth]
Nov 23 12:39:34 merckx sshd[13306]: Disconnected from invalid user odoo 98.143.148.45 port 48778 [preauth]
Nov 23 12:41:06 merckx sshd[13310]: Received disconnect from 5.88.141.217 port 47158:11: Bye Bye [preauth]
Nov 23 12:41:06 merckx sshd[13310]: Disconnected from authenticating user root 5.88.141.217 port 47158 [preauth]
Nov 23 12:41:23 merckx sshd[13314]: Invalid user edu from 93.104.208.65 port 54334
Nov 23 12:41:23 merckx sshd[13314]: Received disconnect from 93.104.208.65 port 54334:11: Bye Bye [preauth]
Nov 23 12:41:23 merckx sshd[13314]: Disconnected from invalid user edu 93.104.208.65 port 54334 [preauth]


Granted, that's less noise from brute force attacks than I got before, but it's still surprising to me that anybody can even get a login prompt.

Why is this even possible?

Any insight gratefully accepted.

Jon.
toralf
Developer


Joined: 01 Feb 2004
Posts: 3835
Location: Hamburg

Posted: Mon Nov 23, 2020 7:58 pm

Doesn't
Code:
 Bye Bye [preauth]
just mean that sshd rejects a password login?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 46999
Location: 56N 3W

Posted: Mon Nov 23, 2020 8:09 pm

jesnow,

sshd will not leak information.
It will still do the complete password dance for an attacker even though it will fail.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1987

Posted: Mon Nov 23, 2020 11:36 pm

I'm not so sure about ssh not leaking data. I think I had a few old servers that would kick you out right after your keys didn't match.
Granted, those were fairly old servers and ssh may have been patched in the meantime. But, I wouldn't be surprised if this could still be overwritten with AuthenticationMethods in sshd_config.

So, jesnow, check out 'man sshd_config' and search for AuthenticationMethods for details. Seems simple enough.

Also, you may be interested in fail2ban. Just make sure you don't accidentally lock yourself out. Other tricks that limit your exposure to brute-force are knockd (keep the ssh port filtered and only open it for yourself with a sequence of packets when you want to connect), and of course limiting ssh to a VPN's interface.
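Picking up the log lines in jesnow's post and szatox's fail2ban suggestion, here is an added example (not from this thread, and not fail2ban's own code) that parses the "Disconnected from ... [preauth]" lines, counts aborted pre-authentication attempts per source address, and applies a simple per-source threshold. The sample log is a constructed subset of the lines quoted above, and the threshold of 2 is an assumption chosen so the small sample trips it.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sshd log lines quoted in the post.
SAMPLE_LOG = """\
Nov 23 12:35:56 merckx sshd[13251]: Received disconnect from 98.143.148.45 port 55464:11: Bye Bye [preauth]
Nov 23 12:35:56 merckx sshd[13251]: Disconnected from authenticating user root 98.143.148.45 port 55464 [preauth]
Nov 23 12:38:04 merckx sshd[13290]: Invalid user php from 5.88.141.217 port 49508
Nov 23 12:38:04 merckx sshd[13290]: Disconnected from invalid user php 5.88.141.217 port 49508 [preauth]
Nov 23 12:38:28 merckx sshd[13293]: Invalid user hadoop3 from 51.210.109.128 port 52554
Nov 23 12:38:28 merckx sshd[13293]: Disconnected from invalid user hadoop3 51.210.109.128 port 52554 [preauth]
Nov 23 12:39:34 merckx sshd[13306]: Invalid user odoo from 98.143.148.45 port 48778
Nov 23 12:39:34 merckx sshd[13306]: Disconnected from invalid user odoo 98.143.148.45 port 48778 [preauth]
Nov 23 12:41:06 merckx sshd[13310]: Disconnected from authenticating user root 5.88.141.217 port 47158 [preauth]
"""

# Each aborted attempt ends with exactly one "Disconnected from ... [preauth]" line,
# so that line (not the "Received disconnect ... Bye Bye" line) is what gets counted.
DISCONNECT_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from (?P<kind>authenticating|invalid) user "
    r"(?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+) \[preauth\]")


def parse_preauth_disconnect(line):
    """Return (kind, user, ip) for a preauth disconnect line, else None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return m.group("kind"), m.group("user"), m.group("ip")


def summarize(log_text):
    """Per source IP: aborted preauth attempts, usernames tried, hits on real accounts."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "existing_accounts": 0})
    for line in log_text.splitlines():
        parsed = parse_preauth_disconnect(line)
        if parsed is None:
            continue
        kind, user, ip = parsed
        entry = summary[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        # "authenticating user" means the account exists (here root); "invalid user" does not.
        if kind == "authenticating":
            entry["existing_accounts"] += 1
    return dict(summary)


def sources_to_ban(summary, max_attempts):
    """fail2ban-style rule (assumed threshold): sources with at least max_attempts aborted attempts."""
    return sorted(ip for ip, e in summary.items() if e["attempts"] >= max_attempts)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, e in sorted(s.items()):
        print(ip, e["attempts"], sorted(e["users"]), e["existing_accounts"])
    print("ban:", sources_to_ban(s, 2))
```

Every counted line carries [preauth], i.e. the client was cut off before any authentication method succeeded, which is the point toralf and NeddySeagoon make above.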
dmpogo
Advocate


Joined: 02 Sep 2004
Posts: 2964
Location: Canada

Posted: Tue Nov 24, 2020 5:48 am

Do you actually get a login prompt if you try to ssh from a user that does not have a key set?