The SSH connections are coming from seemingly random IP addresses, rarely from the same one twice.
Is anyone else seeing such connection patterns?
The SSH connections are coming from seemingly random IP addresses, rarely from the same one twice.
Is anyone else seeing such connection patterns?
13 comments
What I did was take the IANA IPv4 address space list[1] and add firewall rules to drop packets to port 22 coming from /8's that I would never connect from. I'm in the US, so it made sense for me to drop connections from subnets assigned to RIPE, APNIC, etc. It didn't eliminate the problem, but it reduced the connection attempts considerably.
1. https://www.iana.org/assignments/ipv4-address-space/ipv4-add...
[1] - https://pypi.org/project/pyknock/
As a follow up, what is increased benefit (if any) if port 22 is only accessible by a certain IP address (e.g. my home address)?
So far I haven’t had any issues, fail2ban works, and it seems safe.
I do have my home IP added to the whitelist and others set to drop.
I was told in a networking class this is the second best way to protect ssh other than not running ssh.
Any thoughts on this setup as well? Maybe oversights that I’m not seeing?
Filtering ssh connections at firewall level helps, and certainly reduces log entries for port scans and can halt less sophisticated attackers, but it doesn't mitigate attack vectors like a DDoS or a well funded actor.
https://dev.to/lbonanomi/hello-worm-mapping-ssh-probes-with-...
[1]: https://www.digitalocean.com/community/tutorials/how-to-set-...
IMPORTANT: If you do setup totp, make sure your server is actually syncing its clock with NTP, because if there is a significant time-drift you might be locked out from accessing SSH remotely.
You'd still be advised to disable password-based auth and/or configure fail2ban, though.
[1] https://github.com/robertdavidgraham/masscan
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts....
https://adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-ano...
Privileged ports is a measure to guarantee that daemon listening there was started with root privileges. Which is a useful guarantee on a shared server, less so on a single-purpose or personal server.
Plus, if you have an sshd started at boot, and already listening on a pre-defined high port, there is very little chance another program could bind to the same port, save crashing and racing the daemon.
Finally, in ssh protocol, server authenticates itself to the client, so even if by some trickery a bogus ssh server would bind to the same port, it will either need to access /etc/ssh/ssh_host_*_key, which are enforced to be root-readable only, or risk being trivially detected by a client comparing presented public key to that saved from last login in the ~/.ssh/known_hosts.
There are also some DPI firewalls, or just port-based firewall that can block ssh traffic on a non-standard port, but assuming we are talking about your own server, that should be easy to rectify too.
There's no harm in having connection attempts on your ssh port. Changing your port will not make you more secure against a dedicated attacker, and you just make things harder for yourself (and marginally less secure, for the reasons you mentioned) with no real benefit.
And like I mentioned in the other comment, just use SSH keys and disable password auth. It's not hard, and it's all it takes to thwart every bot that hits you on port 22. If you want to be more hardcore you can run fail2ban or firewall the port down to your country or whatever.
It's the equivalent of "I connect to my host via IP address instead of having DNS records because it'll be harder for them to find!".
You still paint camoflage on a tank.
I'm pretty sure you can't without recompiling the kernel, it's defined in the source in include/net/sock.h here: https://github.com/torvalds/linux/blob/master/include/net/so...
It stems from automated port scans sweeping IP ranges looking for vulnerable/exploitable systems.
A simple way to address it is to use something like fail2ban to ban repeat offenders. Blacklist services like abuseipdb.com may help further, but ban with caution.
Any server exposed on the internet will be probed constantly by botnets.
Sadly, that comes with having a public accessible server: people wanting to hack their way in.
Following best practices, I set my sshd_config to specify another listening port - not 22.
My log is now clear of failed attempts.