Password Auth Disabled, Brute force still attempted

Update: Since I don’t have a static IP at home I was a little hesitant to limit ssh to a specific IP, but I had an epiphany that I’m sad to admit took me so long. I logged in and changed the VPS firewall to allow ssh from my home IP only. Since I can log in to that console from anywhere I can update my SSH allow IP to my home IP as needed, and I left the ssh rate-limited allow-all rule in the server. This is effective, but it does not address my concern on how these attacks are even happening, and to further my knowledge I would like to know if anyone can help.

So, I have set up public keys, disabled password authentication in sshd_config/ssh_config, disabled weak and insecure algorithms like nistp, disabled root login and set my “AllowUsers” list. Somehow fail2ban is still logging hundreds of access attempts that are bumping my CPU usage. How are attackers able to seemingly bypass public key requirements to even attempt passwords? PAM maybe? If that’s it, how can I secure it without breaking mail? I believe Mailinabox needs PAM, but maybe I’m wrong. Maybe I should enable 2FA in PAM? I didn’t think it was necessary since I strictly use public keys anyway, but maybe I was wrong. I thought these attacks were on the login page at first, but they’re almost all ssh attempts. I have attempted to ssh with passwords and it rejects me, so I even tried telnet and had no luck. I may not be the world’s greatest Linux admin, but this is not my first rodeo and I have never had an issue blocking password logins before. I’m sure I’m just missing something, but I’m afraid to do any more and break my server before I ask the experts.

sshd config:
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no

Most of these below are root and blocked by the “AllowUsers” list, but 12 hours ago it was a bunch of “ftpadmin, alexie, abcdefg, trevor” etc., but it still shows my point. How are they able to even attempt password ssh?

Dec 11 13:22:00 box sshd[1180344]: User root from 138.2.152.212 not allowed because not listed in AllowUsers
Dec 11 13:22:00 box sshd[1180344]: Received disconnect from 138.2.152.212 port 36124:11: Bye Bye [preauth]
Dec 11 13:22:00 box sshd[1180344]: Disconnected from invalid user root 138.2.152.212 port 36124 [preauth]
Dec 11 13:22:01 box sshd[1180346]: Invalid user bcr from 103.176.78.20 port 36398
Dec 11 13:22:02 box sshd[1180346]: Received disconnect from 103.176.78.20 port 36398:11: Bye Bye [preauth]
Dec 11 13:22:02 box sshd[1180346]: Disconnected from invalid user bcr 103.176.78.20 port 36398 [preauth]
Dec 11 13:22:22 box sshd[1180350]: User root from 20.37.36.107 not allowed because not listed in AllowUsers
Dec 11 13:22:22 box sshd[1180350]: Received disconnect from 20.37.36.107 port 36498:11: Bye Bye [preauth]

Any help is appreciated, this has been driving me nuts for a couple of days and everything I tried seems to do absolutely nothing to help.
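As an added example (not part of the original thread), here is a small Python script that runs over the log lines quoted above and counts what they actually record: every entry is a pre-authentication rejection (AllowUsers or an unknown user) and there is no “Failed password” or “Accepted …” line, so no authentication method was ever reached; the bots are connecting and being turned away before sshd offers them anything. The regular expressions are my own, written against OpenSSH’s standard log wording.

```python
import re
from collections import Counter

# Sample input: the sshd log lines quoted in the post above.
SAMPLE_LOG = """\
Dec 11 13:22:00 box sshd[1180344]: User root from 138.2.152.212 not allowed because not listed in AllowUsers
Dec 11 13:22:00 box sshd[1180344]: Received disconnect from 138.2.152.212 port 36124:11: Bye Bye [preauth]
Dec 11 13:22:00 box sshd[1180344]: Disconnected from invalid user root 138.2.152.212 port 36124 [preauth]
Dec 11 13:22:01 box sshd[1180346]: Invalid user bcr from 103.176.78.20 port 36398
Dec 11 13:22:02 box sshd[1180346]: Received disconnect from 103.176.78.20 port 36398:11: Bye Bye [preauth]
Dec 11 13:22:02 box sshd[1180346]: Disconnected from invalid user bcr 103.176.78.20 port 36398 [preauth]
Dec 11 13:22:22 box sshd[1180350]: User root from 20.37.36.107 not allowed because not listed in AllowUsers
Dec 11 13:22:22 box sshd[1180350]: Received disconnect from 20.37.36.107 port 36498:11: Bye Bye [preauth]
"""

# Patterns follow OpenSSH's usual log wording; they are my own, not taken from the post.
ALLOWUSERS_RE = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (publickey|password|keyboard-interactive)")
FAILED_RE = re.compile(r"Failed (password|publickey)")

def summarize(log_text):
    """Separate rejections that happen before any auth method runs from real
    authentication attempts (Failed ...) and successes (Accepted ...)."""
    rejections, by_ip, users = Counter(), Counter(), set()
    preauth_disconnects = accepted = auth_attempts = 0
    for line in log_text.splitlines():
        if line.rstrip().endswith("[preauth]"):   # sshd tags pre-auth disconnects
            preauth_disconnects += 1
        if ACCEPTED_RE.search(line):              # a login actually succeeded
            accepted += 1
        if FAILED_RE.search(line):                # a credential was really tried
            auth_attempts += 1
        for reason, pat in (("allowusers_reject", ALLOWUSERS_RE), ("invalid_user", INVALID_RE)):
            m = pat.search(line)
            if m:
                rejections[reason] += 1
                by_ip[m.group(2)] += 1
                users.add(m.group(1))
    return {"rejections": dict(rejections), "by_ip": dict(by_ip), "users": users,
            "preauth_disconnects": preauth_disconnects, "accepted": accepted,
            "auth_attempts": auth_attempts}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a fuller /var/log/auth.log (or journalctl -u ssh output) and the auth_attempts and accepted counters are the ones that matter: with PasswordAuthentication off they should stay at zero while the rejection counters climb.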

Hi,

My box doesn’t have any “…not allowed because not listed in AllowUsers” lines in the log, just the “…invalid user” lines.

Have you restarted the sshd service after you updated the config - from memory sudo service ssh restart will do the trick?

(Personally I like to reboot the server after any significant changes - a service restart should be enough but it’s nice to know everything comes up nicely.)

Also, if you want to limit the attacks, you could try the security-by-obscurity method. Change the sshd config so it’s listening on some other port (not the standard 22) - anything unused below 1024 should be ok.
