How to harden against SSH brute-forcing?
-
I don't know about Netbird specifically, but adding a VPN does a few things:
- a port scan of your VPS/router won't show an SSH or VPN port active - Wireguard only acknowledges packets if your key is valid (massively more useful than just changing the port)
- compromising both a VPN and SSH is difficult, you'd have to chain exploits together
- if your VPN is hosted by a separate service (e.g. something like Tailscale), it will be very unlikely to share vulnerabilities with your hosted SSH server
Ok, fair point. But why stop at one vpn? I choose to trust OpenSSH, but I agree that adding a secondary layer of security actually helps here. You basically multiply two very low probabilities to get an even lower one. The trade-off is that you add complexity. You now need to keep two services up to date, and correctly configured and access/key material distributed.
I'd only recommend this setup for projects with special security requirements.
-
A lot of things are "fine", but the cost of adding Netbird to your VPS is effectively zero, whether counted in dollars, time, or convenience.
Given the massive security benefits of using a VPN, and the lack of any meaningful downside to doing so, you'd be an idiot not to.
I don't agree about the point concerning cost. You have additional training, update, maintenance and config burden. This on top of the burdon of using the VPN on top of ssh.
-
Fail2ban blocks IPs that fail to connect repeatedly. A honeypot pretends fails worked and gives them a worthless environment to try to exploit. The purpose of fail2ban is to block attacks, the purpose of a honeypot is amusement and to waste attackers' time.
-
Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?
Be sure to use a passphrase
-
Fail2ban blocks IPs that fail to connect repeatedly. A honeypot pretends fails worked and gives them a worthless environment to try to exploit. The purpose of fail2ban is to block attacks, the purpose of a honeypot is amusement and to waste attackers' time.
-
Still no. Here's the reasoning: A well known SSHd is the most secure codebase you'll find out there. With key-based login only, it's not possible to brute force entry. Thus, changing port or running fail2ban doesn't add anything to the security of your system, it just gets rid of bot login log entries and some - very minimal - resource usage.
If there's a public SSHd exploit out, attackers will portscan and and find your SSHd anyway. If there's a 0-day out it's the same.
(your points 4 and 5 are outside the scope of the SSH discussion)
It's also one of the biggest targets for attack. Here's a somewhat recent CVE and here is another. Staying on top of security patches is absolutely critical, and many don't do that.
The best security practice is to layer your protections.
your points 4 and 5 are outside the scope of the SSH discussion
They're not about SSH, sure, but they are relevant to securing a system to remote access. Always assume your security infra will be compromised and plan accordingly. Generally speaking, the more layers, the better.
-
Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?
You could get a hardware key (like a Yubikey) and authenticate with PIV or GPG.
-
Recently, I discovered that SSH of my VPS server is constantly battered as follows.
Apr 06 11:15:14 abastro-personal-arm sshd[102702]: Unable to negotiate with 218.92.0.201 port 53768: no matching key exchange method found. Their offer: diffie> Apr 06 11:30:29 abastro-personal-arm sshd[102786]: Unable to negotiate with 218.92.0.207 port 18464: no matching key exchange method found. Their offer: diffie> Apr 06 11:45:36 abastro-personal-arm sshd[102881]: Unable to negotiate with 218.92.0.209 port 59634: no matching key exchange method found. Their offer: diffie> Apr 06 12:01:02 abastro-personal-arm sshd[103019]: Unable to negotiate with 218.92.0.203 port 16976: no matching key exchange method found. Their offer: diffie> Apr 06 12:05:49 abastro-personal-arm sshd[103066]: Unable to negotiate with 218.92.0.212 port 49130: no matching key exchange method found. Their offer: diffie> Apr 06 12:07:09 abastro-personal-arm sshd[103077]: Connection closed by 162.142.125.122 port 56110 [preauth] Apr 06 12:12:18 abastro-personal-arm sshd[103154]: Connection closed by 45.79.181.223 port 22064 [preauth] Apr 06 12:12:19 abastro-personal-arm sshd[103156]: Connection closed by 45.79.181.223 port 22078 [preauth] Apr 06 12:12:20 abastro-personal-arm sshd[103158]: Connection closed by 45.79.181.223 port 22112 [preauth] Apr 06 12:21:26 abastro-personal-arm sshd[103253]: Connection closed by 118.25.174.89 port 36334 [preauth] Apr 06 12:23:39 abastro-personal-arm sshd[103282]: Unable to negotiate with 218.92.0.252 port 59622: no matching key exchange method found. Their offer: diffie> Apr 06 12:26:38 abastro-personal-arm sshd[103312]: Connection closed by 92.118.39.73 port 44400 Apr 06 12:32:22 abastro-personal-arm sshd[103373]: Unable to negotiate with 218.92.0.203 port 57092: no matching key exchange method found. Their offer: diffie> Apr 06 12:49:48 abastro-personal-arm sshd[103556]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53675 ssh2 [preauth] Apr 06 12:49:48 abastro-personal-arm sshd[103556]: Disconnecting authenticating user root 98.22.89.155 port 53675: Too many authentication failures [preauth] Apr 06 12:49:51 abastro-personal-arm sshd[103558]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53775 ssh2 [preauth] Apr 06 12:49:51 abastro-personal-arm sshd[103558]: Disconnecting authenticating user root 98.22.89.155 port 53775: Too many authentication failures [preauth] Apr 06 12:49:53 abastro-personal-arm sshd[103561]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53829 ssh2 [preauth] Apr 06 12:49:53 abastro-personal-arm sshd[103561]: Disconnecting authenticating user root 98.22.89.155 port 53829: Too many authentication failures [preauth] Apr 06 12:49:54 abastro-personal-arm sshd[103563]: Connection closed by 98.22.89.155 port 53862 [preauth] Apr 06 12:50:41 abastro-personal-arm sshd[103576]: Invalid user from 75.12.134.50 port 36312 Apr 06 12:54:26 abastro-personal-arm sshd[103621]: Connection closed by 165.140.237.71 port 54236 Apr 06 13:01:26 abastro-personal-arm sshd[103702]: Connection closed by 193.32.162.132 port 33380 Apr 06 13:03:40 abastro-personal-arm sshd[103724]: Unable to negotiate with 218.92.0.204 port 60446: no matching key exchange method found. Their offer: diffie> Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Received disconnect from 165.140.237.71 port 50952:11: [preauth] Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Disconnected from authenticating user root 165.140.237.71 port 50952 [preauth] Apr 06 13:19:08 abastro-personal-arm sshd[103897]: Unable to negotiate with 218.92.0.208 port 59274: no matching key exchange method found. Their offer: diffie> Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Received disconnect from 165.140.237.71 port 50738:11: [preauth] Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Disconnected from authenticating user ubuntu 165.140.237.71 port 50738 [preauth] Apr 06 13:34:50 abastro-personal-arm sshd[104079]: Unable to negotiate with 218.92.0.204 port 44816: no matching key exchange method found. Their offer: diffie> Apr 06 13:50:32 abastro-personal-arm sshd[104249]: Unable to negotiate with 218.92.0.206 port 27286: no matching key exchange method found. Their offer: diffie> Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Received disconnect from 165.140.237.71 port 50528:11: [preauth] Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Disconnected from authenticating user root 165.140.237.71 port 50528 [preauth] Apr 06 14:01:25 abastro-personal-arm sshd[104351]: Invalid user from 65.49.1.29 port 18519 Apr 06 14:01:28 abastro-personal-arm sshd[104351]: Connection closed by invalid user 65.49.1.29 port 18519 [preauth]As you can see, it is happening quite frequently, and I am worried one might break in at some point. Since SSH access guards users with root-access, it can be quite serious once penetrated.
How do I harden against these kind of attacks? Because this is VPS, disabling SSH is a no-go (SSH is my only entry of access). Are there ways to stop some of these attackers?As always, thanks in advance!
In addition to what others say, I also have ntfy notifications on successful login.
-
I don't agree about the point concerning cost. You have additional training, update, maintenance and config burden. This on top of the burdon of using the VPN on top of ssh.
This is the selfhosted community; Who are you training? In most cases there's literally only one person who would ever need SSH access to this server. Maybe two or three in a tiny handful of cases, but anyone who can't figure out Netbird in 30 seconds absolutely should not be accessing anything via SSH.
And you've clearly never used Netbird, Tailscale, or any similar service, if you think that update, maintenance and config constitute any kind of meaningful burden, especially for something as simple as remote access to a VPS.
-
Ok, fair point. But why stop at one vpn? I choose to trust OpenSSH, but I agree that adding a secondary layer of security actually helps here. You basically multiply two very low probabilities to get an even lower one. The trade-off is that you add complexity. You now need to keep two services up to date, and correctly configured and access/key material distributed.
I'd only recommend this setup for projects with special security requirements.
why stop at one vpn
Because an additional one adds a different type of security unrelated to securing your server, it's about securing data en route to your server (e.g. hiding that you're accessing it at all from wherever you are. Maybe you want that, but it's irrelevant to securing your server.
But on the larger topic of diminishing returns, yeah, maybe you don't need it.
However, I would never feel comfortable with just one line of defense, regardless of how good that product is. I trust openSSH, which is why I have it running, but all software has bugs and I want more than domino that needs to fall before I get pwned. If there's a successful attack on openSSH, you can bet the script kiddies will exploit it before you get around to patching your server, especially in a homelab setup.
This setup isn't particularly crazy, and I'd recommend a lot more of someone has special requirements. Setting up WireGuard is like 20 lines of config, it's baked into the kernel (except wg-quick, the frontend), and the project is super stable (no major changes in years). Pretty much everything has great support for it (built-in to Android, Linux DEs, etc), and you really don't need to touch it unless you need to set up a new machine.
But if you don't want a VPN for whatever reason, there are other options for additional security:
- geoip blocking - allow only those regions that you expect to connect from (different rules for each port, so SSH can be special)
- fail2ban - block IPs if they fail to authenticate after a few attempts
But please do more than just securing openSSH, because all software has bugs and an extra layer isn't that much more work.
-
My two cents: Using a nonstandard ssh port is good for dumping bots. True, you can easily do a port scan against a server and easily find all open ports nbd. But most off-the-shelf bots are looking for standard ports to penetrate. I know that when I format and reinstall the test server, as soon as I change the ssh port, bot noise goes down significantly. So, for a simple config edit and about 2 minutes of time, it seems worth the effort. It's just one layer tho. And yes, it goes without saying to pick a port other than 22, 222, 2222, etc.
How about 22222?
-
In addition to what others say, I also have ntfy notifications on successful login.
-
Recently, I discovered that SSH of my VPS server is constantly battered as follows.
Apr 06 11:15:14 abastro-personal-arm sshd[102702]: Unable to negotiate with 218.92.0.201 port 53768: no matching key exchange method found. Their offer: diffie> Apr 06 11:30:29 abastro-personal-arm sshd[102786]: Unable to negotiate with 218.92.0.207 port 18464: no matching key exchange method found. Their offer: diffie> Apr 06 11:45:36 abastro-personal-arm sshd[102881]: Unable to negotiate with 218.92.0.209 port 59634: no matching key exchange method found. Their offer: diffie> Apr 06 12:01:02 abastro-personal-arm sshd[103019]: Unable to negotiate with 218.92.0.203 port 16976: no matching key exchange method found. Their offer: diffie> Apr 06 12:05:49 abastro-personal-arm sshd[103066]: Unable to negotiate with 218.92.0.212 port 49130: no matching key exchange method found. Their offer: diffie> Apr 06 12:07:09 abastro-personal-arm sshd[103077]: Connection closed by 162.142.125.122 port 56110 [preauth] Apr 06 12:12:18 abastro-personal-arm sshd[103154]: Connection closed by 45.79.181.223 port 22064 [preauth] Apr 06 12:12:19 abastro-personal-arm sshd[103156]: Connection closed by 45.79.181.223 port 22078 [preauth] Apr 06 12:12:20 abastro-personal-arm sshd[103158]: Connection closed by 45.79.181.223 port 22112 [preauth] Apr 06 12:21:26 abastro-personal-arm sshd[103253]: Connection closed by 118.25.174.89 port 36334 [preauth] Apr 06 12:23:39 abastro-personal-arm sshd[103282]: Unable to negotiate with 218.92.0.252 port 59622: no matching key exchange method found. Their offer: diffie> Apr 06 12:26:38 abastro-personal-arm sshd[103312]: Connection closed by 92.118.39.73 port 44400 Apr 06 12:32:22 abastro-personal-arm sshd[103373]: Unable to negotiate with 218.92.0.203 port 57092: no matching key exchange method found. Their offer: diffie> Apr 06 12:49:48 abastro-personal-arm sshd[103556]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53675 ssh2 [preauth] Apr 06 12:49:48 abastro-personal-arm sshd[103556]: Disconnecting authenticating user root 98.22.89.155 port 53675: Too many authentication failures [preauth] Apr 06 12:49:51 abastro-personal-arm sshd[103558]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53775 ssh2 [preauth] Apr 06 12:49:51 abastro-personal-arm sshd[103558]: Disconnecting authenticating user root 98.22.89.155 port 53775: Too many authentication failures [preauth] Apr 06 12:49:53 abastro-personal-arm sshd[103561]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53829 ssh2 [preauth] Apr 06 12:49:53 abastro-personal-arm sshd[103561]: Disconnecting authenticating user root 98.22.89.155 port 53829: Too many authentication failures [preauth] Apr 06 12:49:54 abastro-personal-arm sshd[103563]: Connection closed by 98.22.89.155 port 53862 [preauth] Apr 06 12:50:41 abastro-personal-arm sshd[103576]: Invalid user from 75.12.134.50 port 36312 Apr 06 12:54:26 abastro-personal-arm sshd[103621]: Connection closed by 165.140.237.71 port 54236 Apr 06 13:01:26 abastro-personal-arm sshd[103702]: Connection closed by 193.32.162.132 port 33380 Apr 06 13:03:40 abastro-personal-arm sshd[103724]: Unable to negotiate with 218.92.0.204 port 60446: no matching key exchange method found. Their offer: diffie> Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Received disconnect from 165.140.237.71 port 50952:11: [preauth] Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Disconnected from authenticating user root 165.140.237.71 port 50952 [preauth] Apr 06 13:19:08 abastro-personal-arm sshd[103897]: Unable to negotiate with 218.92.0.208 port 59274: no matching key exchange method found. Their offer: diffie> Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Received disconnect from 165.140.237.71 port 50738:11: [preauth] Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Disconnected from authenticating user ubuntu 165.140.237.71 port 50738 [preauth] Apr 06 13:34:50 abastro-personal-arm sshd[104079]: Unable to negotiate with 218.92.0.204 port 44816: no matching key exchange method found. Their offer: diffie> Apr 06 13:50:32 abastro-personal-arm sshd[104249]: Unable to negotiate with 218.92.0.206 port 27286: no matching key exchange method found. Their offer: diffie> Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Received disconnect from 165.140.237.71 port 50528:11: [preauth] Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Disconnected from authenticating user root 165.140.237.71 port 50528 [preauth] Apr 06 14:01:25 abastro-personal-arm sshd[104351]: Invalid user from 65.49.1.29 port 18519 Apr 06 14:01:28 abastro-personal-arm sshd[104351]: Connection closed by invalid user 65.49.1.29 port 18519 [preauth]As you can see, it is happening quite frequently, and I am worried one might break in at some point. Since SSH access guards users with root-access, it can be quite serious once penetrated.
How do I harden against these kind of attacks? Because this is VPS, disabling SSH is a no-go (SSH is my only entry of access). Are there ways to stop some of these attackers?As always, thanks in advance!
Use key based auth only and then run ssh-audit.
-
Move the ssh port to higher ranges, 30-60000. That alone will stop 99% of the attacks
Disable root logins, now usernames must be guessed too which will make success even lower
Then require SSH keys
At that point it's like being in a nuclear fallout nshelter behind a 3 meter thick steel door and you can hear some zombies scratching on the outside... I'm not worried about any of that shit
Changing the port is a total waste of time
Changing the port is just like putting a picture of a window on your door. Harden SSH properly and don't waste time with security via obscurity
-
Configure the firewall with a IP whitelist to only allow connections to ssh be made from your home IP.
Other then that, disable password logon for ssh and setup up key based authentication.
Agreed, but be careful about the whitelist. If your home IP changes, you'll be locked out until you update it, so you should consider an IP range if that's a possibility for you. Likewise, if you'll be accessing it from multiple locations (say, a family member's house), then make sure to add those as well.
-
There is actually an example on their website.
-
Changing the port is a total waste of time
Changing the port is just like putting a picture of a window on your door. Harden SSH properly and don't waste time with security via obscurity
That's not true.
Security through obscurity isn't real security, sure, but it does a lot to reduce the noise in the logs so you can see the more real attacks. Hardening SSH properly is certainly more important, but changing the port also has value.
-
This is what I do. Changing the port to a higher number will prevent almost all bots.
I understand that obscurity is not security but not getting probed is nice.
Also ssh keys are a must.
I do log in as root though.
However, I block all IPs other than mine from connecting to this port in my host's firewall. I only need to log in from home, or my office, and in a crisis I can just log in to OVH and add whitelist my IP.
I do log in as root though.
Don't do that. You're one local piece of malware away from getting your server pwned. Logging in as an unprivileged user at least requires another exploit on the server to get root permissions.
-
How about 22222?
Oh, that one's fine. Everyone knows that 5-digit ports add extra security, which is why WireGuard runs on port 51820 by default. You can verify this by checking the max port number, which is also 5-digits, computers just aren't powerful enough to crack 6-digit port numbers, so Linux hasn't bothered increasing it. /s
-
- harden sshd
- use fail2ban or even better CrowdStrike
- use a tool like the following to have a next-gen security solution: https://github.com/mrash/fwknop
harden sshd
More details:
- require keys to login
- don't allow login as root
That should be plenty, but you could go a bit further and restrict the types of algorithms allowed (e.g. disallow RSA if you're worried about quantum attacks). For this, I recommend a subtractive config (e.g.
HostbasedAcceptedAlgorithms=-rsa-*). This is way over the top since an attacker is unlikely to attack the cipher directly, but it could be part of an attack.
