tomatomonster
Posts: 4
Joined: Sun Sep 15, 2019 12:29 pm

Raspbian/SSH security

Fri Jan 17, 2020 5:05 pm

Hi guys,
I'm new to Raspbian and Linux in general and I have a quick question about opening SSH.
I'm using a Pi 3B+ and Raspbian OS for a low-power home gateway system.
I enabled SSH and followed the "https://www.raspberrypi.org/documentati ... ecurity.md" doc to secure it, reasonably well I hope.
Since then, however, I see a slew of weirdos mostly from Asia, with nothing better to do than try to hack in.
The /var/log/auth.log shows constant hits, all failed so far - yay.
Is this something to learn to live with?
Is there any way to hide port 22, besides changing it to something else?
Thanks

tpyo kingg
Posts: 837
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspbian/SSH security

Fri Jan 17, 2020 5:17 pm

Scanners will just as happily (and easily) scan other ports for your SSH service, not just the default port of 22. Anyone can rent a cluster for a few hours and scan each machine in the IPv4 universe for services, mapping out all the ports not just the defaults. Maybe turning off IPv4 and going IPv6-only might help.

Obviously it is required to change your default password before turning on SSH. Then the best practice is to set up SSH key-based authentication and turn off password authentication, at least for connections from outside the LAN. Many scanners are advanced enough to detect an SSH-keys-only service and give up immediately. If you are dealing with a very large number of machines to configure then SSH certificates might be an easier option than SSH keys for authentication.
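The key-only setup described above, as an added example (not code from this thread or from the Raspberry Pi project): a small Python audit-and-rewrite of sshd_config text that reports which global settings are still weaker than "keys only, no passwords, no root" and rewrites them. The directive names are real OpenSSH keywords; SAMPLE_CONFIG and its "Match User backup" block are constructed, not a real file.

```python
"""Audit and harden sshd_config for key-only logins (added example)."""
import re

# Values a key-only setup should have. ChallengeResponseAuthentication is
# the keyword OpenSSH 7.x (Raspbian Buster) uses; newer releases also
# accept KbdInteractiveAuthentication for the same setting.
WANTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
}

# What sshd assumes when the keyword is absent, so the audit reports the
# effective setting rather than only what is written down.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
}

_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")


def _active_directive(line):
    """Return (keyword, value) for an uncommented directive line, else None."""
    if line.lstrip().startswith("#"):
        return None
    m = _DIRECTIVE.match(line)
    return (m.group(1), m.group(2)) if m else None


def effective_globals(text):
    """Map lower-cased keyword -> value as sshd resolves the global section.

    sshd keeps the first occurrence of a keyword, and everything after the
    first Match block is conditional, so parsing stops there.
    """
    eff = {}
    for line in text.splitlines():
        d = _active_directive(line)
        if d is None:
            continue
        key, val = d
        if key.lower() == "match":
            break
        eff.setdefault(key.lower(), val)
    return eff


def audit(text):
    """Return [(keyword, effective_value)] for settings weaker than WANTED."""
    eff = effective_globals(text)
    return [(key, eff.get(key.lower(), DEFAULTS[key]))
            for key, want in WANTED.items()
            if eff.get(key.lower(), DEFAULTS[key]).lower() != want]


def harden(text):
    """Rewrite the config so every WANTED keyword has its wanted value.

    Global directives are rewritten in place (every copy, so no earlier weak
    value can win); missing ones are inserted before the first Match block,
    or appended, so they stay global.
    """
    by_lc = {k.lower(): (k, v) for k, v in WANTED.items()}
    done = set()
    out = []
    in_match = False
    for line in text.splitlines():
        d = _active_directive(line)
        if d is not None and not in_match:
            key_lc = d[0].lower()
            if key_lc == "match":
                out.extend(f"{k} {v}" for k, v in WANTED.items() if k.lower() not in done)
                done.update(by_lc)
                in_match = True
            elif key_lc in by_lc:
                k, v = by_lc[key_lc]
                out.append(f"{k} {v}")
                done.add(key_lc)
                continue
        out.append(line)
    out.extend(f"{k} {v}" for k, v in WANTED.items() if k.lower() not in done)
    return "\n".join(out) + "\n"


SAMPLE_CONFIG = """\
# constructed sample, not a real sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, have in audit(SAMPLE_CONFIG):
        print(f"weak: {key} is effectively '{have}', want '{WANTED[key]}'")
    print(harden(SAMPLE_CONFIG))
```

After writing the hardened file, run `sudo sshd -t` to syntax-check it, confirm a key login from a second terminal while the current session is still open, and only then restart the service (`sudo systemctl restart ssh` on Raspbian).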

bls
Posts: 778
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: Raspbian/SSH security

Fri Jan 17, 2020 6:33 pm

You could also install fail2ban, which can be configured to block probes after a single attempt. Install fail2ban (sudo apt install fail2ban). Then edit /etc/fail2ban/jail.local (or create it if it doesn't exist) and add:

# fail2ban reads ';' (after a space) as an inline comment; a '#' inside a
# value is read as part of the value, so the notes below use ';'.
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.92.0/24 ; change 192.168.92 to your LAN subnet
bantime  = 3h ; -1 = forever. Can use a number for seconds, 1d for one day, and 1w for one week (1 can be any digit, of course)
findtime = 600
#backend  = systemd
#syslog_backend = systemd

[sshd]
backend = systemd
bantime = 52w
findtime = 7200
maxretry = 1
enabled = true

Your configuration may need some tuning. This will block someone retrying multiple username/passwords, but won't stop the probes. It will also give you some satisfaction to see that huge listing of blocked turkeys with sudo iptables -L -v -n. :lol:

As @tpyo suggested, using SSH keys for authentication will also slow them down.

Curious that you are getting hit so hard. I have my external SSH port set up in the high range (router port forwards to 22 on the Pi), and I very rarely see any hits at all.
Pi tools:
Free your network from your router's DHCP/DNS and run it on a Pi: https://github.com/gitbls/ndm
Quickly and easily build customized-just-for-you SD Cards: https://github.com/gitbls/sdm
Easy strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
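What a jail like the one above actually does to the lines in /var/log/auth.log, as an added example (not the thread's or fail2ban's own code): a Python replay of the findtime/maxretry/ignoreip rule over sshd "Failed password" lines, plus the per-day count of distinct source addresses that the posters quote. The log lines, the addresses and the year 2020 are constructed assumptions.

```python
"""Replay fail2ban's ban rule over auth.log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Raspbian auth.log lines carry no year, so the caller supplies one.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failed(line, year):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]


def decide_bans(lines, year, findtime, maxretry, ignoreip):
    """Return {ip: time_of_ban} using fail2ban's sliding window.

    An IP is banned the moment it has maxretry failures inside the last
    findtime seconds; addresses inside ignoreip are never banned.
    """
    trusted = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        ev = parse_failed(line, year)
        if ev is None:
            continue
        ts, ip = ev
        if ip in banned or any(ip_address(ip) in n for n in trusted):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def sources_per_day(lines, year):
    """Map calendar day -> set of IPs that failed a login that day (LAN included)."""
    per_day = defaultdict(set)
    for line in lines:
        ev = parse_failed(line, year)
        if ev is not None:
            per_day[ev[0].date()].add(ev[1])
    return dict(per_day)


# Constructed log excerpt: documentation addresses, not real scanners.
SAMPLE_LOG = """\
Jan 17 16:58:01 raspberrypi sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 17 16:58:04 raspberrypi sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 17 16:58:09 raspberrypi sshd[2305]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 17 17:03:15 raspberrypi sshd[2310]: Failed password for root from 198.51.100.77 port 40022 ssh2
Jan 17 17:40:00 raspberrypi sshd[2355]: Failed password for pi from 192.168.92.20 port 50111 ssh2
Jan 17 17:40:03 raspberrypi sshd[2355]: Accepted publickey for pi from 192.168.92.20 port 50111 ssh2
Jan 18 04:20:12 raspberrypi sshd[2601]: Failed password for invalid user test from 198.51.100.77 port 40100 ssh2
Jan 18 04:20:14 raspberrypi sshd[2601]: Failed password for invalid user test from 198.51.100.77 port 40100 ssh2
Jan 18 04:20:16 raspberrypi sshd[2601]: Failed password for invalid user test from 198.51.100.77 port 40100 ssh2
"""
IGNORE = ["127.0.0.1/8", "192.168.92.0/24"]   # same shape as the jail's ignoreip

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in decide_bans(lines, 2020, 600, 3, IGNORE).items():
        print(f"ban {ip} at {when}")
    for day, ips in sorted(sources_per_day(lines, 2020).items()):
        print(f"{day}: {len(ips)} distinct sources")
```

With maxretry = 1 as in the jail above, the first failed password from any non-LAN address bans it; with a higher maxretry the window matters, and a slow scanner that spaces its probes further apart than findtime is never counted, which is why the [sshd] section uses a long findtime.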

rpdom
Posts: 17550
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspbian/SSH security

Fri Jan 17, 2020 6:55 pm

bls wrote:
Fri Jan 17, 2020 6:33 pm
Curious that you are getting hit so hard.
Indeed. I use denyhosts instead of fail2ban, but I have had ports 22 and 80 forwarded on my router for 15 years now to various machines (a Pi 2B for the last 6 years or so) and although quite a few have tried, none have ever got in. I usually get around 5-10 new IP addresses a day trying to get in via ssh, and lots on http. Denyhosts doesn't cover http, but my web site has strict rules about what is accessible from where and gives either a 403 or 404 to anything else.

I am however considering moving the public part of the web server to a VPS and closing off the ssh access as I can get in from almost anywhere via my VPN which doesn't require any port forwarding on the router.
Unreadable squiggle

bls
Posts: 778
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: Raspbian/SSH security

Fri Jan 17, 2020 7:43 pm

rpdom wrote:
Fri Jan 17, 2020 6:55 pm
bls wrote:
Fri Jan 17, 2020 6:33 pm
Curious that you are getting hit so hard.
Indeed. I use denyhosts instead of fail2ban
Thanks for mentioning denyhosts. Not saying that fail2ban isn't good, but I'm going to have a look at it, since I'm always on the hunt for solutions that improve my solutions :lol:

tomatomonster
Posts: 4
Joined: Sun Sep 15, 2019 12:29 pm

Re: Raspbian/SSH security

Fri Jan 17, 2020 9:16 pm

Thanks for your replies, I'll try to implement some of them. I figured I'll just go with a complex password for now, but key-based authentication might be worth the effort.
I'm currently using ufw but I'll give the other suggestions a shot as well.
Getting hit hard is relative. I am getting 10-30 different IPs in a day. It's a lot to me :)

Ernst
Posts: 1337
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: Raspbian/SSH security

Fri Jan 17, 2020 10:12 pm

tomatomonster wrote:
Fri Jan 17, 2020 9:16 pm
Getting hit hard is relative. I am getting 10-30 different IPs in a day. It's a lot to me :)
You are very lucky to have such a low number of break-in attempts.

At the moment I have had an average of 51.58333 attempts each day over the last 252 days.
The worst was this morning between 04:18:30 and 04:22:30 (CET) with 60 attempts over the Tor network.
As from December 24, 2019 there were 3672 break-in attempts.
The road to insanity is paved with static ip addresses

DougieLawson
Posts: 39799
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Raspbian/SSH security

Fri Jan 17, 2020 10:56 pm

My network went offline while I was in Australia. Since it's been back online (from 5th Jan) I've blocked more than 860 unique IP addresses (with fail2ban).
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Paul Webster
Posts: 826
Joined: Sat Jul 30, 2011 4:49 am
Location: London, UK
Contact: Twitter

Re: Raspbian/SSH security

Sat Jan 18, 2020 7:55 am

You could also hide it a bit more by using "port knocking" but to do it you also need client side software that supports it.
Remember though, it is only adding a bit more obscurity.

https://wiki.archlinux.org/index.php/Port_knocking

bls
Posts: 778
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: Raspbian/SSH security

Sat Jan 18, 2020 3:02 pm

Paul Webster wrote:
Sat Jan 18, 2020 7:55 am
You could also hide it a bit more by using "port knocking" but to do it you also need client side software that supports it.
Remember though, it is only adding a bit more obscurity.

https://wiki.archlinux.org/index.php/Port_knocking
I had port knocking set up for a while. It works well, but I went back to using fail2ban. I found port knocking to be just a bit too annoying to use on a regular basis. That said, I liked it enough for a while to build a little script to simplify the iptables management for port knocking: https://github.com/gitbls/pktables
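The knocking mechanism the last two posts describe, as an added example (not from the thread, knockd or pktables): a Python model of the server-side state machine, a sequence of closed ports that must be hit in order within a timeout before the real service port is opened to that source for a short window. On a real system this is what pktables-style iptables rules implement; here the sequence, the timeout, the open window and the client addresses are constructed.

```python
"""Port-knocking gate as a state machine (added example)."""

SEQUENCE = (7000, 9000, 8000)   # constructed knock sequence, deliberately not ascending
TIMEOUT = 10                    # seconds allowed between consecutive knocks
OPEN_WINDOW = 30                # seconds the service stays reachable after a good knock


class KnockGate:
    def __init__(self, sequence=SEQUENCE, timeout=TIMEOUT, open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.open_window = open_window
        self.progress = {}   # src -> (index of next expected knock, time of last knock)
        self.opened = {}     # src -> time the full sequence completed

    def knock(self, src, port, now):
        """Record a packet from src to a closed port; True when the sequence completes."""
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0                      # too slow: the partial sequence expires
        if port == self.sequence[idx]:
            idx += 1
        else:
            # Any wrong port resets the attempt; a wrong port that happens to
            # be the first knock starts a fresh attempt instead.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened[src] = now
            return True
        self.progress[src] = (idx, now)
        return False

    def allowed(self, src, now):
        """Would a connection to the real service port from src be accepted now?"""
        opened_at = self.opened.get(src)
        return opened_at is not None and 0 <= now - opened_at <= self.open_window


if __name__ == "__main__":
    gate = KnockGate()
    client = "198.51.100.7"   # constructed client address
    for t, port in [(0, 7000), (2, 9000), (4, 8000)]:
        print(f"t={t}s knock {port}: opened={gate.knock(client, port, t)}")
    print("ssh allowed at t=5s:", gate.allowed(client, 5))
    print("ssh allowed at t=60s:", gate.allowed(client, 60))
```

Anyone who can observe the knocks sees the sequence, which is why the posts above call this obscurity rather than authentication: keep the key-only sshd and fail2ban behind it, and treat the knock only as a filter that keeps scanner noise out of auth.log.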
