Large number of logins warning

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 12.1.14
How are you able to access your server: The webadmin
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Hello all.

For the past couple of weeks, YNH Diagnostics has been sending me an email telling me “…that there has been an unusually high number of logins recently…” My SSH port is not the standard number; I changed that a long time ago, and the port is closed and only accessible locally. I’m interested to know who or what is causing the high number of logins and try to stop them (if I can). I’m not afraid of using terminal, but can anyone give me some guidance on where I should look in Fail2ban?

For now I have disabled the ynh API, bit of a pain as I have to re-enable it to do admin. Rather that than get constant login attempts.

Thank you very much for any help

Dj

Share relevant logs or error messages

None

Under the hood, Yunohost uses journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' to list the authentication failures, which doesn’t just include the SSH ones but possibly any auth attempt on the system … Running this command should give us more clues whether it’s from SSH or something else

@Aleks Many thanks for this. I shall give this a try next time I’m doing some admin. I will follow this up with a comment with the results. For now I have disabled the ynh API just in case it’s that.

Again thank you

Dj

@Aleks Wow, yes quite a list… every 40 seconds or so I’m getting something which I suppose is normal. Most of the entries are like the ones below

Apr 15 15:15:44 digitalcarnage.co.uk sshd[3477211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.3.42.103
Apr 15 15:16:42 digitalcarnage.co.uk sshd[3477264]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=181.115.165.214 user=root

It goes on forever, then there are a few hits specifically at my 4 WordPress sites, all different IP addresses.

Should I be concerned?

Dj
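To see what the journalctl output above actually contains, here is a small parser that reads pam_unix “authentication failure” lines and counts them per PAM service and per remote host. It is an added example, not part of the thread or of YunoHost; the first two sample lines are the ones pasted above, the rest are constructed for the example.

```python
import re
from collections import Counter

# Sample journal lines: the first two are the lines quoted in the thread,
# the remaining ones are constructed for this example (not real log output).
SAMPLE_LINES = """\
Apr 15 15:15:44 digitalcarnage.co.uk sshd[3477211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.3.42.103
Apr 15 15:16:42 digitalcarnage.co.uk sshd[3477264]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=181.115.165.214 user=root
Apr 15 15:17:30 digitalcarnage.co.uk sshd[3477301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=181.115.165.214 user=admin
Apr 15 15:18:02 digitalcarnage.co.uk sudo[3477350]: pam_unix(sudo:auth): authentication failure; logname=dj uid=1000 euid=0 tty=/dev/pts/0 ruser=dj rhost=  user=dj
Apr 15 15:18:10 digitalcarnage.co.uk sshd[3477360]: Accepted publickey for dj from 192.168.1.20 port 51234 ssh2
"""

# Syslog-style prefix, then the pam_unix marker with the PAM service name in parentheses.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;(?P<fields>.*)$"
)
# key=value pairs after the semicolon; values may be empty (logname=, ruser=).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return a dict for a pam_unix auth-failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(FIELD_RE.findall(rec.pop("fields"))))
    return rec


def summarize(lines, threshold=2):
    """Count failures per PAM service and per remote host; flag hosts at/above threshold."""
    by_service, by_rhost = Counter(), Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        by_service[rec["service"]] += 1
        if rec.get("rhost"):  # local failures (sudo, console) carry no rhost
            by_rhost[rec["rhost"]] += 1
    repeat = {h: n for h, n in by_rhost.items() if n >= threshold}
    return {"by_service": dict(by_service), "by_rhost": dict(by_rhost), "repeat_offenders": repeat}


if __name__ == "__main__":
    import json, sys
    # Pipe the journalctl command from the thread into this script, or run it on the sample.
    data = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    print(json.dumps(summarize(data), indent=2))
```

The by_service counts show directly whether the failures come from sshd or from another PAM service, and repeat_offenders lists the hosts Fail2ban should already be banning.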

Hmmm okay so the good news is that they are SSH authentication attempts apparently? (and not something more worrisome)

The only odd thing is that you said you’re already using a custom port? But well, I suppose bots are evolving and trying less standard ports … Would it be okay for you to use yet another different port? :upside_down_face:

@Aleks Thanks for your help so far.

I tried to change my port number again to see if I could cut down on the high hits. I did the following:

sudo yunohost settings set security.ssh.ssh_port -v <new_ssh_port_number>

in terminal which returned the following:

SSH
Info: Saving the new configuration…
Success! Config updated as expected

If I exit and try to log back in again with:

ssh root@192.168.y.xxx -p new port number

It goes no where, but I can still get in with:

ssh root@192.168.y.xxx -p old port number

I can get in ok. The old port number is still showing on the GUI Firewall.

Did I miss something else?

A dumb question now… Sorry… If I use an SSH authentication key, I understand that it is created on the client machine, i.e. my laptop, and then copied to the server. What happens if I lose my laptop or it gets broken, whatever, how do I gain access to the server? The second step is to deactivate the password if using a key so I guess I could have a problem, or again have I missed something?

Best wishes

Dj

@Aleks No matter how many times I tried to change the port number it wouldn’t have it. In the diagnosis there was an instruction to reset the config for SSH, which I did and tried again… Bingo!!! New port number working. Let’s see how many knocks on the door I get this time.

I would like to use an SSH authentication key but I’m concerned about how I get access if the machine that generated the keys breaks down or gets lost.

Many thanks

Dj