Security Scare? / suspiciously high number of authentication failures

My YunoHost server

Hardware: VPS bought online / Old laptop or computer / Raspberry Pi (specify version, 0 to 4) at home / Internet Cube with VPN / Other ARM board / …
YunoHost version: 11.1.0.2 (testing)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no /
If yes, please explain:

Description of my issue

This week I will be ‘celebrating’ a full year using YunoHost for everything: 4 websites, 2 Nextclouds, Piwigo, and email. It has been brilliant; it has never let me down yet, and any problems I have had have been my own doing, so thanks to all the folk involved in this project. 95% of my online stuff is self-hosted. Very pleased.

So moving on. Every week I clear out old backups on my USB drive to make room for more and while I’m at it I run a diagnosis just to make sure all is well. Today I ran one and got the following:

There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.

I have read Security | Yunohost Documentation, and since I started I have had a different port for SSH; changing that port number was one of the first things I did! So I’m wondering if there is anything else I can check. I know my way around my server quite well, I think, but Fail2Ban scares me a bit.

Is there anything I should be looking for, and where, or is this just flagging up that I have had a lot of hits on my server recently and I shouldn’t be too concerned? I don’t know… I did have this about 6 months ago and it stopped.

Many thanks for any help or guidance with this matter

Best wishes to all

Dj

Hello,

Happy yuno-birthday :smiley:

You can check:

  • If F2B is running: sudo yunohost service status fail2ban
  • The /var/log/auth.log file: do you have a lot of failed authentication attempts? Are the failed attempts’ IPs banned by F2B (sudo fail2ban-client status JAIL, replacing JAIL by the name of the jail: sshd, yunohost…)?

hi @Kit

sudo yunohost service status fail2ban

Returns:

configuration: valid
description: Protects against brute-force and other kinds of attacks from the Internet
last_state_change: 2022-12-11 20:53:52
start_on_boot: 

I did a

nano /var/log/auth.log

MASSIVE log file… lots of banned attempts…

Finally. Not sure about this one…

sudo fail2ban-client status JAIL

The part about replacing “JAIL with…” Maybe I’m misunderstanding.

if I do

sudo fail2ban-client status myhostname

I get that the myhostname doesn’t exist.

What should i be replacing JAIL with?

Many thanks for your help

dj

Replace JAIL with sshd for the jailed SSH attempts, or yunohost for a lot of other things.

There should be something with nginx too. You can list the jails by using sudo fail2ban-client status.

If you only want to display the SSH failed attempts, you can do something like sudo grep "invalid" /var/log/auth.log.

And if you just want to list the IPs (zgrep also reads the rotated, gzipped auth.log.*.gz files that plain grep would skip): sudo zgrep -h "invalid" /var/log/auth.log* | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | sort -n

This little script I made could also interest you => [GeoIP] [Fail2Ban] Ban connection attempts via mod_proxy or via SSH

@kit Many thanks for your help. I am going to have a look at this again later. I know that fail2ban is working, because if I make an error with the password on any of my apps I get locked out for 5 minutes or so before I can log in again, and that’s with any app: Piwigo, Nextcloud, etc. It’s just recently that I seem to be getting hit a lot; my SSH port number is not the default 22, but I will investigate further.

Thanks very much

Dj

Another strategy is:

  1. close port 22 on your router, and run WireGuard on your system, only connect with that
  2. change port 22 to another port like 2222
  3. close port 22 on your router, run Tailscale (another form of WireGuard) and connect through that

Note that if you use a strong passphrase, you should be safe (at least against brute force).

Be sure to have up-to-date apps, and specifically WordPress plugins. Sometimes, tools that scan SSH can try other attack methods.

Note that it’s quasi “normal” to have your server scanned and to see some brute-force attempts against sshd. IMHO, YunoHost triggers alerts about it in order to make you aware of this kind of risk (and to warn people who don’t use a good password/passphrase). It could also be useful for detecting targeted attacks (if you have a specific threat model).

And if you really want to stop it, it’s possible to customize the settings of fail2ban to have a stronger ban policy.

Please, check that your firewall is working well too. Maybe a check of this command could help

iptables-save

@ljf Thanks for this.

Yes, ALL my passwords for SSH, apps and the YNH admin are massively long and mixed characters. It’s impossible for even me to log in without my password manager!!!

Thanks for the help with this, I think I probably need to do a bit more reading on Fail2Ban; it certainly works, as even I have been locked out after getting the password/phrase wrong!

I’m not sure how the WireGuard trick suggested by @arkadi works. My 4 websites have to have public access, as well as Piwigo and, to a lesser extent, Nextcloud. I have a RPi with WireGuard on it so that, if I need to, I can log in remotely to do YNH maintenance, but that’s about it.

I understand that bots will be hitting a bunch of public IP ranges now and then in the hope of striking lucky.

Top help and advice though guys, thank you very much.

Dj

Wow! I ran this and it was massive… Hundreds of failed attempts using the wrong password and port number, from the 11th of December to now!!

I’m not using port 22 for SSH; it’s 4 digits long. Is it OK to have a port number with more digits, say 6?

Thanks very much

Dj

It is useless; attackers can easily scan the server to find the correct port.

Changing from port 22 to port xxxx only lowers the number of dumb attacks (see script kiddies).

Be sure to use the command sudo yunohost settings set security.ssh.port -v <new_ssh_port_number> to change the SSH port (see Security | Yunohost Documentation). Do not change it manually in /etc/ssh/sshd_config.

Btw for increasing security, you should disable password authentication and only allow pubkey authentication (see link above).

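Kit’s closing advice is to disable password authentication and allow only public keys. The Python below is an added example (mine, not YunoHost’s or OpenSSH’s code) that audits an sshd_config text for the settings that advice implies and explains two ways a hand edit can silently do nothing: sshd keeps the first value it sees for each keyword, so a second PasswordAuthentication line lower down is ignored, and every line after a Match directive belongs to that Match block rather than to the global section, so a setting appended at the bottom of a file that ends in a Match block is conditional, not global. The config excerpt is constructed; the parser ignores Include directives and the other subtleties of the real OpenSSH parser; WANTED is my own list of the three settings to check, not a YunoHost baseline.

```python
import re

# Constructed sshd_config excerpt (not copied from any real host). Two traps
# are planted on purpose: line 6 repeats PasswordAuthentication (ignored, the
# first value wins) and line 11 is appended after a Match block, so it is not
# a global setting at all.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real YunoHost file
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes

PasswordAuthentication no
"""

# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
KV_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Settings this audit insists on (my choice for this example).
WANTED = {
    "passwordauthentication": "no",   # public-key only, as the thread recommends
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return a list of (lineno, keyword_lower, value, inside_match_block)."""
    entries = []
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            in_match = True   # everything up to the next Match is conditional
            continue
        entries.append((lineno, key, value, in_match))
    return entries


def effective_global(entries):
    """sshd uses the FIRST value given for a keyword in the global section."""
    effective = {}
    for _, key, value, in_match in entries:
        if not in_match and key not in effective:
            effective[key] = value
    return effective


def audit(text):
    """Return human-readable findings; an empty list means the global section
    matches WANTED and no WANTED keyword is shadowed or stuck in a Match block."""
    entries = parse_sshd_config(text)
    effective = effective_global(entries)
    findings = []
    for key, want in WANTED.items():
        got = effective.get(key, "<default>")
        if got.lower() != want:
            findings.append(f"{key}: effective global value is {got!r}, wanted {want!r}")
    seen = set()
    for lineno, key, value, in_match in entries:
        if key not in WANTED:
            continue
        if in_match:
            findings.append(f"line {lineno}: '{key} {value}' is inside a Match block and only applies there")
        elif key in seen:
            findings.append(f"line {lineno}: '{key} {value}' is shadowed by an earlier {key} line")
        else:
            seen.add(key)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(finding)
```

The audit reports that passwords are still accepted globally and points at the two lines that were meant to turn them off. The authoritative check on a real host is sudo sshd -T, which prints the configuration sshd actually applies after parsing; on YunoHost, make the change through the yunohost settings command the post refers to rather than by editing /etc/ssh/sshd_config by hand, and use a script like this only to read, never to write.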

What about the solution of closing port 22 (and any other ssh port) and using the “Shell in a box” App instead (so, using port 443)?

For your information, my YunoHost instance has been continuously attacked over SSH for a week (even though I’m not using the default SSH port).
But I’m not really scared, because fail2ban is doing its job: more than 650 banned IPs since last week!
And YunoHost’s internal diagnosis sends me an e-mail twice a day to inform me that there’s been a suspiciously high number of authentication failures recently.
When I check /var/log/auth.log I can see the connection attempts from various IPs all over the world (only IPv4, by the way) with various logins (root, nextcloud, adminweb, wp-admin, … but also random logins like Jason, Danny, brandon…).


Oh god, I wouldn’t trust the security of Shell In a Box, whatever layer protects it, more than I trust good old SSH…

Thanks for that feedback @Aleks!

Hello
Just a little post to inform you that my server is being continuously attacked by SSH connection attempts.
But fail2ban is doing its job: over 1800 IP addresses banned.
I wonder why the attackers keep trying to access my server… Is my personal data so interesting?

@Benance It’s just a bot, mainly used by nasty people, that keeps port scanning a batch of IP numbers until it strikes lucky, i.e. it finds a port that’s open, and logs it for later exploitation. Sometimes, as we all know, port scanning can be useful.

I was terrified the first time I saw the amount of hits on my server, which is why I raised the concern in the first place.

Personally I have changed the default port number for SSH and removed that port number from my router, so there is no port forwarding on that port. The only way I can use SSH is either local access or via a VPN that I have in place, just in case I get desperate while I’m away.

Avoid things like Shell in a Box. Sorry to the author of this app but I’d be a bit dubious about accessing my server unless it’s a terminal app. Maybe I’m just old fashioned.

Since making the above changes, I no longer see messages about heavy hits on my server.

Help or harm?

Have a great day

Dj


Thanks for your answer.
I’m not scared at all about these attempts, but I’m very surprised by the number of different IP addresses the attackers use to try to connect.
have a good day.

Probably some botnet, and/or a too-short ban duration in f2b.
