Raspbian/SSH security

Posted: Fri Jan 17, 2020 5:05 pm
by tomatomonster
Hi guys,
I'm new to Raspbian and Linux in general and I have a quick question about opening SSH.
I'm using a Pi 3B+ and Raspbian OS for a low power home gateway system.
I enabled SSH and followed the "https://www.raspberrypi.org/documentati ... ecurity.md" doc to secure it, reasonably well I hope.
Since then, however, I see a slew of weirdos mostly from Asia, with nothing better to do than try to hack in.
The /var/log/auth.log shows constant hits, all failed so far - yay.
Is this something to learn to live with?
Is there any way to hide port 22, besides changing it to something else?
Thanks

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 5:17 pm
by tpyo kingg
Scanners will just as happily (and easily) scan other ports for your SSH service, not just the default port of 22. Anyone can rent a cluster for a few hours and scan each machine in the IPv4 universe for services, mapping out all the ports not just the defaults. Maybe turning off IPv4 and going IPv6-only might help.

Obviously it is required to change your default password before turning on SSH. Then the best practice is to set up SSH key-based authentication and turn off password authentication, at least for connection from outside the LAN. Many scanners are advanced enough to detect an SSH-keys-only service and give up immediately. If you are dealing with a very large number of machines to configure then SSH certificates might be an easier option than SSH keys for authentication.
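
The key-only setup described in this reply can be checked against /etc/ssh/sshd_config. The script below is an added example, not code from the thread or from OpenSSH: the two configuration texts are constructed, the keyword names are standard sshd_config options, and the defaults table holds what sshd assumes when a keyword is absent. A Match block is how you would keep password logins for LAN clients only; the parser stops at the first Match and audits the global defaults, which is what an Internet-facing connection gets.

```python
"""Audit an sshd_config for password-based logins.

Added example, not code from the thread. The two configuration texts
below are constructed; the keyword names are standard OpenSSH sshd_config
options and OPENSSH_DEFAULTS holds the value sshd assumes when a keyword
is absent from the file.
"""
import re
import sys

# Keyword -> values acceptable for a key-only service.
ACCEPTABLE = {
    "passwordauthentication": ("no",),
    "kbdinteractiveauthentication": ("no",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
    "pubkeyauthentication": ("yes",),
    "permitemptypasswords": ("no",),
}

# What sshd assumes when the keyword is missing from the file.
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# ChallengeResponseAuthentication is the older spelling of the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed: passwords and root login left enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed: the key-only service recommended above.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# "Keyword value" or "Keyword = value"; sshd accepts both.
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, keywords lower-cased.

    sshd honours the FIRST occurrence of a keyword and ignores later
    duplicates, which setdefault() models. Everything from the first
    Match block onward is conditional and is left out of this audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective_value)] for every setting that still
    allows something a key-only service should refuse."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok_values in ACCEPTABLE.items():
        effective = cfg.get(key, OPENSSH_DEFAULTS[key]).lower()
        if effective not in ok_values:
            findings.append((key, effective))
    return findings


if __name__ == "__main__":
    # Usage: python3 sshd_audit.py [/etc/ssh/sshd_config]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        problems = audit(fh.read())
    for key, value in problems:
        print(f"{key} = {value}  (acceptable: {', '.join(ACCEPTABLE[key])})")
    print("no findings" if not problems else f"{len(problems)} finding(s)")
```

On the Pi itself, sudo sshd -T prints the effective value of every option after defaults and Match evaluation, and is the authoritative check; this script only reads the file, which is enough to spot a PasswordAuthentication or PermitRootLogin left at its permissive value.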

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 6:33 pm
by bls
You could also install fail2ban, which can be configured to block probes after a single attempt. Install fail2ban (sudo apt install fail2ban). Then edit /etc/fail2ban/jail.local (or create it if it doesn't exist) and add:

[DEFAULT]
# fail2ban only treats " ;" as an inline comment marker, so the notes are kept on their own lines.
# change 192.168.92.0/24 to your LAN subnet
ignoreip = 127.0.0.1/8 192.168.92.0/24
# -1 = forever. Can use a number for seconds, 1d for one day, and 1w for one week (1 can be any digit, of course)
bantime  = 3h
findtime = 600
#backend  = systemd
#syslog_backend = systemd

[sshd]
backend = systemd
bantime = 52w
findtime = 7200
maxretry = 1
enabled = true
Your configuration may need some tuning. This will block someone retrying multiple username/passwords, but won't stop the probes. It will also give you some satisfaction to see that huge listing of blocked turkeys with sudo iptables -L -v -n. :lol:

As @tpyo suggested, using SSH keys for authentication will also slow them down.

Curious that you are getting hit so hard. I have my external SSH port set up in the high range (router port forwards to 22 on the Pi), and I very rarely see any hits at all.

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 6:55 pm
by rpdom
bls wrote:
Fri Jan 17, 2020 6:33 pm
Curious that you are getting hit so hard.
Indeed. I use denyhosts instead of fail2ban, but I have had ports 22 and 80 forwarded on my router for 15 years now to various machines (a Pi 2B for the last 6 years or so) and although quite a few have tried, none have ever got in. I usually get around 5-10 new IP addresses a day trying to get in via ssh, and lots on http. Denyhosts doesn't cover http, but my web site has strict rules about what is accessible from where and gives either a 403 or 404 to anything else.

I am however considering moving the public part of the web server to a VPS and closing off the ssh access as I can get in from almost anywhere via my VPN which doesn't require any port forwarding on the router.

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 7:43 pm
by bls
rpdom wrote:
Fri Jan 17, 2020 6:55 pm
bls wrote:
Fri Jan 17, 2020 6:33 pm
Curious that you are getting hit so hard.
Indeed. I use denyhosts instead of fail2ban
Thanks for mentioning denyhosts. Not saying that fail2ban isn't good, but I'm going to have a look at it, since I'm always on the hunt for solutions that improve my solutions :lol:

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 9:16 pm
by tomatomonster
Thanks for your replies, I'll try to implement some of them. I figured I'll just go with a complex password for now, but key-based authentication might be worth the effort.
I'm currently using ufw but I'll give the other suggestions a shot as well.
Getting hit hard is relative. I am getting 10-30 different IPs in a day. It's a lot to me :)

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 10:12 pm
by Ernst
tomatomonster wrote:
Fri Jan 17, 2020 9:16 pm
Getting hit hard is relative. I am getting 10-30 different IPs in a day. It's a lot to me :)
You are very lucky to have such a low number of break-in attempts.

At the moment I have had an average of 51.58333 attempts each day over the last 252 days.
The worst was this morning between 04:18:30 and 04:22:30 (CET) with 60 attempts over the Tor network.
As from December 24, 2019 there were 3672 break-in attempts.
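
The per-day counts being compared in this thread, and the maxretry/findtime/bantime rule from the fail2ban jail posted earlier, can both be reproduced offline from /var/log/auth.log. The script below is an added example, not code from the thread or from fail2ban: the log lines are constructed (RFC 5737 documentation addresses), the message format is the one sshd writes on Raspbian, and simulate_bans() replays the jail rule as described in the thread rather than fail2ban's own filter, which also matches "Invalid user" and other messages.

```python
"""Count failed SSH logins in an auth.log and replay a fail2ban-style ban rule.

Added example, not code from the thread or from fail2ban. The log lines are
constructed; the maxretry/findtime/bantime semantics follow the jail posted
above: ban once an IP fails maxretry times within findtime seconds, for
bantime seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log. syslog timestamps carry no year.
SAMPLE_AUTH_LOG = """\
Jan 17 04:18:30 gateway sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 17 04:18:41 gateway sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 17 04:18:55 gateway sshd[1238]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 17 04:19:02 gateway sshd[1240]: Invalid user pi from 198.51.100.23 port 40000
Jan 17 04:19:05 gateway sshd[1240]: Failed password for invalid user pi from 198.51.100.23 port 40000 ssh2
Jan 17 09:12:00 gateway sshd[1300]: Accepted publickey for pi from 192.168.92.10 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
Jan 18 02:00:00 gateway sshd[1400]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year):
    """Return [(timestamp, ip, user)] for every 'Failed password' line.

    Only password failures are counted here; fail2ban's sshd filter also
    matches 'Invalid user' and several other messages.
    """
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def daily_summary(failures):
    """Return {date: (attempts, distinct_source_ips)}."""
    per_day = defaultdict(list)
    for ts, ip, _user in failures:
        per_day[ts.date()].append(ip)
    return {day: (len(ips), len(set(ips))) for day, ips in sorted(per_day.items())}


def simulate_bans(failures, maxretry, findtime, bantime):
    """Replay the jail rule over the failures and return [(ban_time, ip)].

    A sliding window of the last `findtime` seconds is kept per IP; when it
    holds `maxretry` failures the IP is banned for `bantime` seconds.
    Failures logged while an IP is banned are skipped: with fail2ban running
    they would have been dropped in iptables before reaching sshd.
    """
    window = defaultdict(deque)
    banned_until = {}
    bans = []
    for ts, ip, _user in sorted(failures):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # q holds ts, so this terminates
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG.splitlines(), 2020)
    for day, (n, uniq) in daily_summary(fails).items():
        print(f"{day}: {n} failed logins from {uniq} distinct IPs")
    # The jail posted above: maxretry = 1, findtime = 7200, bantime = 52w
    for ts, ip in simulate_bans(fails, maxretry=1, findtime=7200, bantime=52 * 7 * 24 * 3600):
        print(f"ban {ip} at {ts:%Y-%m-%d %H:%M:%S}")
```

Point parse_failures() at the real file with the current year to get the same numbers fail2ban and denyhosts are acting on; running simulate_bans() with maxretry=3 instead of 1 over the same input shows how much longer a probing host stays unbanned under the more forgiving setting.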

Re: Raspbian/SSH security

Posted: Fri Jan 17, 2020 10:56 pm
by DougieLawson
My network went offline while I was in Australia. Since it's been back online (from 5th Jan) I've blocked more than 860 unique IP addresses (with fail2ban).

Re: Raspbian/SSH security

Posted: Sat Jan 18, 2020 7:55 am
by Paul Webster
You could also hide it a bit more by using "port knocking" but to do it you also need client side software that supports it.
Remember though, it is only adding a bit more obscurity.

https://wiki.archlinux.org/index.php/Port_knocking

Re: Raspbian/SSH security

Posted: Sat Jan 18, 2020 3:02 pm
by bls
Paul Webster wrote:
Sat Jan 18, 2020 7:55 am
You could also hide it a bit more by using "port knocking" but to do it you also need client side software that supports it.
Remember though, it is only adding a bit more obscurity.

https://wiki.archlinux.org/index.php/Port_knocking
I had port knocking set up for a while. It works well, but I went back to using fail2ban. I found port knocking to be just a bit too annoying to use on a regular basis. That said, I liked it enough for a while to build a little script to simplify the iptables management for port knocking: https://github.com/gitbls/pktables