mirror of
https://github.com/konstruktoid/hardening.git
synced 2026-04-26 01:05:56 +03:00
[GH-ISSUE #150] SSH breaks #62
Originally created by @0x-Stealth on GitHub (Jul 5, 2022).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/150
Originally assigned to: @konstruktoid on GitHub.
After running this script, you become unable to log into ssh, the port still works but no matter what you put, it's always an Access Denied error, or max number of retries with always the right password
@0x-Stealth commented on GitHub (Jul 5, 2022):
VNC works perfect, but SSH just doesn't
@konstruktoid commented on GitHub (Jul 5, 2022):
Hi @Stealthr and thanks for reporting this.
Could you please include the sshd log with a failed login attempt?
@0x-Stealth commented on GitHub (Jul 5, 2022):
What do you mean?
@konstruktoid commented on GitHub (Jul 6, 2022):
what is the actual error message? can you paste a log with a failed login attempt?
sudo journalctl -r -u ssh
@0x-Stealth commented on GitHub (Jul 9, 2022):
I physically cannot connect to the server, unless I remove the UFW rule, then I still really can't connect to it because I can't sign in. I'll send a log in a sec @konstruktoid
@0x-Stealth commented on GitHub (Jul 9, 2022):
Jul 09 02:35:37 vmi855967.contaboserver.net sshd[3970]: Connection closed by invalid user support 179.60.147.74 port 30374 [preauth]
Jul 09 02:35:34 vmi855967.contaboserver.net sshd[3970]: Failed password for invalid user support from 179.60.147.74 port 30374 ssh2
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=179.60.147.74
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: Invalid user support from 179.60.147.74 port 30374
Jul 09 02:30:53 vmi855967.contaboserver.net sshd[3967]: Connection closed by 106.12.163.64 port 56470 [preauth]
Jul 09 02:27:08 vmi855967.contaboserver.net sshd[3963]: Connection closed by invalid user admin 114.35.118.190 port 50890 [preauth]
Jul 09 02:27:02 vmi855967.contaboserver.net sshd[3963]: Failed password for invalid user admin from 114.35.118.190 port 50890 ssh2
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.35.118.190
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: Invalid user admin from 114.35.118.190 port 50890
Jul 09 02:24:44 vmi855967.contaboserver.net sshd[3960]: Connection closed by authenticating user root 186.147.160.189 port 52920 [preauth]
Jul 09 02:24:43 vmi855967.contaboserver.net sshd[3960]: Failed password for root from 186.147.160.189 port 52920 ssh2
Jul 09 02:24:41 vmi855967.contaboserver.net sshd[3960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.147.160.189 user=root
Jul 09 02:19:32 vmi855967.contaboserver.net sshd[3957]: Connection closed by invalid user admin 59.5.105.172 port 56925 [preauth]
Jul 09 02:19:29 vmi855967.contaboserver.net sshd[3957]: Failed password for invalid user admin from 59.5.105.172 port 56925 ssh2
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.5.105.172
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: Invalid user admin from 59.5.105.172 port 56925
Jul 09 02:19:16 vmi855967.contaboserver.net sshd[3955]: Disconnecting invalid user oracle 210.246.47.176 port 49274: Change of username or service not allowed: (oracle,ssh-connection>
Jul 09 02:19:13 vmi855967.contaboserver.net sshd[3955]: Failed password for invalid user oracle from 210.246.47.176 port 49274 ssh2
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.246.47.176
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: Invalid user oracle from 210.246.47.176 port 49274
Jul 09 02:02:58 vmi855967.contaboserver.net sshd[3938]: Connection closed by invalid user support 179.60.147.74 port 61124 [preauth]
@konstruktoid commented on GitHub (Jul 9, 2022):
I assume that's a public server due to all various usernames logging in.
Have you added the user group of the user you're trying to log in with to SSH_GRPS, and have you added the IP or IP range the user is allowed to log in from to FW_ADMIN?
@0x-Stealth commented on GitHub (Jul 9, 2022):
it's not even public, just realised people were prob trying to bruteforce or smth, but it's irrelevant rn, idk what SSH_GRPS or how to add anything to it or what the other thing is
@konstruktoid commented on GitHub (Jul 9, 2022):
If someone or something is able to connect to your server trying to bruteforce and login, then it's most likely public.
The two variables are described in the documentation: https://github.com/konstruktoid/hardening#configuration-options
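The lockout described in this thread is what a pre-flight check should catch before the hardened configuration goes live. The following is an added example, not code from the thread or from the hardening repository; it assumes that SSH_GRPS ends up as sshd's AllowGroups directive, reads only plain user and group names (no wildcards, user@host patterns or Match blocks), and does not cover the FW_ADMIN firewall side, which you would verify separately with ufw status.

```shell
#!/usr/bin/env sh
# Pre-flight check: would USER still be admitted by the AllowUsers /
# AllowGroups directives in the given sshd_config?
# sshd applies both filters in turn, so when both directives are present
# the user must match an AllowUsers entry AND belong to an AllowGroups group.
#
# allowed_by_sshd CONFIG USER "GROUP1 GROUP2 ..."
# Prints "allowed" or "denied"; returns 0 when allowed, 1 when denied.
allowed_by_sshd() {
    cfg="$1"; user="$2"; groups="$3"
    # Collect directive values; commented lines start with '#' and do not match.
    allow_users=$(awk 'tolower($1)=="allowusers"  {$1=""; print}' "$cfg")
    allow_groups=$(awk 'tolower($1)=="allowgroups" {$1=""; print}' "$cfg")

    if [ -n "$allow_users" ]; then
        hit=0
        for u in $allow_users; do
            [ "$u" = "$user" ] && hit=1
        done
        [ "$hit" -eq 1 ] || { echo denied; return 1; }
    fi

    if [ -n "$allow_groups" ]; then
        hit=0
        for g in $groups; do
            for ag in $allow_groups; do
                [ "$g" = "$ag" ] && hit=1
            done
        done
        [ "$hit" -eq 1 ] || { echo denied; return 1; }
    fi

    # No Allow* directive at all means sshd admits every account (its default).
    echo allowed
    return 0
}

# Usage on a live host (constructed example, assumed config path):
#   allowed_by_sshd /etc/ssh/sshd_config "$USER" "$(id -nG "$USER")"
```

Run it with the account and group list you intend to use for remote administration; a "denied" result means the group still has to be added to SSH_GRPS before the script is applied.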
@konstruktoid commented on GitHub (Jul 14, 2022):
Closing since the necessary options are described in the documentation.