SSH - excessive number of failed login attempts

Hi all,
A slightly different general question about an NS with fail2ban active…

Would this response be expected?

C:\WINDOWS\system32> ssh root@192.168.1.25
root@192.168.1.25’s password:
Last failed login: Sat Jan 11 20:00:47 GMT 2020 from 222.186.173.183 on ssh:notty
There were 23181 failed login attempts since the last successful login.
Last login: Mon Dec 23 22:50:18 2019 from 192.168.1.24

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

[root@kayak ~]#

23181 failed login attempts within about 3 weeks seems a lot to me!

The IP address 222.186.173.183 has been reported as abusive (brute-force attacks…)

Check fail2ban SSH jails are active.
Consider using a non-standard SSH port number (security through obscurity)
Connect through SSH with a non-root user
Use key based authentication
Disable password authentication
Disable root logins

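The list above is a checklist; the items that are sshd settings can be verified mechanically. The following script is an added example (not from the original post and not NethServer's own tooling): it writes two constructed sshd_config samples, one stock-like and one hardened, and checks them the way sshd itself reads the file, where the first uncommented occurrence of a keyword is the effective value and anything below a `Match` line applies only conditionally. The helper names `sshd_effective` and `check_hardened` are hypothetical; the OpenSSH defaults noted in the comments (PermitRootLogin prohibit-password on OpenSSH 7.0 and later, PasswordAuthentication yes, PubkeyAuthentication yes, Port 22) are assumed from upstream documentation rather than from this page.

```shell
#!/bin/sh
# Added example, not NethServer's code: check an sshd_config file for the
# hardening items in the checklist (root login, password auth, key auth, port).
# sshd uses the FIRST uncommented occurrence of a keyword; a "Match" block
# only applies conditionally, so the parser stops there.

# Constructed sample configs (not taken from a real host).
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# stock-style configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
# hardened configuration (constructed sample)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# PasswordAuthentication yes   <- commented out, must be ignored
Match User backup
    PasswordAuthentication yes
EOF

# sshd_effective FILE KEYWORD -> prints the effective global value, or
# "default" when the keyword is not set (assumed OpenSSH defaults:
# PermitRootLogin prohibit-password on 7.0+, PasswordAuthentication yes,
# PubkeyAuthentication yes, Port 22).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2  { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # conditional block: stop
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_hardened FILE -> returns 0 only if root login and password
# authentication are off and key authentication is still on.
# The port is reported but not required (obscurity, not security).
check_hardened() {
    cfg=$1; ok=0
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; ok=1; }
    [ "$(sshd_effective "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; ok=1; }
    case "$(sshd_effective "$cfg" PubkeyAuthentication)" in
        yes|default) ;;
        *) echo "PubkeyAuthentication is disabled"; ok=1 ;;
    esac
    [ "$(sshd_effective "$cfg" Port)" != "22" ] \
        || echo "note: still listening on port 22 (optional item)"
    return $ok
}

echo "== weak sample ==";     check_hardened "$WEAK_CFG" || echo "FAIL"
echo "== hardened sample =="; check_hardened "$HARD_CFG" && echo "OK"
```

On a live host, `sshd -T` prints the configuration after sshd has parsed it, so `sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|pubkeyauthentication) '` is the authoritative check, and it catches mistakes this file parser cannot (included files, `Key=Value` syntax). On NethServer the file is generated from templates, so these settings should be changed through the Server Manager or its configuration properties rather than by editing sshd_config directly, as the login banner warns. For the first checklist item, `fail2ban-client status` lists the active jails and `fail2ban-client status <jail>` shows the currently banned addresses for one of them.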

Check fail2ban SSH jails are active - done
Consider using a non-standard SSH port number (security through obscurity) - not done
Connect through SSH with a non-root user - was logging on from within a small LAN
Use key based authentication - done
Disable password authentication - done
Disable root logins - done

Obviously, this NS has been under quite severe attacks recently - yet it has been successful in defending itself!

Hi River_Mersey,

I would say the same thing. On the web GUI, under SSH…

Also, you can set the recidive to permanent in Fail2ban.

A few years ago, I had the same problem. SSH attempts every 5-10 seconds. I changed the port and after that, the attempts were gone.

Michel-André

Make port 22 only accessible from the green network.

If you have a reason to connect remotely, look into using OpenVPN (or another VPN solution) instead.

Cheers.

Ah ha!
Many thanks for everyone’s help!
As advised, ticked the recidive box.
Changed SSH from port 22 on both the NS and the LAN router's DNS table to a random unallocated port, 2222.
Seems to work, as I now can't log in as follows:


C:\WINDOWS\system32> ssh root@192.168.1.25
ssh: connect to host 192.168.1.25 port 22: Connection refused
C:\WINDOWS\system32>


How do I give myself legitimate permissions to log in on the LAN as root on SSH port 2222?

Ah ha again!
Starting to answer my own questions…


C:\WINDOWS\system32> ssh root@192.168.1.25 -p 2222
root@192.168.1.25’s password:
Last failed login: Sat Jan 11 22:13:40 GMT 2020 from 218.92.0.168 on ssh:notty
There were 217 failed login attempts since the last successful login.
Last login: Sat Jan 11 20:02:37 2020 from 192.168.1.24

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

[root@kayak ~]#


The ssh command in the Windows 10 command line now needs an additional switch, "-p 2222", specifying the port number (not including the quote marks).

Fail2ban control sliders were left as default, so I expect it will take a little time for these banned IPs to become permanently banned!

Just as a further update - since my last post, there have been a grand total of 0 failed login attempts!

Many thanks to the community in helping me configure and better protect my NS installation.

As a thought experiment, would it seem sensible to have a new NS installation deliberately set up as mine was, prone to attacks for perhaps 6 hours, collecting the fail2ban data, and then switch the SSH port to something more obscure?

Maybe this would be akin to a biological organism being exposed to real-world germs in order to build up its immune system?! What I mean is, my NS now has the data it needs to auto-ban the IPs that were attacking it. Had my NS been installed using an obscure SSH port number, it would not then have the data on which IPs to permanently ban.

Perhaps nethserver.org could provide access to a dynamic database of IPs that should be banned? My NS could volunteer quite a list of IPs to that database!

222.186.175.216
218.92.0.179
222.186.175.202
222.186.173.142
112.85.42.173
222.186.173.180
45.82.153.141
45.82.153.85
222.186.180.8
218.92.0.134
80.66.81.143
222.186.180.147
80.66.81.86
222.186.169.192
222.186.175.155
45.82.153.142
222.186.173.154
222.186.175.182
222.186.175.161
49.88.112.61
222.186.169.194
218.92.0.157
218.92.0.175
61.177.172.128
222.186.42.4
222.186.175.217
49.88.112.63
222.186.175.169
140.143.57.203
222.186.180.6
222.186.175.148
222.186.175.140
222.186.190.2
222.186.180.17
218.92.0.158
197.155.234.157
222.186.175.147
222.186.180.41
222.186.173.238
222.186.175.181
222.186.175.220
103.99.1.50
222.186.173.183
45.82.153.86
222.186.180.223
222.186.175.154
222.186.175.215
222.186.175.151
222.186.180.9
49.88.112.59
222.186.175.183
222.186.175.167
218.92.0.212
45.82.153.143
218.92.0.138
218.92.0.168
222.186.190.92
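The "data it needs" in the post above lives in two places on a CentOS-based NethServer: the sshd failures in /var/log/secure (the lines fail2ban's sshd filter counts toward maxretry) and the Ban lines fail2ban writes to /var/log/fail2ban.log. The script below is an added example, not part of the thread and not NethServer or fail2ban code: it reproduces the per-IP counting that fail2ban does, then builds the kind of deduplicated blocklist the post proposes sharing. The log lines, hostname `kayak` aside, are constructed samples, and `failed_per_ip`, `ban_candidates`, `banned_ips` and `blocklist` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread, NethServer or fail2ban): count sshd
# failures per source address and merge them with fail2ban's own Ban records
# into one deduplicated blocklist. All log content below is constructed.

SECURE_LOG=$(mktemp)     # stands in for /var/log/secure
cat >"$SECURE_LOG" <<'EOF'
Jan 11 20:00:47 kayak sshd[2231]: Failed password for root from 222.186.173.183 port 54321 ssh2
Jan 11 20:00:49 kayak sshd[2231]: Failed password for root from 222.186.173.183 port 54321 ssh2
Jan 11 20:00:51 kayak sshd[2231]: Failed password for root from 222.186.173.183 port 54321 ssh2
Jan 11 20:00:52 kayak sshd[2240]: Failed password for invalid user admin from 45.82.153.141 port 40022 ssh2
Jan 11 20:00:53 kayak sshd[2240]: Failed password for invalid user admin from 45.82.153.141 port 40022 ssh2
Jan 11 20:01:10 kayak sshd[2255]: Accepted publickey for river from 192.168.1.24 port 52000 ssh2: RSA SHA256:constructed
Jan 11 20:01:30 kayak sshd[2260]: Failed password for river from 192.168.1.24 port 52010 ssh2
Jan 11 20:02:00 kayak sshd[2270]: Failed password for root from 222.186.173.183 port 54330 ssh2
EOF

F2B_LOG=$(mktemp)        # stands in for /var/log/fail2ban.log
cat >"$F2B_LOG" <<'EOF'
2020-01-11 20:00:52,101 fail2ban.actions        [1100]: NOTICE  [sshd] Ban 222.186.173.183
2020-01-11 20:02:30,204 fail2ban.actions        [1100]: NOTICE  [sshd] Ban 45.82.153.141
2020-01-11 20:10:52,310 fail2ban.actions        [1100]: NOTICE  [sshd] Unban 222.186.173.183
2020-01-11 20:12:00,420 fail2ban.actions        [1100]: NOTICE  [sshd] Ban 222.186.173.183
2020-01-11 21:00:00,500 fail2ban.actions        [1100]: NOTICE  [recidive] Ban 222.186.173.183
EOF

# failed_per_ip LOG -> "count ip" lines, most failures first. Matches both
# "Failed password for USER from IP" and "... for invalid user USER from IP";
# successful logins ("Accepted ...") are not counted.
failed_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# failures_for LOG IP -> failure count for one address (0 if never seen)
failures_for() {
    failed_per_ip "$1" | awk -v ip="$2" '$2 == ip { print $1; f = 1 }
                                         END { if (!f) print 0 }'
}

# ban_candidates LOG MAXRETRY -> addresses that reached MAXRETRY failures,
# i.e. what the sshd jail would ban with that maxretry (ignoring findtime)
ban_candidates() {
    failed_per_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# banned_ips F2B_LOG -> unique addresses fail2ban banned in any jail;
# Unban lines are deliberately ignored so a recidivist stays on the list
banned_ips() {
    awk '$(NF-1) == "Ban" && $NF ~ /^[0-9.]+$/ { print $NF }' "$1" | sort -u
}

# blocklist SECURE_LOG F2B_LOG MAXRETRY -> union of both sources, deduplicated
blocklist() {
    { ban_candidates "$1" "$3"; banned_ips "$2"; } | sort -u
}

echo "failures per source address:"; failed_per_ip "$SECURE_LOG"
echo "blocklist (maxretry 3):";      blocklist "$SECURE_LOG" "$F2B_LOG" 3
```

With the sample data the blocklist contains 222.186.173.183 and 45.82.153.141; the LAN host 192.168.1.24 stays off it because one failed password is below the threshold, which is the point of counting rather than banning on first sight. A list like this can be fed back into an existing jail with `fail2ban-client set <jail> banip <ip>` (the jail name must match one shown by `fail2ban-client status`). Two caveats before volunteering it to a shared database: most of the addresses in the post cluster in a few ranges (222.186.x.x, 218.92.x.x, 45.82.153.x), so per-address entries age quickly, and an address shared by many users behind NAT or a proxy will lock out legitimate users wherever the list is applied.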

You may have a look at https://www.badips.com/

It's implemented in fail2ban, but it seems you need to add the action to the jails… I never tested it.

See following files:

/etc/fail2ban/action.d/badips.conf
/etc/fail2ban/action.d/badips.py
/etc/fail2ban/jail.conf

Risk zero doesn't exist; I trust fail2ban to ban and ban again when needed.
