SSH brute force and hacking attempts

AndreiV
Seeing a very big increase in SSH login attempts caught in Turris Honeypot.

This IP has made 5000+ attempts today: 104.248.89.194

This session by 104.244.76.203 is more interesting as you'll see a string of 45 commands issued.

This session by 104.244.76.203 is more interesting as you'll see a string of 45 commands issued.

Honeypot aside, exposed SSH ports should use certs vs. user/pass, along with disabling root login, which applies to both OpenSSH and dropbear...
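A quick way to check whether a server actually has the two settings the reply above asks for (key-only authentication, no root login). This is an added example, not code from the thread or from OpenSSH; it parses sshd_config the way sshd does (first uncommented occurrence of a keyword wins, absent keywords take the compiled-in default) and the defaults it assumes are those of OpenSSH 7.x and later. The two sample configs are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check an OpenSSH sshd_config for the
# settings the reply recommends (key-only authentication, no root login).
# sshd honours the FIRST uncommented occurrence of a keyword and falls back
# to a compiled-in default when the keyword never appears; the defaults
# below are those of OpenSSH 7.x and later (an assumption of this example).

# audit_sshd_config FILE
#   Prints one "WEAK keyword=value (want x)" line per insecure setting.
#   Directives after a "Match" block are ignored to keep the parser simple.
audit_sshd_config() {
    awk '
    BEGIN {
        want["permitrootlogin"]                 = "no"
        want["passwordauthentication"]          = "no"
        want["challengeresponseauthentication"] = "no"
        want["pubkeyauthentication"]            = "yes"
        def["permitrootlogin"]                  = "prohibit-password"
        def["passwordauthentication"]           = "yes"
        def["challengeresponseauthentication"]  = "yes"
        def["pubkeyauthentication"]             = "yes"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    tolower($1) == "match"   { exit }           # stop at the first Match block
    {
        key = tolower($1)
        # newer OpenSSH spells ChallengeResponseAuthentication this way
        if (key == "kbdinteractiveauthentication") key = "challengeresponseauthentication"
        if ((key in want) && !(key in seen)) seen[key] = tolower($2)   # first one wins
    }
    END {
        for (k in want) {
            v = (k in seen) ? seen[k] : def[k]
            if (v != want[k]) printf "WEAK %s=%s (want %s)\n", k, v, want[k]
        }
    }' "$1"
}

# weak_count FILE -> number of WEAK findings (0 means the file passes)
weak_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample: looks like a stock Debian/Ubuntu sshd_config after an
# admin appended "PasswordAuthentication no" at the bottom without noticing
# the earlier "yes" line, which is the one sshd actually uses.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
}

# Constructed sample: the hardened version the reply asks for.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Stand-alone demo: audit both samples.
main() {
    weak=$(mktemp) && hard=$(mktemp)
    write_weak_config "$weak"; write_hardened_config "$hard"
    echo "== weak config =="
    audit_sshd_config "$weak"
    echo "== hardened config: $(weak_count "$hard") finding(s) =="
    rm -f "$weak" "$hard"
}
main
```

The weak sample is the classic mistake: a `PasswordAuthentication no` appended at the end does nothing because the earlier `yes` is the one sshd uses. The parser does not follow `Include` lines or `Match` blocks, so on a real host the authoritative check is `sudo sshd -T | grep -E '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '`, which prints the effective values. For dropbear there is no config file; the equivalents are the `-s` (disable password logins) and `-w` (disallow root logins) start-up flags.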
 
I have had a similar problem recently. I am seeing increased SSH brute force login attempts from different IPs.
192.168.50.2 is my internal PiVPN and Pi-Hole server. It is running on an Orange Pi setup.

This is a recent issue for me. I've been running this setup for over a year but only recently these attacks started to occur. The only change I can think of is moving from Asus DDNS to No-IP (ddns.net).

Anything I can do to prevent?
 

Attachment: AiProtection.jpg
Change the port you're exposing to the internet to be a random and non-obvious number between 5001 and 32767.
Is it possible to know which port is under attack?

Currently I've got SSH (22), Wireguard (51820), and VNC (5901) exposed.
 
Change the port you're exposing to the internet to be a random and non-obvious number between 5001 and 32767.
I changed the SSH port to 5022 and 22022 to try it out. However, I cannot SSH into my server using anything other than port 22.

SSH starts working as soon as I change back to 22.

Am I missing something?
 
Probably. You'll have to explain exactly what you're doing, what you're changing, how you're testing and from where (i.e. inside your LAN or outside).
My bad about the brevity.

The purpose is for me to SSH into my server at home from outside of my home network. From my phone or work or elsewhere.

Inside my LAN, everything works because I don't need to port forward anyway. I can SSH directly to 192.168.50.2, which is the LAN IP of the server.

Currently, I forward port 22 so that I can SSH into my home server.

If I change port to anything other than 22, I cannot SSH into my server from outside of my home network.

Hope that clarified the issue.

To bring the talk back on topic, the real issue is that I'm getting SSH brute force attacks per AiProtection. Ultimately that's what I'm trying to resolve. My current setup works for everything I need it for, except for getting SSH brute force attacks.
 
So you leave the SSH server's port the same as it was, i.e. 22. Then you change the port forwarding rule on the router so that the external port is 22022 but the internal port (on 192.168.50.2) is still 22. Then, when connecting from outside your LAN you change your SSH client to use port 22022 instead of port 22.
 
To bring the talk back on topic, the real issue is that I'm getting SSH brute force attacks per AiProtection. Ultimately that's what I'm trying to resolve. My current setup works for everything I need it for, except for getting SSH brute force attacks.

It's internet background noise, as long as your device is secure (certificates only is a very good step here).

On the server that you've port forwarded, fail2ban goes a long way towards quieting that noise, and you might consider using a firewall on that host: ufw is in most Debian/Ubuntu distros (including the excellent Armbian for SBCs) and you can set ssh to limit, which is a brute force throttle mechanism...
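To see what fail2ban is actually doing with that noise, here is the same counting done by hand over a few auth.log lines. This is an added example, not code from the thread or from fail2ban; the log lines are constructed for it (the two source IPs are the ones from the first post) and the ban rules are printed for review rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the counting that fail2ban's sshd
# filter does, run over constructed auth.log lines so it works offline.
# Source IPs are the two from the first post; the log lines themselves are
# made up for this example.

write_sample_authlog() {
    cat > "$1" <<'EOF'
Mar  3 10:00:01 pi sshd[2001]: Failed password for root from 104.248.89.194 port 51122 ssh2
Mar  3 10:00:03 pi sshd[2003]: Failed password for invalid user admin from 104.248.89.194 port 51130 ssh2
Mar  3 10:00:05 pi sshd[2005]: Failed password for invalid user pi from 104.248.89.194 port 51141 ssh2
Mar  3 10:00:06 pi sshd[2006]: Invalid user oracle from 104.248.89.194 port 51150
Mar  3 10:00:07 pi sshd[2007]: Failed password for invalid user oracle from 104.248.89.194 port 51150 ssh2
Mar  3 10:00:09 pi sshd[2009]: Failed password for root from 104.244.76.203 port 40010 ssh2
Mar  3 10:00:11 pi sshd[2011]: Accepted publickey for alice from 192.168.50.20 port 55002 ssh2
Mar  3 10:00:12 pi sshd[2012]: Failed password for alice from 192.168.50.20 port 55004 ssh2
Mar  3 10:00:14 pi sshd[2014]: Disconnected from authenticating user root 104.248.89.194 port 51160 [preauth]
EOF
}

# brute_force_sources LOG THRESHOLD
#   Prints "<failures> <ip>" for every source with THRESHOLD or more
#   "Failed password" lines, most active first. Only that one sshd line is
#   counted; the "Invalid user" and "Disconnected" lines belonging to the
#   same attempt are not, so one bad login is one failure.
brute_force_sources() {
    awk -v min="${2:-5}" '
    index($0, "]: Failed password for ") {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# ban_commands LOG THRESHOLD
#   Turns the findings into the kind of firewall rule fail2ban applies,
#   printed rather than executed so they can be reviewed first.
ban_commands() {
    brute_force_sources "$1" "$2" | while read -r n ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$n"
    done
}

main() {
    log=$(mktemp)
    write_sample_authlog "$log"
    echo "== sources with 3+ failures =="
    brute_force_sources "$log" 3
    echo "== rules that would be applied =="
    ban_commands "$log" 3
    rm -f "$log"
}
main
```

With a threshold of 3 only 104.248.89.194 shows up (4 failures); the single typo from the LAN user and the single attempt from 104.244.76.203 stay under it, which is the point of a threshold. fail2ban's stock `sshd` jail does this continuously (enable it in jail.local and tune `maxretry` and `bantime`), and `ufw limit 22/tcp` does the throttling in the kernel instead: ufw's limit rule rejects an address that opens six or more new connections in 30 seconds. Note the port on the server stays 22 when the router maps an external 22022 to it, so the ufw rule is still written against 22.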
 
I changed the SSH port to 5022 and 22022 to try it out. However, I cannot SSH into my server using anything other than port 22.

If you have mapped the ports (internet 5022, LAN 22) and saved the host as a profile, that's where you are getting tripped up, on the hairpin.

Save one profile for the internet with the 5022, and a LAN profile based on the host IP for port 22, and you should be good...

I'm using 22 (ssh) as an example for this thread, but it would apply to any mapping scenario, such as www, where one might have 8080 for the internet and 80 internally (as many ISPs don't allow inbound HTTP).
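The two-profile setup from the replies above (router forwards external 22022 to 192.168.50.2:22, client uses 22022 from outside and 22 on the LAN), written out as an ssh client config. This is an added example, not something posted in the thread; the `yourname.ddns.net` hostname, the `pi` user and the key file name are placeholders. The small resolver just shows which hostname and port each alias ends up with, the same thing `ssh -G` reports.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the two ssh client profiles the
# replies describe, one for the LAN (straight to 192.168.50.2:22) and one
# for the internet (the No-IP hostname, router forwards WAN 22022 -> 22).
# "yourname.ddns.net", the user name and the key file are placeholders.

# write_ssh_profiles FILE  (normally ~/.ssh/config)
write_ssh_profiles() {
    cat > "$1" <<'EOF'
# At home: the server itself, sshd still listens on 22
Host home-lan
    HostName 192.168.50.2
    Port 22
    User pi
    IdentityFile ~/.ssh/id_ed25519_home
    IdentitiesOnly yes

# Away: the router WAN side, external port 22022 mapped to 192.168.50.2:22
Host home-wan
    HostName yourname.ddns.net
    Port 22022
    User pi
    IdentityFile ~/.ssh/id_ed25519_home
    IdentitiesOnly yes
EOF
}

# resolve_profile CONFIG ALIAS -> "hostname port", the way ssh picks them
#   (first matching Host stanza wins; HostName defaults to the alias, Port
#   to 22). Wildcard Host patterns are not handled; this config has none.
resolve_profile() {
    awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "host" { cur = $2; next }
    cur == want && tolower($1) == "hostname" && h == "" { h = $2 }
    cur == want && tolower($1) == "port"     && p == "" { p = $2 }
    END { if (h == "") h = want; if (p == "") p = 22; print h, p }
    ' "$1"
}

main() {
    cfg=$(mktemp)
    write_ssh_profiles "$cfg"
    for alias in home-lan home-wan; do
        echo "$alias -> $(resolve_profile "$cfg" "$alias")"
    done
    rm -f "$cfg"
}
main
```

Usage is then `ssh home-wan` from the phone or from work and `ssh home-lan` at home (or two saved profiles in a GUI client). From inside the LAN, `ssh home-wan` only works if the router does NAT loopback for its own WAN address, which is the hairpin that tripped things up; the LAN profile sidesteps it. On a real client, `ssh -G home-wan | grep -E '^(hostname|port) '` prints the values ssh will use. `IdentitiesOnly yes` makes the client offer only that key, which fits a server that has password logins switched off.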
 
It's internet background noise, as long as your device is secure (certificates only is a very good step here).

On the server that you've port forwarded, fail2ban goes a long way towards quieting that noise, and you might consider using a firewall on that host: ufw is in most Debian/Ubuntu distros (including the excellent Armbian for SBCs) and you can set ssh to limit, which is a brute force throttle mechanism...
So in your opinion, you suggest using standard ports? SSH on 22, Wireguard on 51820, etc.?
 
Maybe you guys can help with the pros and cons of these two distinct suggestions.
Nothing sfx said addresses the actual question you asked. If you want to change the question and ask about security and/or remote access I would suggest you disable remote SSH access completely and instead connect via a VPN server. But then I have no knowledge of your use case.
 