Too many root connection on ssh with fake passwords


Postby adimate » Fri Apr 24, 2015 5:10 am

Hi,



In my Zimbra log there are a lot of messages like "mail sshd[11267]: Failed password for root from xxx.xxx.xxx.xxx port 51664 ssh2".


What should I do to stop access for this IP?


 


Thank you!




Postby phoenix » Fri Apr 24, 2015 5:15 am

You should not have any vulnerable ports open to the internet, especially port 22; you should access the server via a VPN for admin purposes.

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

Postby weigenmann » Sat Apr 25, 2015 8:52 pm

For your host OS, look up fail2ban; that can also help with your issue if you must have SSH enabled.

Postby imanudin11 » Mon Apr 27, 2015 8:39 pm

You could change the default SSH port 22 to another port, for example 2234, or install DenyHosts to block access after 3 failed SSH login attempts.

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net

Postby jorgedlcruz » Tue Apr 28, 2015 9:03 am

Hi,


If you change the SSH port on your server, please make sure that you reflect this change in Zimbra with the following command:


zmprov ms hostname.yourdomain.com zimbraRemoteManagementPort 10212

You can then check the SSH keys:


ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@hostname.yourdomain.com -p 10212

And if you have any trouble with the SSH keys, then try to regenerate them:


cd /opt/zimbra/bin/
./zmsshkeygen
./zmupdateauthkeys


But one of the best solutions, if you can, is the one that phoenix suggested to you: use a VPN to access SSH. If you can't, then change the port and protect the system using fail2ban, etc.


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Postby Brad_C » Thu Apr 30, 2015 8:23 pm

We've seen a surge in ssh attacks in the last couple of weeks. One good protection is a *strong* root password. You can hide it behind a firewall or vpn, or obfuscate it by changing the port, but there is nothing wrong with just setting a good password, or better still configuring ssh to disallow root login.



The other thing you can do (and it's what we do) is set "AllowGroups ssh" in your /etc/ssh/sshd_config file.

This prevents a login on any account that is not a member of the ssh group. Doing it this way means they can try as many times as they like, but they'll only get in if they are trying with the right account, and then get the right password.



When your root account has a randomly chosen 16 character password (because we *never* log in as root by password) then you don't need to make it simple or memorable.



root@srv:~# grep "Failed password for root" /var/log/auth.log | wc -l

3477
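
Added example, not part of any post in this thread: the grep count above broken down per source address, which is the tally that fail2ban or DenyHosts act on. The function names, the sample log lines and their addresses are constructed for illustration; the threshold of 3 is the figure mentioned earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): count failed SSH password attempts
# per source IP and list the addresses that reach a threshold.

# Constructed sample lines in the sshd format quoted in the thread;
# the addresses are documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
Apr 24 05:01:10 mail sshd[11267]: Failed password for root from 203.0.113.7 port 51664 ssh2
Apr 24 05:01:12 mail sshd[11267]: Failed password for root from 203.0.113.7 port 51664 ssh2
Apr 24 05:01:15 mail sshd[11269]: Failed password for root from 203.0.113.7 port 51702 ssh2
Apr 24 05:02:01 mail sshd[11301]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Apr 24 05:02:30 mail sshd[11310]: Accepted publickey for zimbra from 192.0.2.10 port 38844 ssh2
Apr 24 05:03:02 mail sshd[11322]: Failed password for root from 198.51.100.23 port 40101 ssh2
EOF
}

# Read an auth log on stdin; print "COUNT IP", highest count first.
failed_by_ip() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
      # Take the address by position from the end of the line: the user
      # name earlier in the line is supplied by the remote client.
      count[$(NF-3)]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failed attempts.
over_threshold() {
  failed_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# Stand-alone run: use the log file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
  over_threshold 3 < "$1"
else
  sample_log | over_threshold 3
fi
```

Run it with /var/log/auth.log as the argument on the host from the post above; other distributions may log sshd to a different file.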
