Oh my god!
I was looking in the logs of the VPS that I rent and that is publicly available on the Internet. While trying to solve some problems I have when opening SSH connections, I could see that my Linux host where my websites are hosted, such as this one, is the victim of a brute force attack.
Apparently someone with an automatic tool is trying different combinations of users and passwords to gain access by SSH to my server.
/var/log/auth.log, being updated continually as the attacker is trying to guess the user and password
To solve it, I am going to implement some of the recommendations of this post from RimuHosting.
In particular:
- Run OpenSSH on a non-standard port
- Create a user with a strange name to connect to this server and configure OpenSSH to only allow this user to connect
- Don't allow passwords to be used. We will use SSH keys to log in to our server.
Create a user with a strange name in our VPS
As root, once logged in to the VPS:
$ useradd -m superbizarreuser -s /bin/bash -G sudo,www-data,wheel
Create SSH keys on my work computer to log in
First, on my computer, which I use for my projects and from which I keep the VPS updated, I will create a pair of public/private SSH keys and copy the public key to my VPS (from now on, tech.ciges.net).
ciges@hppro3300:~$ ssh-keygen -t rsa
ciges@hppro3300:~$ ssh-copy-id superbizarreuser@tech.ciges.net
(I use a computer called hppro3300 with the ciges user)
If everything went OK, I can then log in to the VPS using the keys:
ciges@hppro3300:~$ ssh superbizarreuser@tech.ciges.net
Secure OpenSSH daemon
In this example I am going to configure OpenSSH to:
- Use port 12345
- Limit connections to the user superbizarreuser, and only with SSH keys; no password is allowed.
To do this I have added the following lines to /etc/ssh/sshd_config:
Port 12345
# Only allow a special user
AllowUsers superbizarreuser
# Only allow authentication with SSH keys
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
and restart the server
systemctl stop sshd
systemctl start sshd
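sshd uses the first value it reads for most keywords, so lines added at the end of /etc/ssh/sshd_config can be shadowed by settings that appear earlier in the file. The script below is an added example, not part of the original post: the function names and the sample file are constructed here, and it reads only the global section of one file.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value read for a
# single-valued keyword; Port/AllowUsers accumulate. Include files are ignored here.

# values FILE KEYWORD_REGEX -> arguments of matching keywords, in file order
values() {
    awk -v want="^($2)\$" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match"   { exit }   # global section ends here
        tolower($1) ~ want       { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# audit FILE USER PORT -> one FAIL line per problem; returns 1 if any
audit() {
    rc=0
    # ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication.
    for kw in passwordauthentication usepam \
              'challengeresponseauthentication|kbdinteractiveauthentication'; do
        first=$(values "$1" "$kw" | head -n 1)
        [ "$first" = no ] || { echo "FAIL $kw: first value is '${first:-unset}'"; rc=1; }
    done
    ports=$(values "$1" port | sort -u | tr '\n' ' ')
    [ "${ports:-22 }" = "$3 " ] || { echo "FAIL port: sshd would listen on ${ports:-22}"; rc=1; }
    users=$(values "$1" allowusers | sort -u | tr '\n' ' ')
    [ "$users" = "$2 " ] || { echo "FAIL allowusers: ${users:-unset}"; rc=1; }
    return $rc
}

# Constructed sample: stock-style settings with the post's lines appended after them.
sample_config() {
    cat <<'EOF'
#Port 22
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
Port 12345
AllowUsers superbizarreuser
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit "$tmp" superbizarreuser 12345 || true   # reports the two shadowed keywords
rm -f "$tmp"
```

On the server itself, `sshd -t` checks the file for errors and `sshd -T` prints the configuration sshd actually resolved. Keeping the current session open until a new login on the new port succeeds avoids a lockout.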
Configure ssh to connect to the VPS with the new user and port
Then, on my work computer, to make connecting quick and easy, I will configure the SSH connection to the server tech.ciges.net to always use the new port and user, adding the following lines to the .ssh/config file under my user's home directory:
Host tech.ciges.net
User superbizarreuser
Port 12345
Then I can open an SSH connection simply with:
ciges@hppro3300:~$ ssh tech.ciges.net
I still have to open the firewall used on my computer (UFW) to allow use of the new port:
ufw allow out 12345
And be really careful not to lose the private key (it's the only way to connect to the server now).
Done!