Precautions during SSH [duplicate]

Solution 1:

A similar problem struck me after reading this question here on AskUbuntu and checking my VPS, only to see a bazillion brute-force attempts. That is when I decided to take action.

Now, according to the question I linked to, if you would like to see failed login attempts on your machine over ssh (they could be brute-force attempts or anything else), try typing this:

grep sshd.\*Failed /var/log/auth.log | less

If the output consists of many lines, that is, many brute-force attempts, especially if they happened at short intervals, you might want to take the following actions:

Change the ssh configuration file

To do this, open the file located at /etc/ssh/sshd_config with your favourite editor, like this: sudo vim /etc/ssh/sshd_config.

1. Try to move ssh from port 22: Now locate the line that reads:

# What ports, IPs and protocols we listen for
Port 22

and comment out Port 22, then use any other port you like. Example:

# What ports, IPs and protocols we listen for
# Port 22
Port 28934

Please remember that ports below 1024 need special (root) permission. I do not know how this could interfere with it, but I am just saying.

2. Disable Root logins via ssh: Since the root username is predictable and provides complete access to your system, providing unfettered access to this account over SSH is unwise. Locate the line reading PermitRootLogin and set it to no.

PermitRootLogin no

3. Disable password authentication: Generate and use SSH keys to log into your system. Without passwords enabled, attackers will need to guess (or steal) your SSH private key in order to gain access to your server, something that is very, very difficult. Proceed to find the line that reads PasswordAuthentication and set it to no.

PasswordAuthentication no

!WARNING! Before doing so, please consult this guide over here on how to set up certificate authentication.

NOTE: After you have made the changes, use sudo /etc/init.d/ssh restart. To connect to another port via ssh, use: ssh user@host -p <port_number>.

Setup a firewall

Please check out this guide on how to set up IPTables, the extremely powerful and effective firewall that is integrated into Linux.

Set up scripts to help you with security

One that I use personally and that quickly comes to mind is Fail2Ban. Fail2ban will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log. To install it: sudo apt-get install fail2ban

Check command history via ssh

There is a Linux command, named history, which allows you to see which commands have been entered up until that point. Try typing history in a terminal to see all commands up to that point. It could help if you were root.

To search for a particular command try: history | grep command-name

To list all commands after ssh: fc -l ssh

You can also edit commands using vi (I haven't tried it with vim, though I assume it works as well): fc -e vi

You can also delete the history: history -c

NOTE: If you are not a fan of the command history there is also a file in your home directory (cd ~), called .bash_history (if you are using bash) that you can cat to see all that has been typed in the bash shell.
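As an added example (not the answer's own commands), the bash script below does two of the checks from this answer in one place: it summarises the "Failed" sshd lines from auth.log per source IP, and it audits an sshd_config file for the three directives the answer changes (Port, PermitRootLogin, PasswordAuthentication), honouring the fact that sshd uses the first occurrence of a directive and that anything after a Match header is conditional. The log lines, config files and temporary paths are constructed sample data (RFC 5737 test addresses), so it runs offline.

```bash
#!/usr/bin/env bash
# Added example for the answer above (not the original poster's code):
# 1) count failed SSH logins per source IP from auth.log-style lines, and
# 2) audit sshd_config for the three directives the answer changes.
# All log lines, config files and paths below are constructed sample data.

# Print "count ip" per source address of failed logins, busiest first.
# Matches both "Failed password for root from X ..." and
# "Failed password for invalid user admin from X ..."; the IP follows "from".
failed_logins_by_ip() {
  grep 'sshd.*Failed' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print the effective value of one directive from an sshd_config file.
# sshd honours the FIRST occurrence of a directive, and everything after a
# "Match" header is conditional, so we stop there. Prints "unset" if the
# directive is not set in the main section.
sshd_directive() {
  local value
  value=$(awk -v d="$2" '
    /^[[:space:]]*#/ { next }                 # skip commented-out lines
    tolower($1) == "match" { exit }           # conditional section: stop
    tolower($1) == tolower(d) { print $2; exit }' "$1")
  printf '%s\n' "${value:-unset}"
}

# Audit the three directives from the answer. Prints one line per directive
# and returns the number of directives still in a weak state (0 = hardened).
# An unset PasswordAuthentication defaults to yes and an unset Port to 22, so
# "unset" counts as weak; an unset PermitRootLogin defaults to
# prohibit-password on current OpenSSH, but we still require an explicit "no".
audit_sshd_config() {
  local cfg="$1" weak=0 v
  v=$(sshd_directive "$cfg" PermitRootLogin)
  printf 'PermitRootLogin=%s\n' "$v"
  [ "$v" = no ] || weak=$((weak + 1))
  v=$(sshd_directive "$cfg" PasswordAuthentication)
  printf 'PasswordAuthentication=%s\n' "$v"
  [ "$v" = no ] || weak=$((weak + 1))
  v=$(sshd_directive "$cfg" Port)
  printf 'Port=%s\n' "$v"
  case "$v" in unset|22) weak=$((weak + 1)) ;; esac
  return "$weak"
}

# Constructed sample data for a stand-alone run.
write_samples() {
  SAMPLE_DIR=$(mktemp -d)
  cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Jan 10 03:14:07 vps sshd[2231]: Failed password for root from 203.0.113.5 port 50122 ssh2
Jan 10 03:14:09 vps sshd[2231]: Failed password for root from 203.0.113.5 port 50122 ssh2
Jan 10 03:14:11 vps sshd[2240]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Jan 10 03:15:02 vps sshd[2251]: Failed password for invalid user oracle from 198.51.100.77 port 41001 ssh2
Jan 10 03:16:40 vps sshd[2260]: Accepted publickey for alice from 192.0.2.10 port 53320 ssh2
Jan 10 03:17:01 vps CRON[2270]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
  cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
PermitRootLogin yes
# PasswordAuthentication is left unset here, so it defaults to yes
EOF
  cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
# What ports, IPs and protocols we listen for
# Port 22
Port 28934
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

write_samples
echo "== failed logins per IP =="
failed_logins_by_ip "$SAMPLE_DIR/auth.log"
echo "== weak config =="
n=0; audit_sshd_config "$SAMPLE_DIR/sshd_config.weak" || n=$?
echo "weak directives: $n"
echo "== hardened config =="
n=0; audit_sshd_config "$SAMPLE_DIR/sshd_config.hardened" || n=$?
echo "weak directives: $n"
```

To use it on a real host, point failed_logins_by_ip at /var/log/auth.log and audit_sshd_config at /etc/ssh/sshd_config. Two caveats a practitioner will want: on Ubuntu releases whose sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, a drop-in file there can set PasswordAuthentication yes ahead of your own line and win, and this single-file audit will not see it, so compare against sudo sshd -T, which prints the effective configuration; and keep an existing session open while you restart sshd, so a typo in the new config or a firewall that does not yet allow the new port does not lock you out.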

Solution 2:

SSH is not fully secure in its default configuration.

If you have provided a password to allow a remote user to connect via SSH to your computer, those rights need to be revoked to stop ongoing access.

Changing your password does NOT revoke these rights.