From: tech-lists <tech-lists@zyxst.net>
To: freebsd-questions@freebsd.org
Subject: Re: Increased abuse activity on my server
Date: Wed, 7 Mar 2018 16:56:19 +0000
Message-ID: <45bb7ffb-c11e-6664-827e-7e2e6a31ad93@zyxst.net>
In-Reply-To: <20180307071944.GA30971@ymer.bara1.se>

On 07/03/2018 07:19, User Hasse wrote:
> Hello All
> I believe I see an increased amount of abuse attempts on my server by several 100%
> in the last couple of months. Anybody else noticed?

You'll get that especially if you run on the standard port. You need a layered approach. man 5 sshd_config.

1. put ssh on a non-standard port [but this won't stop some scanners scanning all ports until they get an ssh response]

   Make sshd log auth attempts to a file that gets cleared every week, because you don't want to be DOSed by your log files filling up. Compress your logs daily.

2. if you can, allow only certain users in /etc/ssh/sshd_config via the AllowUsers statement.

3. if you can, wrap those sshd users to known IPs using the same AllowUsers statement. Syntax is user@192.168.1.0/24 for example.
   I think, but am not sure, that you can have multiple statements for the same (and other) users. There's also AllowGroups if you want to group your ssh users. There's DenyUsers for logins like root you want to specifically protect.

4. make sshd listen on only one interface [because sshd by default listens to them all]

5. if you're dual-stack, make sshd either inet or inet6 [by default it'll listen on both]

6. make ssh access via public key only. I think (though I haven't tried) you can make only certain logins able to log in with a (tunneled) password, and all others public key only.

7. RSA keys are becoming deprecated. I think ed25519 is the most modern.

This is what I do, anyways. I'm sure you can fine tune this more.

-- 
J.
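As an added example (not part of J.'s message, and not anything shipped with FreeBSD or OpenSSH), the following Python script checks an sshd_config against the seven points above. It reads the file the way sshd does (keywords are case-insensitive, the first occurrence of a non-repeatable keyword wins, and everything after a Match line is scoped to that block rather than global), then reports which points a stock-style config misses and confirms a hardened one passes. The per-user password carve-out from point 6 is expressed with a Match block, which is the sshd_config(5) mechanism for it. Both embedded configs are constructed samples; the user names, the group name and the 192.0.2.x / 203.0.113.x addresses are placeholders.

```python
"""Audit an sshd_config against a layered hardening checklist.

Constructed samples only: user names, group, addresses and paths are placeholders.
"""
import ipaddress
import re

# Constructed: a stock-style file where everything sits at its compiled-in
# default (the commented lines are how the shipped file documents defaults).
DEFAULT_CONFIG = """\
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed: the same daemon configured along the seven points.
HARDENED_CONFIG = """\
# 1. non-standard port; 4. one interface; 5. one address family
Port 2222
ListenAddress 192.0.2.10
AddressFamily inet
# log auth attempts with key fingerprints
SyslogFacility AUTH
LogLevel VERBOSE
# 2./3. named accounts, each pinned to a known source network
AllowUsers alice@192.0.2.0/24 bob@203.0.113.5
AllowGroups sshusers
DenyUsers root
PermitRootLogin no
# 6. keys only ...
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# 7. ed25519 host key only
HostKey /etc/ssh/ssh_host_ed25519_key
# ... except one legacy account, and only from the LAN
Match User legacy Address 192.0.2.0/24
    PasswordAuthentication yes
"""

WILDCARD_LISTEN = {"0.0.0.0", "::", "[::]"}


def parse_sshd_config(text):
    """Split a config into (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> list of argument lists, so
    repeatable keywords (ListenAddress, HostKey, AllowUsers) keep every
    occurrence. Lines after a Match line apply only to connections meeting
    its criteria, so they are kept as (criteria, settings) pairs and never
    read as global settings.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        if keyword == "match":
            current = {}
            match_blocks.append((" ".join(args), current))
            continue
        current.setdefault(keyword, []).append(args)
    return global_settings, match_blocks


def first_value(settings, keyword, default):
    """sshd honours the first occurrence of a non-repeatable keyword."""
    occurrences = settings.get(keyword)
    return occurrences[0][0].lower() if occurrences and occurrences[0] else default


def is_ip_or_cidr(host):
    try:
        ipaddress.ip_network(host, strict=False)   # a bare address parses as a /32 or /128
    except ValueError:
        return False
    return True


def audit_sshd_config(text):
    """Return one 'Keyword: problem' string per checklist point not met."""
    g, _matches = parse_sshd_config(text)
    findings = []
    ports = [args[0] for args in g.get("port", [])] or ["22"]          # compiled-in default
    if "22" in ports:
        findings.append("Port: sshd still answers on 22, where the bulk scanners look")
    allow = [entry for args in g.get("allowusers", []) for entry in args]
    if not allow:
        findings.append("AllowUsers: unset, so every account is a valid login target")
    for entry in allow:
        _user, at, host = entry.partition("@")
        if not at or not is_ip_or_cidr(host):
            findings.append(f"AllowUsers: {entry} is not pinned to a source address or CIDR")
    listen = [args[0] for args in g.get("listenaddress", [])]          # unset = all addresses
    if len(listen) != 1 or listen[0] in WILDCARD_LISTEN or listen[0].startswith(("0.0.0.0:", "[::]:")):
        findings.append("ListenAddress: sshd is not bound to exactly one interface address")
    if first_value(g, "addressfamily", "any") == "any":
        findings.append("AddressFamily: any, so sshd is reachable over both IPv4 and IPv6")
    if first_value(g, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication: disabled")
    if first_value(g, "passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication: passwords accepted for every user")
    # keyboard-interactive (PAM) also carries passwords; the keyword was renamed
    # KbdInteractiveAuthentication in OpenSSH 8.7, so accept either spelling.
    if (first_value(g, "challengeresponseauthentication", "yes") == "yes"
            and first_value(g, "kbdinteractiveauthentication", "yes") == "yes"):
        findings.append("ChallengeResponseAuthentication: keyboard-interactive password logins accepted")
    hostkeys = [args[0] for args in g.get("hostkey", [])]
    if not hostkeys:
        findings.append("HostKey: default key set in use, which includes an RSA key")
    for path in hostkeys:
        if "ed25519" not in path.lower():
            findings.append(f"HostKey: {path} is not an ed25519 key")
    root_denied = any("root" in args for args in g.get("denyusers", []))
    if first_value(g, "permitrootlogin", "prohibit-password") != "no" and not root_denied:
        findings.append("PermitRootLogin: root may still log in (with a key)")
    return findings


def password_exceptions(text):
    """Match criteria under which a password login is still allowed (the point 6 carve-out)."""
    _g, matches = parse_sshd_config(text)
    # inside a Match block an unset keyword inherits the global value, so "no" here means "not re-enabled"
    return [criteria for criteria, settings in matches
            if first_value(settings, "passwordauthentication", "no") == "yes"]


if __name__ == "__main__":
    for name, cfg in (("stock", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_sshd_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
    print("password exceptions:", password_exceptions(HARDENED_CONFIG))
```

Run it against the real file with `python3 audit.py` after swapping the embedded sample for `open("/etc/ssh/sshd_config").read()`; the ListenAddress check is deliberately strict (exactly one non-wildcard address), and a host that must serve two addresses would relax it to a whitelist.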