On Sun, 05 Sep 2021 15:43:15 +0000, carriunix wrote:
> Using another interface, everything works fine.
Great that the problem is solved!
Maybe one word of caution:
I don't know what sshd_config looks like on Ubuntu, but I do know that
the root account usually is unusable on Ubuntu and administrative tasks
are done with sudo instead. On Slackware the root account is usable and
if you open up ssh on a public IP you should make sure that you have:
PermitRootLogin no
...in /etc/ssh/sshd_config
You should also make sure that all usable accounts use hard to guess
passwords if you allow ssh password login.
This is what my log files look like on a system which has ssh on port
2222 on a public IP address:
...
Sep 5 18:42:33 igor sshd[25577]: Failed password for root from 194.19.182.119 port 52974 ssh2
Sep 5 18:42:33 igor sshd[25577]: Received disconnect from 194.19.182.119: 11: Bye Bye [preauth]
Sep 5 18:44:51 igor sshd[25579]: Connection closed by 106.75.222.175 [preauth]
Sep 5 18:45:13 igor sshd[25581]: Invalid user chenmm from 210.104.28.71
Sep 5 18:45:13 igor sshd[25581]: input_userauth_request: invalid user chenmm [preauth]
Sep 5 18:45:13 igor sshd[25581]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 18:45:13 igor sshd[25581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.104.28.71
Sep 5 18:45:15 igor sshd[25581]: Failed password for invalid user chenmm from 210.104.28.71 port 33658 ssh2
Sep 5 18:45:15 igor sshd[25581]: Received disconnect from 210.104.28.71: 11: Bye Bye [preauth]
Sep 5 18:51:16 igor sshd[25583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.104.28.71 user=root
Sep 5 18:51:18 igor sshd[25583]: Failed password for root from 210.104.28.71 port 37942 ssh2
Sep 5 18:51:18 igor sshd[25583]: Received disconnect from 210.104.28.71: 11: Bye Bye [preauth]
Sep 5 18:56:54 igor sshd[25587]: Accepted publickey for henca from 192.168.17.2 port 63492 ssh2
Sep 5 18:56:54 igor sshd[25587]: pam_unix(sshd:session): session opened for user henca by (uid=0)
...
I blacklist IP addresses which have made too many ssh attempts, that list
is 38976 different IP addresses which I route to /dev/null.
Once I saw a Slackware machine with a weak root password being connected
to the Internet with a public IP address. It took about 30 minutes before
someone was able to log in as root.
regards Henrik
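
An added example, not part of the original post and not the poster's own tooling: one way to pick blacklist candidates out of sshd log lines in the format shown above. The function name, the threshold, the allowlisted LAN range and the sample lines (documentation addresses, constructed) are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# "Failed password" lines in the format of the log excerpt above. The username
# is chosen by the remote side, so the pattern is anchored at the end of the
# line and the username match is greedy: the address taken is always the last
# "from <addr> port <n> ssh2" that sshd itself appended.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def blacklist_candidates(lines, threshold=3, allow=("192.168.0.0/16",)):
    """Return {ip: failures} for sources with at least `threshold` failures.

    Addresses inside the `allow` networks are never returned, so a mistyped
    password from the admin's own LAN cannot end up on the blacklist.
    """
    allowed = [ipaddress.ip_network(net) for net in allow]
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins, disconnects, pam_unix lines, ...
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address, e.g. a logged hostname
        if any(ip in net for net in allowed):
            continue
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input (not taken from a real log).
SAMPLE = """\
Sep 5 18:42:33 host sshd[101]: Failed password for root from 203.0.113.7 port 52974 ssh2
Sep 5 18:42:35 host sshd[102]: Failed password for invalid user test from 203.0.113.7 port 52980 ssh2
Sep 5 18:42:37 host sshd[103]: Failed password for root from 203.0.113.7 port 52986 ssh2
Sep 5 18:45:15 host sshd[104]: Failed password for admin from 198.51.100.9 port 33658 ssh2
Sep 5 18:45:17 host sshd[105]: Failed password for invalid user x from 192.168.0.5 port 1 from 198.51.100.9 port 4000 ssh2
Sep 5 18:50:01 host sshd[106]: Failed password for henca from 192.168.0.5 port 40000 ssh2
Sep 5 18:56:54 host sshd[107]: Accepted publickey for henca from 192.168.0.5 port 63492 ssh2
"""

if __name__ == "__main__":
    for ip, n in sorted(blacklist_candidates(SAMPLE.splitlines()).items()):
        print(ip, n)
```

The fifth sample line carries a username that itself contains "from 192.168.0.5 port 1"; the failure is still counted against 198.51.100.9, the address sshd logged.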