SSH Brute Force Protection - security

I currently have my Raspberry Pi port forwarded for SSH connections, so I can access it at work.
Whilst looking at 'journalctl -xe' I have seen tons of failed SSH login requests.
I have changed my Raspberry Pi to key logins rather than password based. Is there anything else I can do to stop this guy from trying to break in? Or better security to stop him accessing it?
Dec 20 19:46:36 raspberrypi sshd[1929]: Received disconnect from 106.250.183.218 port 20371:11: Bye Bye [preauth]
Dec 20 19:46:36 raspberrypi sshd[1929]: Disconnected from 106.250.183.218 port 20371 [preauth]
Dec 20 19:47:58 raspberrypi sshd[1931]: Received disconnect from 221.194.47.245 port 37247:11: [preauth]
Dec 20 19:47:58 raspberrypi sshd[1931]: Disconnected from 221.194.47.245 port 37247 [preauth]
Dec 20 19:48:50 raspberrypi sshd[1934]: Did not receive identification string from 23.254.161.114 port 51435
Dec 20 19:50:15 raspberrypi sshd[1935]: Did not receive identification string from 195.154.60.109 port 64642
Dec 20 19:50:15 raspberrypi sshd[1936]: Invalid user user from 195.154.60.109 port 64943
Dec 20 19:50:15 raspberrypi sshd[1936]: input_userauth_request: invalid user user [preauth]
Dec 20 19:50:15 raspberrypi sshd[1936]: error: Received disconnect from 195.154.60.109 port 64943:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 20 19:50:15 raspberrypi sshd[1936]: Disconnected from 195.154.60.109 port 64943 [preauth]
Dec 20 20:02:05 raspberrypi sshd[1997]: Did not receive identification string from 195.154.60.109 port 51264
Dec 20 20:02:06 raspberrypi sshd[1998]: Invalid user user from 195.154.60.109 port 51418
Dec 20 20:02:06 raspberrypi sshd[1998]: input_userauth_request: invalid user user [preauth]
Dec 20 20:02:06 raspberrypi sshd[1998]: error: Received disconnect from 195.154.60.109 port 51418:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 20 20:02:06 raspberrypi sshd[1998]: Disconnected from 195.154.60.109 port 51418 [preauth]
Dec 20 20:02:31 raspberrypi sshd[2002]: Did not receive identification string from 91.227.47.234 port 53975
Dec 20 20:02:32 raspberrypi sshd[2003]: Invalid user user from 91.227.47.234 port 53982
Dec 20 20:02:32 raspberrypi sshd[2003]: input_userauth_request: invalid user user [preauth]
Dec 20 20:02:32 raspberrypi sshd[2003]: Received disconnect from 91.227.47.234 port 53982:11: Bye Bye [preauth]
Dec 20 20:02:32 raspberrypi sshd[2003]: Disconnected from 91.227.47.234 port 53982 [preauth]
Dec 20 20:03:05 raspberrypi sshd[2023]: Did not receive identification string from 103.79.142.58 port 50841
Dec 20 20:03:08 raspberrypi sshd[2024]: Invalid user user from 103.79.142.58 port 52943
Dec 20 20:03:08 raspberrypi sshd[2024]: input_userauth_request: invalid user user [preauth]
Dec 20 20:03:08 raspberrypi sshd[2024]: error: Received disconnect from 103.79.142.58 port 52943:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

You can also limit the number of attempts with fail2ban.
The default config is fine for an SSH server.
sudo apt-get update
sudo apt-get install fail2ban
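As an added illustration (not part of the answer above), here is the core of what fail2ban's sshd filter does, in simplified form: count pre-auth failures per source address in journalctl output shaped like the lines in the question. The log sample is constructed; 192.0.2.10 is a documentation address standing in for an assumed legitimate login.

```shell
#!/bin/sh
# Constructed sample in the journalctl format from the question above (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 20 19:48:50 raspberrypi sshd[1934]: Did not receive identification string from 23.254.161.114 port 51435
Dec 20 19:50:15 raspberrypi sshd[1936]: Invalid user user from 195.154.60.109 port 64943
Dec 20 19:50:15 raspberrypi sshd[1936]: Disconnected from 195.154.60.109 port 64943 [preauth]
Dec 20 20:02:06 raspberrypi sshd[1998]: Invalid user user from 195.154.60.109 port 51418
Dec 20 20:02:32 raspberrypi sshd[2003]: Invalid user user from 91.227.47.234 port 53982
Dec 20 20:02:40 raspberrypi sshd[2005]: Failed password for invalid user admin from 195.154.60.109 port 51500 ssh2
Dec 20 20:03:08 raspberrypi sshd[2024]: Invalid user user from 103.79.142.58 port 52943
Dec 20 20:05:00 raspberrypi sshd[2040]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2
EOF

# ssh_offenders LOGFILE [MAXRETRY]: count pre-auth failures per source address and
# print "IP COUNT" for every source that reached MAXRETRY (default 3). This is a
# simplified version of fail2ban's sshd filter: only the three failure patterns
# are counted; "Disconnected" and "Accepted" lines are deliberately ignored.
ssh_offenders() {
    logfile=$1
    maxretry=${2:-3}
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password|Did not receive identification string)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
    ' "$logfile" | sort
}

echo "Sources with 3 or more pre-auth failures:"
ssh_offenders "$SAMPLE_LOG" 3
```

fail2ban adds the missing half, a time window (findtime) and the ban itself; this script only shows which sources the filter would have flagged.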

If you're not looking to disable password access to all accounts, disabling the root login via your sshd_config file (as mentioned by @ramrunner) would definitely cut down on the vast majority of SSH brute force attempts. Nevertheless, this can still leave your other login accounts vulnerable.
One way to mitigate this would be to configure iptables to only allow external SSH attempts from certain IP addresses or IP blocks. If your external work IP address does not change, you could configure iptables to block all external SSH attempts except from your work IP.
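An added ruleset builder, not from the answer above, for the iptables allow-list it describes. 203.0.113.5 stands in for the work address and 192.168.1.0/24 for the home LAN (both assumed); the five-minute rollback via at(1) is an added safeguard against locking yourself out of a Pi you only reach over SSH.

```shell
#!/bin/sh
# ssh_allowlist_rules WORK_IP [LAN_CIDR]: print, in the order they must be
# applied, iptables rules that leave port 22 reachable only from WORK_IP and the
# local LAN. Order matters: ESTABLISHED first so the session you apply this from
# survives, the allows next, DROP last. Assumes an INPUT chain with no earlier
# rule already matching port 22 (e.g. a fresh Raspbian install).
ssh_allowlist_rules() {
    work_ip=$1
    lan=${2:-192.168.1.0/24}   # assumed home LAN range; adjust to yours
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $work_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $lan -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# apply_with_rollback WORK_IP: apply the rules as root, but queue a flush of the
# INPUT chain for five minutes later, so a mistyped WORK_IP cannot lock you out.
# Reconnect from work, then cancel the queued flush with atrm; if you cannot get
# back in, the flush reopens port 22 by itself. Needs the at(1) daemon.
apply_with_rollback() {
    ssh_allowlist_rules "$1" | sh -e
    echo "iptables -F INPUT" | at now + 5 minutes
}

# Dry run: show the rules for a constructed work address (documentation range).
ssh_allowlist_rules 203.0.113.5
```

Rules added this way do not survive a reboot; on Debian/Raspbian the iptables-persistent package saves them.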

SSH brute force attacks can suck the resources from low-powered servers with a minimal amount of processors (CPU) and memory (RAM). This could be the case with your Raspberry Pi.
We developed a solution named am-deny-hosts that helps to block these attacks. It downloads IP address blacklists of known SSH attackers and adds them to the /etc/hosts.deny file.
It is released as an open source project on GitHub. You get a set of shell scripts that protect your Raspberry Pi without taking up a lot of time, CPU, or memory. What's more, we made it very simple to install.

This question might be better migrated to serverfault or security.stackexchange.
As @larsks said, these automated attacks are in vain if you have disabled password logins. Make sure you also have
PermitRootLogin no
in your sshd_config. If you don't want to limit it yourself from iptables as per @larsks' link, you can install fail2ban.
Finally, I have found that running sshd on a non-standard port helps with the automated scans too.
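An added check, not from the answer above: a small audit of sshd_config for the settings recommended in this thread. It reads the file the way sshd does, taking the first uncommented occurrence of each keyword, so a commented-out default or a later duplicate does not mislead it. The config file is constructed to mirror the Debian/Raspbian defaults.

```shell
#!/bin/sh
# Constructed sshd_config sample. The commented lines mirror the Debian/Raspbian
# defaults and must NOT count as settings; the final "yes" shows first-match-wins.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# Package generated configuration file
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin no
PermitRootLogin yes
EOF

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd honours the FIRST uncommented occurrence of a keyword, so the later
# "PermitRootLogin yes" above does not override the earlier "no". Keywords are
# case-insensitive. An absent keyword prints nothing (sshd's built-in default).
# Match blocks and Include files are not handled here; "sudo sshd -T" prints the
# real effective configuration and is the authoritative check.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: return 0 when root login and password authentication
# are both off, 1 otherwise, printing each problem. The port is only reported
# as a note, since moving it is optional.
audit_sshd_config() {
    rc=0
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    port=$(effective_value "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || echo "note: sshd is on the default port 22 (automated scans try it first)"
    return $rc
}

audit_sshd_config "$CFG" && echo "OK: $CFG passes"
```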

Related

Unable to connect Azure ubuntu VM through VS code

Getting the below issue while connecting to the Azure VM through VSCode, but we are able to connect through PuTTY when we use the .ppk file. Getting the below error when we use both .ppk & .pem via the ssh config in VSCode.
Error: Permission denied(Public key)
Below are the ssh logs:
root@VMWDEPOCEUS001:/var/log# tail -30 auth.log
Oct 27 10:19:12 VMWDEPOCEUS001 sshd[3087]: Failed password for invalid user ssh user from 156.163.33.75 port 56425 ssh2
Oct 27 10:19:14 VMWDEPOCEUS001 sshd[3087]: Failed password for invalid user ssh user from 156.163.33.75 port 56425 ssh2
Oct 27 10:19:15 VMWDEPOCEUS001 sshd[3087]: Connection reset by invalid user ssh user 156.163.33.75 port 56425 [preauth]
Oct 27 10:23:52 VMWDEPOCEUS001 sshd[3095]: Invalid user ssh user1 from 156.163.33.75 port 56590
Oct 27 10:23:57 VMWDEPOCEUS001 sshd[3095]: Failed none for invalid user ssh user1 from 156.163.33.75 port 56590 ssh2
Oct 27 10:24:00 VMWDEPOCEUS001 sshd[3095]: Failed password for invalid user ssh user1 from 156.163.33.75 port 56590 ssh2
Oct 27 10:24:04 VMWDEPOCEUS001 sshd[3095]: Failed password for invalid user ssh user1 from 156.163.33.75 port 56590 ssh2
Oct 27 10:24:05 VMWDEPOCEUS001 sshd[3095]: Connection reset by invalid user ssh user1 156.163.33.75 port 56590 [preauth]
Oct 27 10:25:26 VMWDEPOCEUS001 sshd[3099]: Accepted password for user1 from 156.163.33.75 port 56649 ssh2
Oct 27 10:25:26 VMWDEPOCEUS001 sshd[3099]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Oct 27 10:25:26 VMWDEPOCEUS001 systemd-logind[1238]: New session 6 of user user1.
Oct 27 10:25:28 VMWDEPOCEUS001 sshd[3167]: Accepted password for user1 from 156.163.33.75 port 56651 ssh2
Oct 27 10:25:28 VMWDEPOCEUS001 sshd[3167]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Oct 27 10:25:28 VMWDEPOCEUS001 systemd-logind[1238]: New session 7 of user user1.
Oct 27 10:27:00 VMWDEPOCEUS001 sshd[3258]: Invalid user ssh user1 from 156.163.33.75 port 26689
Oct 27 10:27:14 VMWDEPOCEUS001 sshd[3258]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 10:27:14 VMWDEPOCEUS001 sshd[3258]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=156.163.33.75
Oct 27 10:27:16 VMWDEPOCEUS001 sshd[3258]: Failed password for invalid user ssh user1 from 156.163.33.75 port 26689 ssh2
Oct 27 10:27:30 VMWDEPOCEUS001 sshd[3258]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 10:27:33 VMWDEPOCEUS001 sshd[3258]: Failed password for invalid user ssh user1 from 156.163.33.75 port 26689 ssh2
Oct 27 10:27:47 VMWDEPOCEUS001 sshd[3258]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 10:27:49 VMWDEPOCEUS001 sshd[3258]: Failed password for invalid user ssh user1 from 156.163.33.75 port 26689 ssh2
Oct 27 10:27:49 VMWDEPOCEUS001 sshd[3258]: Connection reset by invalid user ssh user1 156.163.33.75 port 26689 [preauth]
Oct 27 10:27:49 VMWDEPOCEUS001 sshd[3258]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=156.163.33.75
Oct 27 10:31:22 VMWDEPOCEUS001 sshd[3279]: Invalid user ssh user1 from 156.163.33.75 port 56826
Oct 27 10:31:34 VMWDEPOCEUS001 sshd[3279]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 10:31:34 VMWDEPOCEUS001 sshd[3279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=156.163.33.75
Oct 27 10:31:35 VMWDEPOCEUS001 sshd[3279]: Failed password for invalid user ssh user1 from 156.163.33.75 port 56826 ssh2
Oct 27 10:32:09 VMWDEPOCEUS001 sshd[3279]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 10:32:10 VMWDEPOCEUS001 sshd[3279]: Failed password for invalid user ssh user1 from 156.163.33.75 port 56826 ssh2
Expectation: Need to connect to Azure Ubuntu (18.04) VM using VSCode config file
I tried to reproduce the same in my environment, and SSH connected to the Azure Ubuntu (18.04) VM using VSCode successfully.
As per the docs, PuTTY is not supported and an error occurs. Try to install the OpenSSH client.
Change your user to root:
sudo -s
Try to install ssh, or if it is already installed update it, then enable ssh and check whether its status is active like below:
sudo apt-get install ssh
sudo apt-get update
systemctl enable ssh.service
systemctl status ssh.service
Generate an ssh key. Try to avoid ssh -i; please use user@hostname while configuring the ssh host like below.
Check whether you have provided the config file host, user and hostname correctly.
When I tried to connect, I got the same error and ssh log like below.
To resolve this issue:
First try to change your password using sudo passwd root, update the password and enable PasswordAuthentication: run sudo nano /etc/ssh/sshd_config and it will open the nano editor like below.
Once your nano editor opens (change the filesystem permission if you need to), scroll down, place your cursor at the #, press Insert, type PermitRootLogin yes and PubkeyAuthentication yes, then press Escape, : x and Enter.
Restart the SSH service with the following command:
sudo systemctl reload sshd
And try to connect with ssh user@hostname; it works.
If you are still facing the issue, please check as root that ssh is installed and updated, check that its status is active like above, and in the nano editor check:
PasswordAuthentication
ChallengeResponseAuthentication
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
To know more in detail please refer to these links:
SSH Failed Permission Denied by phoenixnap
Connect over SSH with Visual Studio Code

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details

I am unable to restart my Apache server to successfully install the SSL certificates.
I get the following error:
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
I have tried several articles and the root cause seems to be the following:
Mar 29 13:05:09 localhost.localdomain httpd[1234546]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
Mar 29 13:05:09 localhost.localdomain httpd[1234546]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
I am able to diagnose the issue and get the following output, which is also attached. I am unable to proceed further. Can you please help?
Server - AlmaLinux 8
Host - IONOS
Server version: Apache/2.4.37 (AlmaLinux)
-- Unit session-62994.scope has finished starting up.
-
-- Unit session-62994.scope has finished starting up.
-
-- The unit session-62994.scope has successfully entered the 'dead' state.
Mar 31 06:07:10 localhost.localdomain dhclient[1326]: XMT: Solicit on ens192, interval 110600ms.
Mar 31 06:07:10 localhost.localdomain dhclient[1326]: RCV: Advertise message on ens192 from fe80::250:56ff:fe8c:84c6.
Mar 31 06:07:10 localhost.localdomain dhclient[1326]: RCV: Advertise message on ens192 from fe80::250:56ff:fe9a:f13a.
Mar 31 06:07:30 localhost.localdomain sshd[1297516]: Invalid user sui from 167.99.68.65 port 48488
Mar 31 06:07:30 localhost.localdomain sshd[1297516]: pam_unix(sshd:auth): check pass; user unknown
Mar 31 06:07:30 localhost.localdomain sshd[1297516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.99.68.65
Mar 31 06:07:32 localhost.localdomain sshd[1297516]: Failed password for invalid user sui from 167.99.68.65 port 48488 ssh2
Mar 31 06:07:34 localhost.localdomain sshd[1297516]: Received disconnect from 167.99.68.65 port 48488:11: Bye Bye [preauth]
Mar 31 06:07:34 localhost.localdomain sshd[1297516]: Disconnected from invalid user sui 167.99.68.65 port 48488 [preauth]
Mar 31 06:07:44 localhost.localdomain unix_chkpwd[1297520]: password check failed for user (root)
Mar 31 06:07:44 localhost.localdomain sshd[1297518]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.173.27 user=root
Mar 31 06:07:46 localhost.localdomain sshd[1297518]: Failed password for root from 61.177.173.27 port 58626 ssh2
Mar 31 06:07:46 localhost.localdomain unix_chkpwd[1297521]: password check failed for user (root)
[root@localhost ~]# ss --listening --tcp --numeric --processes
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1087,fd=10),("nginx",pid=1086,fd=10),("nginx",pid=1084,fd=10))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1335,fd=5))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1087,fd=11),("nginx",pid=1086,fd=11),("nginx",pid=1084,fd=11))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1335,fd=7))
LISTEN 0 80 *:3306 *:* users:(("mysqld",pid=1098,fd=19))
Tried -
apachectl configtest - Result: syntax ok
setenforce 0

Remote port forwarding disconnected when run from cron

I have installed FreeBSD and need to regularly run a reverse shell to establish and keep alive an SSH connection to the client (no public IP). When running the ssh -R script from the terminal, it works as expected, but when I run it as a cron command, the connection is established and disconnected right after that.
Here is auth.log from the server:
Jan 26 08:50:00 sshd[9696]: Accepted publickey for XXXX from XXX.XXX.XXX.XXX port XXXXX ssh2: RSA SHA256: xxxxxxxxx
Jan 26 08:50:00 sshd[9696]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:00 systemd: pam_unix(systemd-user:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:01 systemd-logind[458]: New session 107 of user XXXX.
Jan 26 08:50:01 sshd[9794]: Received disconnect from XXX.XXX.XXX.XXX port XXXXX:11: disconnected by user
Jan 26 08:50:01 sshd[9794]: Disconnected from user XXXX XXX.XXX.XXX.XXX port XXXXX
Jan 26 08:50:01 sshd[9696]: pam_unix(sshd:session): session closed for user XXXX
Jan 26 08:50:01 systemd-logind[458]: Session 107 logged out. Waiting for processes to exit.
Jan 26 08:50:01 systemd-logind[458]: Removed session 107.
Do you have an idea what causes this behavior and how to fix it?
Solved - see posts above. Thanks

Send a file from phone to laptop using Bluetooth with bluez - doesn't work

I want to send a file from my phone to my laptop. Both of them have Bluetooth.
On the laptop I have Arch Linux. I have installed bluez-5.35-1 for Bluetooth management.
After installing, I typed:
systemctl enable bluetooth.service
systemctl start bluetooth.service
Then, using bluetoothctl, I started Bluetooth by typing power on.
Now, I can discover and pair the laptop from my phone.
I started the FTP server using:
systemctl --user start obex
On the phone, I tried to send a file, but after a very short period I receive the message "file not sent".
In journalctl -f I can see the following logs:
Oct 04 18:01:16 laptop obexd[8058]: CONNECT(0x0), (null)(0xffffffff)
Oct 04 18:01:16 laptop obexd[8058]: CONNECT(0x0), (null)(0x0)
Oct 04 18:01:16 laptop obexd[8058]: PUT(0x2), (null)(0xffffffff)
Oct 04 18:01:16 laptop obexd[8058]: PUT(0x2), FORBIDDEN(0x43)
Oct 04 18:01:16 laptop obexd[8058]: DISCONNECT(0x1), (null)(0xffffffff)
Oct 04 18:01:16 laptop obexd[8058]: DISCONNECT(0x1), SUCCESS(0x20)
Oct 04 18:01:16 laptop obexd[8058]: disconnected: Transport got disconnected
I'm assuming that it's a permission issue since I can see FORBIDDEN there. Where is the configuration file of obexd, to see where it tries to save the file? I don't understand why bluez is so poorly documented.
Has anyone had the same problems with Bluetooth?
Starting obexd with the -a or --auto-accept option ("Automatically accept push requests") allows for pushing a file from the phone to the laptop.
This option skips the authorization request to the agent.

How to detect Openwrt kern.info and daemon.info events?

My background is mostly Windows programming in C and C++. Recently I've had the chance to work with some embedded Linux systems also, but I'm still new at this.
Right now I'm working on a utility for Openwrt that needs to react to network and system events that occur during normal operation.
I've been able to use Hotplug for some events, but others still elude me. I can parse the output of the system log using logread, but that seems primitive and hackish.
In particular I'd like to get a callback similar to what hotplug does for some of the 'kern.info kernel' and 'daemon.info' events. For example:
Mar 31 19:42:32 OpenWrt kern.info kernel: [ 369.540000] device wlan0 left promiscuous mode
Mar 31 19:42:32 OpenWrt kern.info kernel: [ 369.540000] br-lan: port 2(wlan0) entered disabled state
Mar 31 19:42:32 OpenWrt kern.info kernel: [ 369.730000] device wlan1 left promiscuous mode
Mar 31 19:42:32 OpenWrt kern.info kernel: [ 369.730000] br-lan: port 3(wlan1) entered disabled state
Mar 31 19:42:34 OpenWrt kern.info kernel: [ 371.360000] device wlan0 entered promiscuous mode
Mar 31 19:45:56 OpenWrt daemon.info hostapd: wlan0: STA 04:f7:e4:00:00:00 IEEE 802.11: authenticated
Mar 31 19:45:56 OpenWrt daemon.info hostapd: wlan0: STA 04:f7:e4:00:00:00 IEEE 802.11: associated (aid 1)
Mar 31 19:45:56 OpenWrt daemon.info hostapd: wlan0: STA 04:f7:e4:00:00:00 WPA: pairwise key handshake completed (WPA)
Mar 31 19:45:56 OpenWrt daemon.info hostapd: wlan0: STA 04:f7:e4:00:00:00 WPA: group key handshake completed (WPA)
Mar 31 19:45:56 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPREQUEST(br-lan) 10.1.1.51 04:f7:e4:00:00:00
Mar 31 19:45:56 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPNAK(br-lan) 10.1.1.51 04:f7:e4:00:00:00 wrong network
Mar 31 19:46:00 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPDISCOVER(br-lan) 04:f7:e4:00:00:00
Mar 31 19:46:00 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPOFFER(br-lan) 192.168.1.198 04:f7:e4:1c:09:00
Mar 31 19:46:00 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPDISCOVER(br-lan) 04:f7:e4:1c:09:00
Mar 31 19:46:00 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPOFFER(br-lan) 192.168.1.198 04:f7:e4:1c:09:00
Mar 31 19:46:01 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPREQUEST(br-lan) 192.168.1.198 04:f7:e4:1c:09:00
Mar 31 19:46:01 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPACK(br-lan) 192.168.1.198 04:f7:e4:1c:09:00 My-iPhone
Log entries like the DHCPOFFER (as seen in your example) are generated individually by the corresponding process (for example, by udhcpc) using the Unix syslog mechanism (kind of like the Windows Event Logging API).
By default on OpenWRT logging is handled by the syslogd process provided by the busybox package. This is fairly primitive and simply sends messages to the circular buffer you see using logread and/or to a UDP socket.
You can upgrade logging on OpenWRT to use the syslog-ng package. This has a much more advanced configuration and you should be able to use this to send filtered log events to a script that you can write to do what you need with them.
opkg install syslog-ng
syslog-ng is a GPL product but the documentation is now buried beneath a commercial web site; one would hope you can get it from the source code, via http://freecode.com/projects/syslog-ng. Note that OpenWRT seems to provide version 1.6.12, which I had trouble finding the documentation for when I implemented it on my OpenWRT devices, but eventually I found it via the Wayback Machine: https://web.archive.org/web/20070406054439/http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.html/x731.html (for example)
A configuration file fragment that would pull out those DHCP messages and send them to a standalone log file would look a bit like:
source src { unix-stream("/dev/log"); internal(); };
destination dhcp_messages { file("/var/log/dhcpmessages"); };
filter f_dhcp { match("dnsmasq-dhcp"); };
log {
    source(src);
    filter(f_dhcp);
    destination(dhcp_messages);
};
You will probably find the pipe() or program() destination drivers the most useful for your application. For example, using a program() driver you could send selected messages to a shell script that parses them and saves them into a sqlite database.
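An added example, not from the answer above, of the parsing script a program() destination could feed: it turns the dnsmasq-dhcp lines from the question into fixed-field records that a later stage can store or act on. The log sample is constructed from those lines.

```shell
#!/bin/sh
# Constructed sample of the dnsmasq-dhcp and hostapd lines shown in the question.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar 31 19:45:56 OpenWrt daemon.info hostapd: wlan0: STA 04:f7:e4:00:00:00 IEEE 802.11: authenticated
Mar 31 19:45:56 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPREQUEST(br-lan) 10.1.1.51 04:f7:e4:00:00:00
Mar 31 19:45:56 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPNAK(br-lan) 10.1.1.51 04:f7:e4:00:00:00 wrong network
Mar 31 19:46:00 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPDISCOVER(br-lan) 04:f7:e4:1c:09:00
Mar 31 19:46:01 OpenWrt daemon.info dnsmasq-dhcp[5005]: DHCPACK(br-lan) 192.168.1.198 04:f7:e4:1c:09:00 My-iPhone
EOF

# dhcp_events: read syslog lines on stdin, as a syslog-ng program() destination
# behind the f_dhcp filter would deliver them, and emit one record per DHCP
# message: TYPE IFACE IP MAC HOSTNAME (space-separated, "-" where a field is
# absent). DHCPDISCOVER carries no IP; DHCPNAK's trailing "wrong network" is a
# reason, not a hostname. Lines from other daemons (hostapd here) are ignored,
# so the script stays correct even if the filter is widened later.
dhcp_events() {
    awk '
        $6 !~ /^dnsmasq-dhcp/ { next }
        {
            split($7, m, /[()]/)   # "DHCPACK(br-lan)" -> m[1]="DHCPACK", m[2]="br-lan"
            type = m[1]; iface = m[2]; ip = "-"; mac = "-"; host = "-"
            if (type == "DHCPDISCOVER") { mac = $8 }
            else { ip = $8; mac = $9; if (type != "DHCPNAK" && $10 != "") host = $10 }
            print type, iface, ip, mac, host
        }'
}

# Lease bookkeeping is then one more pipeline stage, e.g. keep only completed leases:
dhcp_events < "$SAMPLE" | awk '$1 == "DHCPACK"'
```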
