[GH-ISSUE #5] Too many authentication failures #3

Closed
opened 2026-03-03 13:58:09 +03:00 by kerem · 29 comments

Originally created by @pascalandy on GitHub (Jul 20, 2017).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/5

Hi,

Everything looks to install normally. I use Packet.net. When I reboot and log in (via SSH of course) I get this error:

> Received disconnect from 123:123:123:123: 2: Too many authentication failures

I guess there are some rules that are too severe. I looked at the scripts but didn't see how I could fix this.

Thank you!

kerem closed this issue 2026-03-03 13:58:09 +03:00

@pascalandy commented on GitHub (Jul 20, 2017):

Looks like https://github.com/konstruktoid/hardening/blob/master/ubuntu.sh#L24 should call https://github.com/konstruktoid/hardening/blob/master/scripts/02_ufw

Curious to know why the names are different.


@konstruktoid commented on GitHub (Aug 4, 2017):

Thanks for the report @pascalandy and sorry for such a late reply, but `f_firewall` is present as `function f_firewall` in https://github.com/konstruktoid/hardening/blob/master/scripts/02_ufw. Regarding the naming; functions can't be numbers, since it's not a valid identifier.

Please increase `MaxAuthTries` (https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L25-L29) and see if the problem persists.


@pascalandy commented on GitHub (Sep 4, 2017):

I'm actually provisioning new machines.
I think you should use branches to develop features and ensure master is always your golden copy :)


@pascalandy commented on GitHub (Sep 4, 2017):

Same error.

```
Authorized users only. All activity may be monitored and reported.
Received disconnect from 123.123.123: 2: Too many authentication failures
```

I also saw a few errors when the scripts started:

```
[12] /etc/hosts.allow and /etc/hosts.deny
[13] /etc/issue
[14] /etc/login.defs
[15] /etc/sysctl.conf
./scripts/13_sysctl: line 12: /sys/module/nf_conntrack/parameters/hashsize: No such file or directory
[1] /etc/security/limits.conf
[2] /etc/adduser.conf and /etc/default/useradd
[3] root access
[4] Installing base packages
./scripts/17_packages: line 4: dmidecode: command not found
./scripts/17_packages: line 8: dmidecode: command not found
Selecting previously unselected package acct.
(Reading database ... 25242 files and directories currently installed.)
Preparing to unpack .../acct_6.5.5-2.1ubuntu1_amd64.deb ...
Unpacking acct (6.5.5-2.1ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu19) ...
Setting up acct (6.5.5-2.1ubuntu1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
```

It's sad as I would love to use your template. I really enjoy the way you organized this project. Keep up the good work.

Cheers!


@konstruktoid commented on GitHub (Sep 5, 2017):

Hi again @pascalandy, I find it odd you're missing `nf_conntrack/parameters/hashsize` and `dmidecode`. Could you provide more details about the machines you are provisioning?

And regarding branches; you're absolutely right, I've just been lazy when it comes to my own repositories. Will start a develop branch right away.


@konstruktoid commented on GitHub (Sep 5, 2017):

Using the Vagrantfile for testing, I'm not having any issues with `nf_conntrack/parameters/hashsize` or `dmidecode` on Xenial, Zesty, Yakkety or Artful.


@pascalandy commented on GitHub (Sep 5, 2017):

I know there are always little subtle differences between cloud providers that break my scripts. I'm not using Ansible or Terraform at this point.

As I said, I provision bare-metal servers on packet.net (type 0). If you want, I would be glad to do a live session with you. We could provision machines on the spot and test till we find the issue.

I use a standard Ubuntu 16.04 fresh install each time. Packet is known to have fresh images.


@konstruktoid commented on GitHub (Sep 5, 2017):

Adding test if `nf_conntrack/parameters/hashsize` or `dmidecode` are missing.
Just to verify, can you check if the `nf_conntrack` kernel module is loaded?


@konstruktoid commented on GitHub (Sep 5, 2017):

Tests added and `dmidecode` replaced with `dmesg`; https://github.com/konstruktoid/hardening/commit/e5d51ab15ba02bdf0c93ee68797a3f5299a4aa8b


@pascalandy commented on GitHub (Sep 6, 2017):

Not sure if I should do something here.


@konstruktoid commented on GitHub (Sep 6, 2017):

Any failures after https://github.com/konstruktoid/hardening/commit/e5d51ab15ba02bdf0c93ee68797a3f5299a4aa8b?
And `nf_conntrack/parameters/hashsize` is only present if the `nf_conntrack` module is loaded.


@pascalandy commented on GitHub (Sep 6, 2017):

OK will try !


@pascalandy commented on GitHub (Sep 6, 2017):

Same error. Btw I use root to login. Is it ok?

```
> ➜  _infra git:(2.05) ssh root@$IP_PUBL_NODE_21 -p22;

Authorized users only. All activity may be monitored and reported.

Received disconnect from 123.123.123.12: 2: Too many authentication failures
Disconnected from 123.123.123.12
```

@konstruktoid commented on GitHub (Sep 7, 2017):

No, `root` is not allowed to log in.
https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L11


@pascalandy commented on GitHub (Sep 7, 2017):

Ok. In this case, which user should I use?


@konstruktoid commented on GitHub (Sep 7, 2017):

It's all about how you provision your servers, `root` should never be allowed to login and can be locked (https://github.com/konstruktoid/hardening/blob/master/scripts/36_lockroot), create a user and use `sudo` to gain superuser privileges instead. If not possible, change `PermitRootLogin` to `yes` in the sshd-config file and unlock the `root` user.


@pascalandy commented on GitHub (Sep 7, 2017):

Alright, I thought this project was creating a new user somewhere along the line. So all my

> Authorized users only. All activity may be monitored and reported.
> Received disconnect from 123.123.123.12: 2: Too many authentication failures

may be due to the fact I was using root :-p Will let you know!


@pascalandy commented on GitHub (Sep 14, 2017):

In `/etc/ssh/sshd_config` I changed `PermitRootLogin no` to `PermitRootLogin yes`
and I'm still locked down.

EDIT: I also tried to bypass https://raw.githubusercontent.com/konstruktoid/hardening/master/scripts/36_lockroot

same result.


@konstruktoid commented on GitHub (Sep 15, 2017):

Does it work if you create a normal user and try to connect?

<!-- gh-comment-id:329750143 --> @konstruktoid commented on GitHub (Sep 15, 2017): Does it work if you create a normal user and try to connect?
Author
Owner

@pascalandy commented on GitHub (Sep 15, 2017):

I did start to create a user but then many things break ... At this point I can't confirm.


@konstruktoid commented on GitHub (Sep 18, 2017):

What did break?


@konstruktoid commented on GitHub (Sep 18, 2017):

Since the `root` user shouldn't be allowed to remotely access a system or be used as a normal user, there are multiple configurations that need to be changed, e.g.:
https://github.com/konstruktoid/hardening/blob/master/scripts/16_rootaccess#L4
https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L11
https://github.com/konstruktoid/hardening/blob/master/scripts/36_lockroot#L4


@pascalandy commented on GitHub (Sep 18, 2017):

> What did break?

Mostly my existing scripts, ssh keys.


@pascalandy commented on GitHub (Sep 18, 2017):

I see the 3 lines you point out are SEDs.
Should I just delete those lines and `root` will stay untouched?


@konstruktoid commented on GitHub (Sep 18, 2017):

Without logs it's pretty tricky to pinpoint the exact cause of the failures.
I believe so, but consider not using the root account at all.


@pascalandy commented on GitHub (Sep 18, 2017):

I'm OK with using root at the moment. Fully aware that I must move on with another user in the future.
I'll try https://github.com/konstruktoid/hardening/issues/5#issuecomment-330149495


@konstruktoid commented on GitHub (Oct 31, 2017):

Closing due to inactivity.


@rams3sh commented on GitHub (May 9, 2022):

I faced a similar issue and I don't log in with root but with another custom user using certificate-based login.

SSH has a default behaviour of trying through all ssh keys present as part of your default `~/.ssh/` folder before trying the one passed using `-i` option. This tweet explains the issue and also has a solution which was helpful for me in solving the problem.

Posting it here just in case if it helps anyone else who faces a similar issue as myself in future.

Link: https://twitter.com/podalirius_/status/1422123401855049730


@konstruktoid commented on GitHub (May 9, 2022):

Thanks @rams3sh!
`ssh -i ./keys/id_rsa user@remote.host.org -v -o IdentitiesOnly=true` is the TL;DR
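
The check behind the `IdentitiesOnly` advice in this thread, as an added example that is not part of the original issue or of the hardening project: every public key the client offers counts as one attempt against the server's `MaxAuthTries`, so the script computes an upper bound on offered keys from text in `ssh -G <host>` format and compares it with the limit. The function names, the scratch key files, the agent key count and the `MaxAuthTries` value of 3 are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not code from the hardening project.
# Upper bound on the public keys an OpenSSH client may offer to a server,
# computed from text in the format printed by `ssh -G <host>`.

# offered_key_bound DUMP AGENT_KEYS
#   DUMP        effective client config, one "keyword value" pair per line
#   AGENT_KEYS  keys currently held by ssh-agent (count of `ssh-add -l` lines)
offered_key_bound() {
  dump=$1; agent=$2; files=0
  only=$(printf '%s\n' "$dump" | awk '$1 == "identitiesonly" { print $2; exit }')
  paths=$(printf '%s\n' "$dump" |
    awk '$1 == "identityfile" { sub(/^[^ ]+ /, ""); print }')
  while IFS= read -r path; do
    case $path in "~/"*) path=$HOME/${path#"~/"} ;; esac  # ~ is printed unexpanded
    if [ -r "$path" ]; then files=$((files + 1)); fi      # skip absent defaults
  done <<EOF
$paths
EOF
  if [ "$only" = "yes" ]; then
    echo "$files"               # only the configured identity files
  else
    echo $((agent + files))     # agent keys are candidates as well
  fi
}

# check_against_limit DUMP AGENT_KEYS MAX_AUTH_TRIES
# Returns 0 when every candidate key fits within the server's MaxAuthTries.
check_against_limit() {
  bound=$(offered_key_bound "$1" "$2")
  if [ "$bound" -gt "$3" ]; then
    echo "RISK: up to $bound keys offered, server allows $3 attempts"
    return 1
  fi
  echo "OK: at most $bound keys offered, server allows $3 attempts"
}

# Constructed sample: files in a scratch directory stand in for ~/.ssh; two
# agent keys and MaxAuthTries 3 are assumed values.
demo() {
  dir=$(mktemp -d)
  touch "$dir/id_rsa" "$dir/id_ed25519" "$dir/deploy_key"
  check_against_limit "identitiesonly no
identityfile $dir/id_rsa
identityfile $dir/id_ed25519
identityfile $dir/deploy_key" 2 3 || true
  check_against_limit "identitiesonly yes
identityfile $dir/deploy_key" 2 3
  rm -rf "$dir"
}
demo
```

On a real client, pass `"$(ssh -G user@remote.host.org)"` and `"$(ssh-add -l 2>/dev/null | grep -c .)"` as the first two arguments; a key that is both in the agent and on disk is counted twice, which is why the result is a bound rather than an exact count.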
