Hi,
In my Zimbra log are a lot of messages like "mail sshd[11267]: Failed password for root from xxx.xxx.xxx.xxx port 51664 ssh2".
What should I do to stop access for this ip?
Thank you!
Too many root connection on ssh with fake passwords
Too many root connection on ssh with fake passwords
You should not have any vulnerable ports open to the internet and especially port 22, you should access the server via a VPN for admin purposes.
-
weigenmann
- Posts: 25
- Joined: Fri Sep 12, 2014 11:16 pm
Too many root connection on ssh with fake passwords
For your host OS look up fail2ban that can help with your issue also if you must have ssh enabled.
-
imanudin11
- Outstanding Member
- Posts: 297
- Joined: Sat Sep 13, 2014 2:23 am
- ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
- Contact:
Too many root connection on ssh with fake passwords
You could change default port SSH 22 to another port. Example 2234. or install denyhost for blocking access if trying login SSH for 3 times failed
**
Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net
Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net
-
jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Too many root connection on ssh with fake passwords
Hi,
If you change the SSH port on your server, please make sure that you reflect this change into Zimbra with the next command:
zmprov ms hostname.yourdomain.com zimbraRemoteManagementPort 10212
You can check then the SSH keys:
ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@hostname.yourdomain.com -p 10212
And if you have any trouble with the SSH keys, then try to regenerate them:
cd /opt/zimbra/bin/
./zmsshkeygen
./zmupdateauthkeys
But one of the best solutions if you can is the one that [mention:7e2acb425685430bb6a16ef93b1c0d0c:e9ed411860ed4f2ba0265705b8793d05] suggested to you, use VPN to access to SSH. If you can't, then change the port, and protect the system using fail2ban, etc.
Best regards
Too many root connection on ssh with fake passwords
We've seen a surge in ssh attacks in the last couple of weeks. One good protection is a *strong* root password. You can hide it behind a firewall or vpn, or obfuscate it by changing the port, but there is nothing wrong with just setting a good password, or better still configuring ssh to disallow root login.
The other thing you can do (and its what we do) is set "AllowGroups ssh" in your /etc/ssh/sshd_config file.
This prevents a login on any account that is not a member of the ssh group. Doing it this way means they can try as many times as they like, but they'll only get in if they are trying with the right account, and then get the right password.
When your root account has a randomly chosen 16 character password (because we *never* login as root by password) then you don't need to make it simple or memorable.
root@srv:~# grep "Failed password for root" /var/log/auth.log | wc -l
3477
The other thing you can do (and its what we do) is set "AllowGroups ssh" in your /etc/ssh/sshd_config file.
This prevents a login on any account that is not a member of the ssh group. Doing it this way means they can try as many times as they like, but they'll only get in if they are trying with the right account, and then get the right password.
When your root account has a randomly chosen 16 character password (because we *never* login as root by password) then you don't need to make it simple or memorable.
root@srv:~# grep "Failed password for root" /var/log/auth.log | wc -l
3477
Who is online
Users browsing this forum: No registered users and 5 guests