[Solved] sshd Error messages

Can anyone explain to me why I'm finding these error messages on my server every day, and how I can get rid of them, please?

Example 1:
Code:
Jun 4 00:46:46 shell sshd[17263]: error: PAM: authentication error for root from 219.138.135.63
Jun 4 00:46:48 shell sshd[17294]: error: PAM: authentication error for root from 219.138.135.63

Example 2:
Code:
login: Jun 4 21:38:41 shell sshd[20901]: error: PAM: authentication error for illegal user admin from 23.97.212.138
Jun 4 21:38:41 shell  sshd[20901]: error: Received disconnected from 23.97.212.138: 3: com.jcraft.jsch.JSchExeption: Auth cancel [preauth]
Jun 4 22:35:48 shell  sshd[21022]: fatal: Read from socket failed: Connection reset by peer [preauth]

Example 3:
Code:
Jun 12 15:13:26 shell sshd[68139]: error: PAM: authentication error for illegal user genoveba from host188-177-static.4-79-b.business.telecomitalia.it
Jun 12 15:13:39 shell sshd[68142]: error: PAM: authentication error for illegal user amanda from host188-177-static.4-79-b.business.telecomitalia.it
Jun 12 15:13:45 shell sshd[68145]: error: PAM: authentication error for illegal user dark from host188-177-static.4-79-b.business.telecomitalia.it

I have FreeBSD 9.2
Thank you!
 
Re: Error messages

People, or rather, bots, are trying to log in to your server by guessing account names. Please make sure that root login by sshd() is not allowed, and it is recommended to only allow login with an SSH key instead of passwords. Many people run security/sshguard to limit these attacks.
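To see the account-name guessing described in this reply, the following added example (not part of the original posts, and not how sshguard itself works) groups failure lines in the format quoted in the question by source. The sample lines, documentation addresses, hostnames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Failure lines in the format quoted in the question, e.g.
#   sshd[17263]: error: PAM: authentication error for root from <src>
#   sshd[68139]: error: PAM: authentication error for illegal user bob from <src>
PAM_FAIL = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for "
    r"(?P<illegal>illegal user )?(?P<user>\S+) from (?P<src>\S+)\s*$"
)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = """\
Jun  4 00:46:46 shell sshd[17263]: error: PAM: authentication error for root from 192.0.2.10
Jun  4 00:46:48 shell sshd[17294]: error: PAM: authentication error for root from 192.0.2.10
Jun  4 00:46:51 shell sshd[17301]: error: PAM: authentication error for root from 192.0.2.10
Jun 12 15:13:26 shell sshd[68139]: error: PAM: authentication error for illegal user amanda from scanner.example.net
Jun 12 15:13:39 shell sshd[68142]: error: PAM: authentication error for illegal user dark from scanner.example.net
Jun 12 15:20:02 shell sshd[68200]: error: PAM: authentication error for alice from 198.51.100.7
Jun 12 15:21:10 shell sshd[68210]: fatal: Read from socket failed: Connection reset by peer [preauth]
""".splitlines()

def summarize(lines):
    """Per source: failed attempts, account names tried, nonexistent names."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown": 0})
    for line in lines:
        m = PAM_FAIL.search(line)
        if m is None:
            continue  # disconnects, resets and other sshd messages
        entry = stats[m.group("src")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        if m.group("illegal"):
            entry["unknown"] += 1  # sshd says the account does not exist
    return dict(stats)

def guessing_sources(stats, min_attempts=3, min_users=2):
    """Sources that repeat failures or cycle through account names.
    Thresholds are illustrative assumptions, not sshguard's scoring."""
    return sorted(
        src for src, s in stats.items()
        if s["attempts"] >= min_attempts or len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for src in guessing_sources(stats):
        s = stats[src]
        print(f"{src}: {s['attempts']} failures, names tried: {sorted(s['users'])}")
```

On FreeBSD these messages are normally written to /var/log/auth.log, so passing that open file to `summarize()` gives the same per-source view of the real log.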
 
Re: Error messages

In /etc/ssh/sshd_config, everything that is commented by default reflects the default settings. You don't need to uncomment this below because it already is disabled.
Code:
#PermitRootLogin no

Enabling SSH key-only login, however, is something you do have to do, and it is probably a must for any box open to the Internet.
 
Hello,
I have a noob follow-up question... I saw these messages on a newly set up FreeBSD 11 box behind a commercial SOHO home router, e.g. Linksys, D-Link, etc. Does this mean my private network is compromised? How else do they formulate such login attempts? Those source IPs are routable public IPs, and my sshd is not sitting on any public interface and there is no forwarding with this box yet. Am I misreading anything? Thanks
 
Thanks for the swift reply.
I accidentally used an IP, which was DMZed a long time ago, but wasn't turned off... that is a big mystery solved ( phew )
 