Potential hijacked SSH session & SSH best practices
I'm freaking out a little bit at the moment. I am SSHing into a remote server that I have recently commissioned. I'm doing this as root. I have installed fail2ban and had a massive number of banned IPs in the log.
The last time I logged in I noticed my terminal being really laggy, then my internet connection went down. When I brought it back up after about 5 min, I logged back into the server, did a 'who' and realised there were two root users logged in. I would have thought that if my connection terminated, the process from the last session would have been stopped on the server?
The connection ended with a 'Write failed: Broken pipe' when I first got disconnected. I killed the bash session with the other root. I don't know much about SSH security; however, could sessions be hijacked? Is there a way of checking this? I need to continue logging in via SSH. What precautions should I take? If I was somehow going through a proxy to reach my server (like a man-in-the-middle attack), could they hijack my SSH session?
Solution 1:
The root logins are probably dangling shell sessions that once were you. Your server is also probably getting DDoSed with all the attempted logins hammering it.
Lock down SSH. Don't allow root login, and those requests that are trying to brute force this machine will fail immediately (taking far fewer resources). Log in as a normal user and elevate permissions via sudo, a practice you should be doing anyway. Also restrict SSH login to a list of client IPs so that the unsavory machines can't even try to log in.
Use SSH keys instead of passwords for user login. They're easier to deal with, and can be password protected themselves in case you accidentally give a private key out to the wrong place (giving you time to replace them and invalidate the old one). As @EEAA mentioned in the comments, you must also disable password based authentication if you wish to restrict clients to using only keys instead of both passwords and keys.
If the Mongol clans continue to batter your city wall, maybe move SSH to a different high port (under 1024, as @AustinBurke pointed out, so as to use a privileged port) instead of 22. This will reduce traffic on that port if this is a problem for you (and most bots aren't very graceful, so they'll only attempt on 22). It won't stop things from trying port 22 or even scanning your machine to see what port is listening on SSH, and in most cases it is a needless inconvenience. But it may help.
Others might be able to provide more tips, but these are pretty generic security measures for a publicly facing SSH server.
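The settings the answer above asks for (no root login, keys instead of passwords with password authentication switched off, an address list, optionally a different port) all live in sshd_config, and the usual way this goes wrong is pasting the new lines at the bottom of a file that already sets the same keyword higher up. sshd takes the first occurrence of each keyword and ignores later ones, so the "fix" is silently dead. The script below is an added example, not code from the original post or answer: it reports the effective value of each directive using that same first-match rule and flags the open settings. It assumes a single global config (Include and Match blocks are not followed), OpenSSH 7.0 or later defaults, and the three sample configs it writes are constructed for the demo (the addresses are from the RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example: audit the sshd_config directives discussed in the answer.
# Assumptions: one global config with no Include/Match handling, OpenSSH >= 7.0
# defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PubkeyAuthentication yes, Port 22). Sample files below are constructed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_value FILE KEYWORD DEFAULT
# Prints the FIRST value given for KEYWORD (keyword match is case-insensitive,
# "key value" and "key=value" both accepted), or DEFAULT if the keyword never
# appears before the first Match block. This mirrors sshd: first match wins.
effective_value() {
    v=$(awk -v key="$(lower "$2")" '
        /^[ \t]*$/ { next }                          # blank line
        /^[ \t]*#/ { next }                          # comment
        { line = $0; sub(/^[ \t]+/, "", line)
          n = split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }            # global section ends here
        tolower(f[1]) == key && n >= 2 { print f[2]; exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE
# Prints one FAIL/INFO line per finding; returns 1 if anything FAILed.
audit_sshd_config() {
    f=$1; fails=0
    root=$(lower "$(effective_value "$f" PermitRootLogin prohibit-password)")
    pw=$(lower "$(effective_value "$f" PasswordAuthentication yes)")
    pubkey=$(lower "$(effective_value "$f" PubkeyAuthentication yes)")
    port=$(effective_value "$f" Port 22)
    allow=$(effective_value "$f" AllowUsers "")

    if [ "$root" = "yes" ]; then
        echo "FAIL: PermitRootLogin yes - root logs in directly; set no, use a normal user + sudo"
        fails=$((fails + 1))
    fi
    if [ "$pw" = "yes" ]; then
        echo "FAIL: PasswordAuthentication yes - brute force still possible; set no and use keys"
        fails=$((fails + 1))
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication $pubkey - key logins would be refused"
        fails=$((fails + 1))
    fi
    [ -z "$allow" ] && echo "INFO: no AllowUsers - any account can be tried from any address"
    [ "$port" = "22" ] && echo "INFO: Port 22 - moving it only cuts bot noise, it is not a control"
    [ "$fails" -eq 0 ]
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: a freshly commissioned server left at the open defaults.
WEAK_CFG=$tmp/weak; cat >"$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the fixes were appended at the END of the file.
# sshd keeps the first value it sees, so the host is still wide open.
LATE_CFG=$tmp/late; cat >"$LATE_CFG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# added after reading the advice; sshd ignores both of these:
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sample 3: what the answer recommends. AllowUsers limits logins to
# one account from one host and one /24 (documentation addresses).
HARD_CFG=$tmp/hard; cat >"$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers admin@203.0.113.10 admin@198.51.100.0/24
EOF

for cfg in "$WEAK_CFG" "$LATE_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "OK: nothing to fix" \
        || echo "=> fix the file, then validate with: sshd -t"
done
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a clean run prints nothing and returns 0. Two practical notes: always run `sshd -t` before reloading, and keep the current session open while testing a new login from a second terminal, because a mistake in AllowUsers or a key-only setup with no key installed locks you out. On the port question, ports below 1024 are the privileged ones; choosing one there means an unprivileged process cannot bind it if sshd ever stops.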