Failed SSH root logins


Kevin Heatwole

Feb 3, 2017, 9:40:49 AM
to CoreOS User
I am seeing repeated attempts to ssh into root in my VMs:

Feb 03 10:26:01 vps02 sshd[10209]: Failed password for root from 223.99.60.48 port 49969 ssh2
Feb 03 10:26:01 vps02 sshd[10209]: maximum authentication attempts exceeded for root from 223.99.60.48 port 49969 ssh2 [preauth]
Feb 03 10:26:01 vps02 sshd[10209]: Disconnecting: Too many authentication failures [preauth]
Feb 03 10:26:01 vps02 sshd[10209]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.48  user=root
Feb 03 10:26:01 vps02 sshd[10209]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 03 10:26:02 vps02 sshd[10215]: Failed password for root from 223.99.60.48 port 62634 ssh2
Feb 03 10:26:02 vps02 sshd[10215]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:03 vps02 systemd[1]: Started OpenSSH per-connection server daemon (223.99.60.48:12857).
Feb 03 10:26:05 vps02 sshd[10215]: Failed password for root from 223.99.60.48 port 62634 ssh2
Feb 03 10:26:05 vps02 sshd[10226]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:05 vps02 sshd[10226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.48  user=root
Feb 03 10:26:05 vps02 sshd[10215]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:06 vps02 sshd[10226]: Failed password for root from 223.99.60.48 port 12857 ssh2
Feb 03 10:26:07 vps02 sshd[10215]: Failed password for root from 223.99.60.48 port 62634 ssh2
Feb 03 10:26:07 vps02 sshd[10226]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:08 vps02 sshd[10215]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:09 vps02 sshd[10226]: Failed password for root from 223.99.60.48 port 12857 ssh2
Feb 03 10:26:10 vps02 sshd[10215]: Failed password for root from 223.99.60.48 port 62634 ssh2
Feb 03 10:26:10 vps02 sshd[10215]: maximum authentication attempts exceeded for root from 223.99.60.48 port 62634 ssh2 [preauth]
Feb 03 10:26:10 vps02 sshd[10215]: Disconnecting: Too many authentication failures [preauth]
Feb 03 10:26:10 vps02 sshd[10215]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.48  user=root
Feb 03 10:26:10 vps02 sshd[10215]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 03 10:26:10 vps02 sshd[10226]: pam_tally2(sshd:auth): Tally overflowed for user root
Feb 03 10:26:11 vps02 systemd[1]: Started OpenSSH per-connection server daemon (223.99.60.48:25759).
Feb 03 10:26:13 vps02 sshd[10226]: Failed password for root from 223.99.60.48 port 12857 ssh2

These have been going on since I first started the VMs (in November). The rhost IPs are the same for a block of repeated failed logins during the day and then change to a different seemingly random IP.

My VMs aren't used for much now so I'm not too concerned, but when I do eventually deploy the CoreOS VMs into production, I would like to mitigate these connection attempts. I need ssh access to my VMs, but I don't want the service exposed to Chinese or Russian hackers.

Should I be running sshd on a different port (and the hackers not detect the alternate port)? Can I somehow whitelist my IPs (which my ISP will change every so often) but not respond to connections from these outside IPs? Or, can I blacklist an IP from connecting to my sshd server if it tries to login as root or with a password? I'd really like to fail these connection attempts as quickly as possible and maybe in a way that discourages the hacker from even continuing to see that my sshd server is accepting authentication requests from unknown outside IPs.

Any suggestions to secure my VMs even more than CoreOS does out of the box?
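A minimal version of the per-source failure counting that tools like sshguard and fail2ban perform, written here as an added example (it is not code from the thread, from sshguard or from CoreOS) and run over constructed journal lines modelled on the ones above; the year, the threshold/window values and the rendered iptables rule are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One sshd "Failed password" line: timestamp, optional "invalid user", user, source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample modelled on the journal lines in the thread (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Feb 03 10:26:01 vps02 sshd[10209]: Failed password for root from 198.51.100.23 port 49969 ssh2
Feb 03 10:26:01 vps02 sshd[10209]: maximum authentication attempts exceeded for root from 198.51.100.23 port 49969 ssh2 [preauth]
Feb 03 10:26:02 vps02 sshd[10215]: Failed password for root from 198.51.100.23 port 62634 ssh2
Feb 03 10:26:03 vps02 systemd[1]: Started OpenSSH per-connection server daemon (198.51.100.23:12857).
Feb 03 10:26:05 vps02 sshd[10215]: Failed password for root from 198.51.100.23 port 62634 ssh2
Feb 03 10:26:06 vps02 sshd[10226]: Failed password for root from 198.51.100.23 port 12857 ssh2
Feb 03 10:30:00 vps02 sshd[10300]: Failed password for core from 203.0.113.7 port 50000 ssh2
Feb 03 10:31:00 vps02 sshd[10301]: Accepted publickey for core from 203.0.113.7 port 50001 ssh2
"""

def parse_failures(lines, year=2017):
    """Yield (timestamp, user, ip) per failed-password line; journal lines carry no year, so one is assumed."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, threshold=3, window=60, root_only=False):
    """Return {ip: peak_count} for sources with >= threshold failures inside any `window` seconds."""
    recent = defaultdict(deque)  # per-IP sliding window of failure timestamps
    hits = {}
    for ts, user, ip in parse_failures(lines):
        if root_only and user != "root":  # optionally count only attempts against root
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits

def block_rules(ips, port=22):
    """Render one iptables DROP rule per flagged source (strings only; nothing is executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]
```

Feeding `journalctl -u sshd --no-pager` output into `offenders` reproduces what the thread's log shows: one source with a burst of root failures inside a minute, while a single failure from another address stays below the threshold.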

Seán C. McCord

Feb 3, 2017, 9:58:28 AM
to Kevin Heatwole, CoreOS User
CoreOS comes with iptables.  That's your primary tool in your defense against dark arts.  

Mischief wrapped sshguard for use in CoreOS here:  https://github.com/mischief/coreos-sshguard

I have further modified this to run from rkt:  https://github.com/CyCoreSystems/sshguard-rkt


--
Seán C McCord
CyCore Systems, Inc

Simon Westcott

Feb 3, 2017, 10:02:43 AM
to CoreOS User
Personally, I'd run a dedicated bastion server and avoid exposing SSH (or any remote management interfaces) on production VMs to the Internet.

There are numerous methods to restrict access to bastions depending on your budget/risk appetite - VPN, IP whitelist, IP blacklist (fail2ban, sshguard), MFA.

Kevin Heatwole

Feb 3, 2017, 10:52:56 AM
to CoreOS User, ktwa...@gmail.com
Thanks. I've installed sshguard and it seems to be working.