My YunoHost server
Hardware: VPS bought online / Old laptop or computer / Raspberry Pi (specify version, 0 to 4) at home / Internet Cube with VPN / Other ARM board / …
YunoHost version: 220.127.116.11 (testing)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no /
If yes, please explain:
Description of my issue
This week I will be ‘celebrating’ a full year using yunohost for everything, 4 websites, 2 Nexclouds, piwigo, and email. It has been brilliant, it has never let me down, yet, any problems that I have had have been my own doing, so thanks to all the folk involved in this project. 95% of my online stuff is self-hosted. Very pleased.
So moving on. Every week I clear out old backups on my USB drive to make room for more and while I’m at it I run a diagnosis just to make sure all is well. Today I ran one and got the following:
There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.
I have read Security | Yunohost Documentation and since I started I have had another port for SSH, it was one of the first things I did to change that port number! So I’m wondering if there is anything else I can check. I know my way around my server quite well I think, but Fail2Ban scares me a bit.
Is there anything I should be looking for and where, or is this just flagging up that I have had a lot of hits on,y server recently and shouldn’t be too concerned? I don’t know… I did have this about 6 months ago and it stopped.
Many thanks for any help or guidance with this matter
Best wishes to all
sudo yunohost service status fail2ban
description: Protects against brute-force and other kinds of attacks from the Internet
last_state_change: 2022-12-11 20:53:52
Ii did a
nano /var/log/auth.log file
MASSIVE log file… lots of banned attempts…
Finally. Not sure about this one…
sudo fail2ban-client status JAIL
The part about replacing “JAIL with…” Maybe I’m misunderstanding.
if I do
sudo fail2ban-client status myhostname
I get that the myhostname doesn’t exist.
What should i be replacing JAIL with?
Many thanks for your help
Replace JAIL by
sshd for the jailed SSH attempts,
yunohost for a lot of things.
There should be something with
nginxtoo. You can list the jail by using
sudo fail2ban-client status.
If you only want to display the SSH failed attempts, you can do something like
sudo grep "invalid" /var/log/auth.log.
And if you just want to list the IP :
grep "invalid" /var/log/auth.log* | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq | sort -n
This little script I made could also interest you => [GeoIP] [Fail2Ban] Bannir les tentatives de connexions par mod_proxy ou par SSH
@kit Many thanks for your help. I am going to have a look at this again later. I know that fail2ban is working because if I make an error with the password on any of my apps I get locked out for 5 minutes or so before I can log in again, and that’s with any app, piwigio, nextcloud, etc. It’s just recently I seem to be getting hit a lot, my SSH port number is not the default 22, but I will investigate further.
Thanks very much
Note that if you use a strong passphrase, you should be safe (at least for bruteforce).
Be sure to have up to date apps, and specifically wordpress plugins. Sometimes, tools that scan ssh can try other attacks methods.
Note that it’s quasi “normal” to have your server scanned and some bruteforce attempt onto sshd. IMHO, Yunohost triggers alerts about it in order to make you aware of this kind of risk (and avoid people who don’t put good password/passphrase). It could be also useful to detect some targeted attacks (if you have specific threat model).
An if you really want to stop it, it’s possible to customize settings of fail2ban to be stronger with ban policy.
Please, check that your firewall is working well too. Maybe a check of this command could help
@ljf Thanks for this.
Yes, ALL my passwords for SSH, apps and the YNH admin are massively long and mixed characters. It’s impossible for even me to log in without my password manager!!!
Thanks for the help with this, I think I probably need to do a bit more reading n Fail2Ban, it certainly works as even I have been locked out after getting the password/phrase wrong!
I’m not sure how the Wireguard trick works suggested by @arkadi. My 4 websites have to have public access, as well as piwigo and to a lesser extent Nextcloud. I have a RPi with Wireguard on it so that, if I need to I can log in remotely to do YNH maintenance but that’s about it.
I understand that bot will be hitting on a bunch of public IP ranges now and then in the hope of striking lucky.
Top help and advice though guys, thank you very much.
Wow! I ran this and it was massive… Hundreds of failed attempts using the wrong password and port number. from the 11th of December to now!!
I’m not using port 22 for SSH its 4 digits long. Is it ok to have the port number with more digits, say 6?
Thanks very much
It is useless, attacker can easily scan the server to find out the correct port.
Changing from port 22 to port xxxx only lower the number of dumb attacks (see script kiddies).
Be sure to use the command
sudo yunohost settings set security.ssh.port -v <new_ssh_port_number> to change the SSH port ( see Security | Yunohost Documentation ). Do not change it manually in
Btw for increasing security, you should disable password authentication and only allow pubkey authentication (see link above).
What about the solution of closing port 22 (and any other ssh port) and using the “Shell in a box” App instead (so, using port 443)?
For your information, my yunohost instance is being continuously attacked on ssh for a week (even if i’m not using default ssh port).
But I’m not really scared, because fail2ban is doing its job: more than 650 banned IP since last week!
And yunohost’s internal diagnosis send me an e-mail twice a day to inform that there’s been a suspiciously high number of authentication failures recently.
When I check /var/log/auth.log I can see the connections attempts from various IP allover the world (only IPv4 by the way) with various logins (root, nextcloud, adminweb, wp-admin, … But also random logins like : Jason, Danny, brandon…).
Oh god I wouldnt trust the security of Shell In a Box whatever layer protects it more than I trust good old SSH …
Thanks for that feedback @Aleks!
Just a little post to inform that my server is continuously attacked by ssh connections attempts.
But fail2ban is doing its job: over 1800 IP addresses banned.
I wonder why the attackers go on trying to access my server… Are my personnal data such interesting?
@Benance It’s just a bot that mainly nasty people use that keeps port scanning a batch of ip numbers until it hits lucky, ie it finds a port that’s open and logs it for later exploitation. Sometimes as we all know port scanning can be useful.
I was terrified the first time I saw the amount of hits on my server which is way I raised the concern in the first place.
Personally I have changed the default port number for ssh, removed that port number from my router, so no port forwarding on that port. The only way I can use ssh is either local access or via a vpn that I have in place, just in case I get desperate while I’m away.
Avoid things like Shell in a Box. Sorry to the author of this app but I’d be a bit dubious about accessing my server unless it’s a terminal app. Maybe I’m just old fashioned.
Since making the above changes, I no longer see messages about heavy hits in my server.
Help or harm?
Have a great day
Thanks for your answer.
I’m not scared at all about theses attempts, but I’m very surprised about the number of different IP adresses the attackers use to try to connect.
have a good day.
Probably some botnet, and/or a too short ban duration in f2b.