How to make security stronger against attacks?

Hi

I have had a number of ssh root login attempts from Chinese IPs trying to break in to my yuno server.
I see this in auth.log.

There are IPs like these trying to log in as root:
122.195.189.84
58.218.205.72
58.218.205.68
58.218.204.241
182.100.67.112

How can I increase the security of the server?
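Before blocking anything it helps to know which sources are actually hammering sshd and whether they target root. The script below is an added example, not something posted in this thread: it counts sshd "Failed password" lines per source IP from a few constructed auth.log lines (the IPs, hostnames and times are made up, not taken from the poster's server) and prints, without executing, the reject rules the thread uses for every IP over an assumed threshold. Run it on a real file with `ssh_failures_by_ip < /var/log/auth.log`.

```shell
#!/bin/sh
# Constructed auth.log lines (made up for this example, not the poster's log).
SAMPLE_AUTH_LOG='Sep 12 03:14:22 yuno sshd[1234]: Failed password for root from 122.195.189.84 port 51234 ssh2
Sep 12 03:14:25 yuno sshd[1234]: Failed password for root from 122.195.189.84 port 51240 ssh2
Sep 12 03:14:29 yuno sshd[1237]: Failed password for root from 122.195.189.84 port 51251 ssh2
Sep 12 03:15:01 yuno sshd[1239]: Failed password for invalid user admin from 58.218.205.72 port 40012 ssh2
Sep 12 03:15:40 yuno sshd[1240]: Accepted publickey for alice from 192.168.1.5 port 50000 ssh2
Sep 12 03:16:02 yuno sshd[1241]: Failed password for alice from 192.168.1.5 port 50010 ssh2
Sep 12 03:16:10 yuno sshd[1242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.241  user=root'

# Count sshd "Failed password" events per source IP (log on stdin).
# Output lines: "<failures> <failures_against_root> <ip>", most failures first.
# Only the sshd line format is matched; the pam_unix line is deliberately
# ignored so that each attempt is counted once.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user NAME from" vs "for NAME from"
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip == "") next
            total[ip]++
            if (user == "root") root[ip]++
        }
        END { for (ip in total) printf "%d %d %s\n", total[ip], root[ip] + 0, ip }
    ' | sort -rn
}

# Print (never run) a reject rule for every IP with at least $1 failures,
# in the same form the thread uses, so the list can be reviewed first.
block_rules_for() {
    ssh_failures_by_ip | awk -v t="$1" '$1 >= t {
        printf "iptables -I INPUT -p tcp -s %s --dport ssh -j REJECT --reject-with tcp-reset\n", $3
    }'
}

# Stand-alone demo with an assumed threshold of 3 failures.
printf '%s\n' "$SAMPLE_AUTH_LOG" | block_rules_for 3
```

The threshold of 3 is an assumption for the demo; fail2ban does the same counting continuously with a time window and expiry, which this one-shot script does not.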

I’m not saying the security of the OS is bulletproof. But what you are seeing, everyone sees. The only way to stop those IPs is to disconnect from the internet. fail2ban (preconfigured) does a good job of stopping brute force attacks.

But you do have a few things you can do that yunohost doesn’t do by default.

  • change the port ssh listens on
  • disable password logins (assuming you have enabled and configured key-based logins)

Change the ssh port and use iptables rules.

terminal:
iptables -I INPUT -p tcp -s 80.80.80.80 --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -s 80.80.80.80 --dport smtp -j REJECT --reject-with tcp-reset
save the new rules:
iptables-save > /root/my.active.firewall.rules

You can cat /root/my.active.firewall.rules to check the rules.

1st way:
Create this line with crontab -e:
@reboot sudo iptables-restore < /root/my.active.firewall.rules

Use whois to check the range, and you can block it like this using the inetnum:
# 80.80.80.0/24 covers 80.80.80.0-80.80.80.255 (a prefix length must be 0-32; /255 is not valid)
-A INPUT -s 80.80.80.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset

If you need to restore the iptables rules, use this:

iptables-restore < /root/my.active.firewall.rules

2nd way:
(you can use another method to save the rules if you prefer:
add an entry in /etc/rc.local)

Install logwatch; it works great and can be a good troubleshooting tool for the whole system!

You will receive an email every day and you can check the bad guys :)
and add the new rules to iptables.

Delete a line in iptables:

iptables -vnL INPUT --line-numbers

You will see the list of IPs with a number on the left; use this number to delete, like this:

iptables -D INPUT 10

Using the IP to delete the rule:
iptables -D INPUT -s 80.80.80.80 -j DROP

Add these lines to:

block ssh on port 22
allow ssh only from the local network

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
sudo iptables -I INPUT -p tcp --dport XXXX -s 192.168.0.0/16 -j ACCEPT

where XXXX is your changed ssh port.

3rd way:
(another method of saving rules, in case you have no rules after a reboot)

sudo nano /etc/network/interfaces
pre-up iptables-restore < /root/my.active.firewall.rules

Using @reboot firewall reload in the crontab deletes my rules.

List the rules for the INPUT chain:

sudo iptables -L INPUT -v

Save all the rules in a txt file, because you can accidentally delete all the rules if you save and for some reason you haven't restored the old rules when using the commands "iptables-restore" and "iptables-save".
And check before whether they exist using iptables -L -n.
If you have them in the txt file, you can copy-paste them into the terminal and there is no need to recreate them all by hand again.

I personally don't use fail2ban: too many emails for my mailbox, because I am a curious person and am always doing "whois ip" all day, and that stresses me a little and grows my paranoia, but fail2ban works very well if you take the time to learn and configure it.
I prefer the old way :)
You have to see what works for you!
Hope it helps somebody!
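The post above blocks a whole inetnum range from whois, which is where prefix lengths go wrong (an inetnum is given as "first - last", not as a prefix, and a range does not always fit one CIDR block). The script below is an added example, not code from the post or from YunoHost: it converts an inclusive range into the minimal set of CIDR blocks, emits the same iptables-save style REJECT lines the post uses, and wraps them in a file for iptables-restore. The sample range and the "--noflush" usage note are mine; 64-bit shell arithmetic is assumed (true of dash and bash on a 64-bit system).

```shell
#!/bin/sh
# Dotted quad -> 32-bit integer and back (64-bit shell arithmetic assumed).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split an inclusive inetnum range "first last" into the minimal list of
# CIDR blocks: at each step take the largest block that starts exactly at the
# current address and does not run past the end of the range.
range_to_cidrs() {
    s=$(ip_to_int "$1"); e=$(ip_to_int "$2")
    [ "$s" -le "$e" ] || { echo "range start is after end" >&2; return 1; }
    while [ "$s" -le "$e" ]; do
        n=32
        while [ "$n" -gt 0 ]; do
            size=$(( 1 << (33 - n) ))          # size of the block with prefix n-1
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            n=$(( n - 1 ))
        done
        echo "$(int_to_ip "$s")/$n"
        s=$(( s + (1 << (32 - n)) ))
    done
}

# Emit iptables-save format REJECT rules for a range and a TCP port.
rules_for_range() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        printf '%s\n' "-A INPUT -s $cidr -p tcp -m tcp --dport $3 -j REJECT --reject-with tcp-reset"
    done
}

# Wrap rule lines from stdin in a minimal filter table for iptables-restore.
# Load it with "iptables-restore --noflush" (-n) so that rules other tools
# (e.g. the YunoHost firewall) already installed are kept instead of flushed.
restore_file() {
    printf '*filter\n'
    cat
    printf 'COMMIT\n'
}

# Stand-alone demo with a constructed range (not a real whois result).
rules_for_range 58.218.204.0 58.218.205.255 22 | restore_file
```

Two caveats for the procedure in the post: a plain `iptables-restore < file` replaces the whole table, so a file saved before YunoHost's own rules were loaded will silently remove them unless you use `--noflush`; and a range like 80.80.80.1 - 80.80.80.6 becomes four blocks, not one, which the function above handles.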

I have this working using the 3rd way.

sudo nano /etc/network/interfaces
I add these two lines (after the iface line):
pre-up /sbin/iptables-restore < /root/my.active.firewall.rules
post-up /sbin/iptables-restore < /root/my.active.firewall.rules

and I have my rules always working.

I don't use fail2ban, and I think fail2ban will delete the iptables rules, but I never tried both, so I don't know if they can work simultaneously... I have done apt-get purge fail2ban.
But I still use the yunohost firewall with iptables; both work fine.

Now I rarely add more iptables rules, uff :slight_smile:
but my list is big...
Now I have to learn how to block the mod_proxy.
I have proxytest.zmap.io:80 always trying to use my server...
I add the iptables lines for them but they change IP afterwards... and it appears again in the logwatch mail the next day.
Anybody knows?
Thanks

I am using ipset-blacklist by trick77 https://github.com/trick77/ipset-blacklist . Can anyone look at the script to see if it works well with Yunohost?

Thanks