Oh my god!
I was looking in the logs of my VPS that I have rented and publicly available on Internet. Trying to solve some problems I have when opening SSH connections I can see that my Linux hosts where my webs are hosted, as this one, is being victim of brute force attack.
Apparently someone with an automatic tool is trying different combinations of users and passwords to gain access by SSH to my server.
/var/log/auth.log, being updated continually as the attacker is trying to guess the user and password
- Run OpenSSH on a non-standard port
- Create a user with a strange name to connect to this server and configure OpenSSH to only allow this user to connect
- Don't allow passwords to be used. We will use SSH keys to login in our server.
Create a user with a strange name in our VPS
root, once logged in the VPS:
$ useradd -m superbizarreuser -s /bin/bash -G sudo,www-data,wheel
Create SSH keys to login in my work computer
First, in my computer, used for my projects and from where I keep updated the VPS I will create a pair of public/private ssh keys. And copy the public key on my VPS (from now
ciges@hppro3300:~$ ssh-keygen -t rsa ciges@hppro3300:~$ ssh-copy-id email@example.com
(I use a computer called hppro3000 with the ciges user)
If everything was OK then I can login in the VPS using the keys
ciges@hppro3300:~$ ssh firstname.lastname@example.org
Secure OpenSSH daemon
In this example I am going to configure OpenSSH to:
- Use the port 12345
- Limit the connection to the user
superbizarreuserand only with SSH keys, no password is allowed.
To do this I have added the following lines to
Port 12345 # Only allow a special user AllowUsers superbizarreuser # Only allow authentication with SSH keys PasswordAuthentication no UsePAM no ChallengeResponseAuthentication no
and restart the server
systemctl stop sshd systemctl start sshd
Configure ssh to connect to the VPS with the new user and port
Then, in my work computer, to make the connection quick and easy I will configure the SSH connection to the server tech.ciges.net to use always the new port and user.
Adding the following lines in the
.ssh/config file under my user home.
Host tech.ciges.net User superbizarreuser Port 12345
Then I can open a SSH connection simply with
ciges@hppro3300:~$ ssh tech.ciges.net
I have still to open the firewall used in my computer (UFW) to allow using the new port
ufw allow out 12345
And be really careful to not loose the private key (it's the only way to connect to the server now).
- Deploying a DevOps playground at home with Debian Linux and VirtualBox
- Installing a firewall on a Linux host, quick and dirty, with UFW
- Protecting my public Linux host from brute force SSH attacks