I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as failed password entry. Is this intended?
What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.
Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?
Let us see, shall we?
ssh root@cyberwolfie.com ❯ cowsay Uh-oh _______ < Uh-oh > ------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || ||;)
That all sounds correct to me. The random port you’re seeing in the logs is a high port, often referred to as an ephemeral port, and it is common for source ports. All good there.
Ok, thanks - so if I understand correctly then, it is listening on port 22 as a default, and not accepting traffic on any port.
That brings of the question: wouldn’t I be better off changing the SSH-port? And is that so easy as to uncomment the
#Port 22line in the config file and changing the port number to something random, and saving that somewhere? Would I then be able to connect by runningssh myuser@mydomain.com:, or would I need to do anything else to successfully connect?You would need to specify the new port when using ssh (using the -p$PORT option). Just keep in mind that security through obscurity is not considered secure in itself. You could instead consider a service like fail2ban that automatically blocks connections from certain sources depending on your set parameters.
It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port
It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port
Fair point! I first thought that would be good, as it would discourage all those random connections. My guess is that they won’t bother spending 5 minutes on each server, and instead just move on to the next when they fail. But then I realized that I don’t really care about those anyway as they’re not getting anywhere with their root:mypassword login attempts.
Yes that’s the right way to block root login. An added filter you can use the ‘match’ config expression to filter logins even further.
If you’re on the open network, your connection will be heavily hit with login attempts. That is normal. But using another service like Fail2Ban will stop repeated hits to your host.
Ssh listens on port 22, as soon as a connection is made the host moves the connection to another port to free up 22 for other new connections.Btw: I wasn’t thinking clearly here. Out going connections won’t be using port 22, but the listening incoming port is always 22.Yes that’s the right way to block root login. An added filter you can use the ‘match’ config expression to filter logins even further.
Not sure what you meant about the ‘match’ config expressions here. Could you elaborate a bit further?
If you’re on the open network, your connection will be heavily hit with login attempts. That is normal. But using another service like Fail2Ban will stop repeated hits to your host.
Hehe, yeah, I’ve noticed… The reason I get a little anxious whether I did this correctly, is that 95% of the login attempts are to root, so I want to make sure it is disabled. I have set up Fail2Ban, but I am using default settings, which may be a bit laxer than they need?
I’ve also been advised and considered moving to ssh keys, but I have not gotten to that yet.
Ssh listens on port 22, as soon as a connection is made the host moves the connection to another port to free up 22 for other new connections.
Makes sense. One question that comes from this is: is it possible to disable that? I would never need two ssh-logins at the same time on my server. And the second question is what I asked above regarding whether I should change the port ssh listens to in order to reduce unwanted malicious login attempts?
Match blocks allow you to restrict who/what is allowed or not allowed to connect to the server. There is a large number of options to utilize. Put this near the bottom of sshd_config. There should be an example there.
Here are some more examples: https://stackoverflow.com/questions/10829712/sshd-with-multiple-match-sections-override-settings
Thanks - I’ll look more into that to see if I can make any rules that would make sense for my use case.
Did you restart the server after you made the config change?
Yes.
