Many attempts to login with key?

Status
Not open for further replies.

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Just today I set up a dynamic DNS domain at DuckDNS, forwarded my port 22 from router, and set up SSH for public key authentication (disabling password login). I thought I would check in /var/log/auth.log to see if I'm starting to get break-in attempts with the port open.

I was surprised to find someone or something had been trying to get in all along, or were getting in, I'm not sure. This is typical of what was very abundant in the log:
Code:
Jan 16 08:45:32 Tabernacle sshd[47276]: Accepted publickey for root from 127.0.0.1 port 17378 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:32 Tabernacle sshd[47276]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:32 Tabernacle sshd[47288]: Accepted publickey for root from 127.0.0.1 port 58125 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47288]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:33 Tabernacle sshd[47294]: Accepted publickey for root from 127.0.0.1 port 17207 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47294]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:33 Tabernacle sshd[47303]: Accepted publickey for root from 127.0.0.1 port 37246 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47303]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:34 Tabernacle sshd[47320]: Accepted publickey for root from 127.0.0.1 port 27105 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:34 Tabernacle sshd[47320]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:34 Tabernacle sshd[47332]: Accepted publickey for root from 127.0.0.1 port 22497 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:34 Tabernacle sshd[47332]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:35 Tabernacle sshd[47338]: Accepted publickey for root from 127.0.0.1 port 27518 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:35 Tabernacle sshd[47338]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:35 Tabernacle sshd[47347]: Accepted publickey for root from 127.0.0.1 port 32399 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:35 Tabernacle sshd[47347]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:36 Tabernacle sshd[47364]: Accepted publickey for root from 127.0.0.1 port 29101 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:36 Tabernacle sshd[47364]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:36 Tabernacle sshd[47376]: Accepted publickey for root from 127.0.0.1 port 10225 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47376]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:39 Tabernacle sshd[47382]: Accepted publickey for root from 127.0.0.1 port 52747 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47382]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:39 Tabernacle sshd[47391]: Accepted publickey for root from 127.0.0.1 port 33707 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47391]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:40 Tabernacle sshd[47408]: Accepted publickey for root from 127.0.0.1 port 33739 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:40 Tabernacle sshd[47408]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:40 Tabernacle sshd[47420]: Accepted publickey for root from 127.0.0.1 port 30387 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:40 Tabernacle sshd[47420]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:41 Tabernacle sshd[47426]: Accepted publickey for root from 127.0.0.1 port 38860 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:41 Tabernacle sshd[47426]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:41 Tabernacle sshd[47435]: Accepted publickey for root from 127.0.0.1 port 43950 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:41 Tabernacle sshd[47435]: Received disconnect from 127.0.0.1: 11: disconnected by user

It looks like they are repeatedly trying various ports? And what the heck is 127.0.0.1? Certainly unlike any local IP I have. And I have root login via SSH disabled, so I don't see how this could even be happening. I would really appreciate it if someone could interpret this for me. It doesn't seem like the common kind of attempts I've read about.

Update: Duh, OK, I see that IP represents this machine, so apparently it is some process trying to get root status? I recently changed the root (webGUI) password to something tougher, so is there some way to tell the rest of the computer that? Or what's going on?
 
Last edited:

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Just today I set up a dynamic DNS domain at DuckDNS, forwarded my port 22 from router, and set up SSH for public key authentication (disabling password login). I thought I would check in /var/log/auth.log to see if I'm starting to get break-in attempts with the port open.
Sir. Put the FreeNAS down before someone gets hurt!!!!
 

RussianMafia

Cadet
Joined
Jul 29, 2014
Messages
4
Comrade,

All is okay. I was just verifying that your server is nice and secure. Your server is plenty secure and your password definitely meets our standards. Is no problem at all to leave this port open all of the time. Do not mind us when we test your system for security. We will let you know if your security is not up to, eh, how you say, high Russian standards?

Like I told our other comrade last year, do not believe these selfish capitalists and keep the ports closed. Information wants to be free, da?

As a free service if you'd like to post your password we can check your other services and make sure all is good.

Spasibo.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Everybody's a comedian :smile:

I figured out those log entries are probably from replication tasks, based on the time when they occur.

After opening that SSH port, I got frequent REAL probing in auth.log. I changed the SSH port to something else, and they stopped cold. Anyway with key authentication I guess they wouldn't have much chance.
 
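The confusion in this thread was telling the loopback publickey entries (a local job, one fingerprint) apart from remote logins and from real probing once the port was forwarded. As an added example, not code from the thread or from FreeNAS, this summarises sshd auth.log lines per source address; the sample lines are constructed, modelled on the excerpt above, and the remote addresses 192.0.2.44 and 198.51.100.7 are documentation addresses, not real hosts.

```python
# Added example (not from the thread): summarise sshd auth.log lines per source
# address so loopback publickey logins stand out from remote logins and failures.
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample modelled on the thread's excerpt, plus two made-up remote sources.
SAMPLE_LOG = """\
Jan 16 08:45:32 Tabernacle sshd[47276]: Accepted publickey for root from 127.0.0.1 port 17378 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:32 Tabernacle sshd[47276]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:33 Tabernacle sshd[47288]: Accepted publickey for root from 127.0.0.1 port 58125 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 09:02:10 Tabernacle sshd[47501]: Accepted publickey for me from 192.0.2.44 port 51022 ssh2: RSA aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
Jan 16 09:10:51 Tabernacle sshd[47610]: Invalid user admin from 198.51.100.7
Jan 16 09:10:53 Tabernacle sshd[47610]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\w+) (?P<fp>[0-9a-f:]+))?"
)
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \w+ for (?:invalid user )?|Invalid user )(?P<user>\S+) from (?P<ip>\S+)"
)


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:          # hostnames or garbage: treat as not local
        return False


def triage(log_text):
    """Count accepted logins per (user, fingerprint) and failures per username, keyed by source IP."""
    accepted = defaultdict(Counter)
    failed = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            accepted[m["ip"]][(m["user"], m["fp"])] += 1
            continue
        m = FAILED.search(line)
        if m:
            failed[m["ip"]][m["user"]] += 1
    return accepted, failed


def report(log_text):
    """One row per source: (ip, 'local'|'remote', accepted, distinct fingerprints, failed)."""
    accepted, failed = triage(log_text)
    rows = []
    for ip in sorted(set(accepted) | set(failed)):
        fingerprints = {fp for (_user, fp) in accepted[ip]}
        kind = "local" if is_loopback(ip) else "remote"
        rows.append((ip, kind, sum(accepted[ip].values()), len(fingerprints), sum(failed[ip].values())))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%-14s %-6s accepted=%d fingerprints=%d failed=%d" % row)
```

A loopback source with many accepted logins and a single fingerprint is the signature of a scheduled local job, whereas a remote source with an unfamiliar fingerprint or a pile of failures is what to look into.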

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm sure you knew you were just asking for it.

But look at the bright side.. if we didn't love you we wouldn't have joked with you and would have said something like "are you stupid!?"
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Oh, just some info.. if you require key authentication that pretty much makes it impossible to get in. Changing the port definitely cleans up the logs of login attempts (but IMO doesn't drastically improve security). But let's face it, from a security side-of-things the authentication key is all you really need. Well, that and an OpenSSL that isn't a total POS like it seems to be. :P
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Well cj, I'm just learning here. ;) Aren't there ways of securely accessing a server over the internet by SSH, HTTPS, etc.? I thought using encrypted key authentication was pretty good for SSH? OK, just saw your second post which seems to confirm that.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
I think a VPN with certificates is probably the most secure option and provides the most flexibility. The thing with opening FreeNAS to the world is that updates can be slow. So zero day exploits can take weeks to get patched. Maybe running an easy-to-update server on your network that gets forwarded the port is a better way to go about things? Then you can ssh into your FreeNAS box from there.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Oh, just some info.. if you require key authentication that pretty much makes it impossible to get in. Changing the port definitely cleans up the logs of login attempts (but IMO doesn't drastically improve security). But let's face it, from a security side-of-things the authentication key is all you really need. Well, that and an OpenSSL that isn't a total POS like it seems to be. :p
OpenSSL != OpenSSH. :p

Flame on!

BTW, nist recommendations are here.

Because we all trust NIST and because there is zero chance of the organization being subverted for nefarious purposes.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Well, now that I've got SSH all secured, it seems the replication tasks can't use it:

The replication failed for the local ZFS Ark/Attic because the command:
/usr/bin/ssh -i /data/ssh/replication -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=7
have returned an error code of 255

I found a place to put in a private key in the Advanced SSH settings, in "PEM format", whatever that is. But my key is encrypted so I assume that won't work? Does that mean you have to use an unencrypted key?
 
Last edited:

saurav

Contributor
Joined
Jul 29, 2012
Messages
139
Does that mean you have to use an unencrypted key?
I think so. Otherwise, how are you going to provide a passphrase for the key when the replication task runs?

Even though that key is not encrypted, it's readable by root only (the default replication user). If that is not the case, or if something unwanted is running as root, then you have bigger problems.

For more security on the side of replication target, you can add these two options to the ssh user's authorized_keys file on the replication target:

from="IP-address-of-replication-source"
no-pty

That will ensure that nobody other than the replication source will be able to use that keypair (assuming it has a fixed IP), and that it won't get an interactive shell on the replication target.

You can do this in the gui by editing the SSH Public Key of the replication user (root, by default) on the replication target. That field ought to be called "authorized_keys entries" IMHO...
 
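The `from=` and `no-pty` options saurav describes go in front of the key in the "SSH Public Key" field of the replication user on the target. As an added example, not FreeNAS code, this builds that restricted entry from an existing authorized_keys line, keeping any options already present (the options field can contain quoted commas and spaces, so the split is quote-aware); the key text is a constructed placeholder, not a real key, and 127.0.0.1 is used because in this thread the replication target is the same box.

```python
# Added example (not FreeNAS code): produce the restricted authorized_keys entry
# by parsing an existing line and prepending from="<source>" plus no-pty.

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample key: not a real key, just the shape of the GUI field's content.
REPLICATION_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY replication@Tabernacle"


def _cut(text, sep):
    """Split at the first `sep` that is outside double quotes; (head, None) if absent."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quote = not in_quote
        elif ch == sep and not in_quote:
            return text[:i], text[i + 1:]
    return text, None


def _split_options(text):
    """Split an options field on unquoted commas (command="a,b" stays whole)."""
    out = []
    while text is not None:
        head, text = _cut(text, ",")
        out.append(head)
    return out


def parse_entry(line):
    """Return (options, keytype, key, comment) for one authorized_keys line."""
    line = line.strip()
    if line.split(" ", 1)[0] in KEY_TYPES:
        options, rest = [], line          # no options field present
    else:
        head, rest = _cut(line, " ")
        options = _split_options(head)
    parts = (rest or "").split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def restrict_for_replication(line, source):
    """Pin the key to one source address and deny a pty; other existing options are kept."""
    options, keytype, key, comment = parse_entry(line)
    # Replace any earlier from= rather than adding a second, conflicting one.
    options = [o for o in options if not o.startswith("from=")]
    options = ['from="%s"' % source] + options
    if "no-pty" not in options:
        options.append("no-pty")
    return " ".join(p for p in (",".join(options), keytype, key, comment) if p)


if __name__ == "__main__":
    print(restrict_for_replication(REPLICATION_PUBKEY, "127.0.0.1"))
```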

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
OK, finally figured it out - it was the SSH port change. I didn't realize when you change the SSH port, you have to set the port for the replication tasks coming into that machine (actually this is replicating internally to localhost).

If I make that change, saurav, it won't affect the ability to SSH into the server from another computer? I guess not, since it is a different key pair I use for that.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Comrade,

All is okay. I was just verifying that your server is nice and secure. Your server is plenty secure and your password definitely meets our standards. Is no problem at all to leave this port open all of the time. Do not mind us when we test your system for security. We will let you know if your security is not up to, eh, how you say, high Russian standards?
Hilarious!
 

saurav

Contributor
Joined
Jul 29, 2012
Messages
139
If I make that change, saurav, it won't affect the ability to SSH into the server from another computer? I guess not, since it is a different key pair I use for that.
That's right, it would affect only the keypair against which you add those settings in authorized_keys. This is only if you are worried about the private key used for replication somehow getting compromised (since you were trying to use an encrypted one).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
OpenSSL != OpenSSH. :p

Flame on!

Suck it! Ok, ok.

You are right. I wrote it and I wasn't sure. Asked someone and they thought the same as me. So I hit submit. Guess I was wrong. I'm sure it won't be the last time either.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
So I made some progress. For all means of access, I'm forwarding oddball ports from the router, the router has port scanning blocked, and I'm using pretty secure passwords.

For SSH, I've got that public/private key thing going. That seems pretty secure. Password authentication and root login are disabled.

For the WebGUI, IPMI web access, and WebDAV, I'm using only HTTPS with certificates. And for WebDAV Digest Authentication, whatever that is. This seems somewhat less secure than the SSH, because the client trying to get in needs no private key. But at least it's encrypted, and with strong passwords should be OK?

I hope I don't get any contacts from the RussianMafia. They sound pretty scary. How do I tell if I'm already mining bitcoins? ;)
 

saurav

Contributor
Joined
Jul 29, 2012
Messages
139
For the WebGUI, IPMI web access, and WebDAV, I'm using only HTTPS with certificates.
Did you open ports on your router for all these separately? I suggest you don't do that.

If you have ssh access to the box, you don't need to open any other ports. Just run ssh with the "-D <port>" option and configure your browser to use the localhost:<port> SOCKS proxy. All your traffic will be tunnelled via ssh.

For anything that can't go via SOCKS proxy, consider the -L option of ssh.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Wow, this is new stuff. So you first start an ssh session with the -D, then go into your browser (Firefox) and do the localhost thing, and the browser hooks into the ssh session?

But I don't see how to access a specific service, since the router is no longer routing it appropriately based on ports. For example, if I currently access SSH this way:
ssh -p 9999 me@servername.duckdns.org

and I access IPMI in Firefox with:
https://servername.duckdns.org:9998
(which the router forwards to the local IPMI IP address, different from the server's SSH local IP address),
how would I do that with tunneling?
 
Last edited:

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Never mind, I figured it out. Once the tunnel is set up and Firefox configured, it is just like your browser is on the local network with your server. You just enter the local IP etc as you would at home. That is some crazy stuff, thanks!
 