Monday, October 19, 2020

fail2ban to secure ssh server

SSH is a network protocol for operating network services securely over an unsecured network, but the word "secure" in the name doesn't mean it cannot be broken. Admins still need to configure it securely.

If you are forced to provide SSH access globally, I would suggest not using passwords as the login method. RSA keys are a more secure way to log in, and they make unauthorized access to the server much harder.

But if for some reason you cannot use RSA keys as the login method, you should install fail2ban on your server. It protects you in several ways against unauthorized access.

If you are under the impression that nobody is trying to log into your server, try this on a dummy server: open port 22 for SSH login and check /var/log/auth.log or /var/log/secure after an hour or two. You will find a countless number of SSH login attempts. People from every corner of the earth are trying very hard to get inside your server.

Here is the way to secure your server if your SSH login method is a password.

1) Install fail2ban on your Linux system.

apt install fail2ban
or
yum install fail2ban

2) Configure jail.local

nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 7200
findtime = 900
maxretry = 5

[sshd]
enabled = true

service fail2ban restart

fail2ban is now configured on your server. Next you want to know whether it is actually working. Your concern is valid; read the following steps.

A) To find out how many jails you have created in fail2ban, here is the command. Check the number of jails:

sudo fail2ban-client status

In the above configuration we created only one jail, so it will list only one jail, i.e. 'sshd'.

B) Now you want to check how many IPs have been blocked. The command below shows the total number of blocked IPs as well as the list of IPs that are currently blocked. Check the status of currently blocked IPs:

sudo fail2ban-client status <jailname>
sudo fail2ban-client status sshd

You set bantime to 7200 in your config, which means an IP is blocked for 2 hours once it has 5 or more failed login attempts (maxretry) within the findtime window (900 seconds here). You can reduce the number of allowed failed attempts and increase bantime depending on your requirements.

C) If you want to block an IP or a whole IP range manually, here is the command. Block an IP or IP range manually:

sudo fail2ban-client -vvv set sshd banip 141.98.10.0/24
sudo fail2ban-client -vvv set sshd banip 222.141.207.246

The first command blocks the IP range from 141.98.10.0 to 141.98.10.255, i.e. all 256 IPs. The second command blocks only one IP, i.e. 222.141.207.246.

D) If you think nobody wants to log into your server because your files are useless to them, try the command below. Even if you put just one blank file a.txt on your server and people get access to it, they will write into that file how many bitcoins they want, or they will simply delete it along with any other OS files your user is allowed to remove.

Check all failed login attempts:

grep rhost /var/log/auth.log
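
To see what those log lines mean for the jail configured above, here is an added example (mine, not part of the original post and not fail2ban's own code) that applies the post's findtime = 900 / maxretry = 5 rule to a constructed set of auth.log lines of the kind `grep rhost` prints. The regex, the hostname and the addresses are all made up for the example; it shows that five failures count only when they fall inside one findtime window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FINDTIME = 900   # seconds, as in the post's jail.local
MAXRETRY = 5

# PAM failure line that the post's `grep rhost` surfaces. Regex written for
# this example; it is not fail2ban's own sshd filter.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)"
)

def would_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry failures inside a sliding findtime window."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m or m["ip"] in banned:
            continue
        # auth.log carries no year; the constructed sample below is from 2020.
        t = datetime.strptime("2020 " + m["ts"], "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # expire old failures
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = t
    return banned

# Constructed sample (RFC 5737 test addresses): 203.0.113.7 fails 5 times in
# three minutes; 198.51.100.9 also fails 5 times, but 40 minutes apart.
SAMPLE_LOG = """\
Oct 19 08:00:00 web sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Oct 19 08:40:00 web sshd[2140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=admin
Oct 19 09:20:00 web sshd[2177]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Oct 19 10:00:00 web sshd[2230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
Oct 19 10:23:41 web sshd[2305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Oct 19 10:23:44 web sshd[2305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Oct 19 10:24:02 web sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Oct 19 10:24:30 web sshd[2318]: Accepted publickey for deploy from 192.0.2.10 port 51522 ssh2
Oct 19 10:25:10 web sshd[2320]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=test
Oct 19 10:26:30 web sshd[2326]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Oct 19 10:40:00 web sshd[2390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
""".splitlines()

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"fail2ban would ban {ip} at {when:%H:%M:%S}")
```

Only 203.0.113.7 gets banned with the post's settings; the slow host from 198.51.100.9 never has five failures inside one 900-second window, which is why findtime and maxretry have to be read together.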

Unauthorized SSH access can do the biggest damage to you and your server. Do not take it lightly.
1) Always use the key login method for your SSH user and do not open port 22 globally.
2) If you are forced to open it globally, use the key login method, and RSA keys only.
3) If you are forced to use the password login method with global access, then you must choose a very strong password for your user and configure fail2ban.
