Root being locked when SSH on and open to internet

skysurf76

Dabbler
Joined
Oct 25, 2011
Messages
36
I got tired of using sneakernet with flash drives with a buddy at work, so I made him an account on my Freenas, and opened SSH on the firewall to the Freenas. Everything worked great until the next time I went to log onto the Freenas webgui. Naturally the root account was locked out due to the FOUR BAJILLION root login attempts. Went to keyboard at the Freenas and reset password, so no biggy.

I'm not really worried about security as we are using like 40 characters for all the passwords and Freenas is Freebsd. If they get into my box, they earned it. I'm just wondering the path of least resistance to allow SSH through the firewall to the Freenas so my buddy can log onto his account and get the files I leave for him in his home directory without the root account getting locked out by failed root login attempts. I looked into making a new account for the webgui but quickly found out it's root or nothing for it.
 

G8One2

Patron
Joined
Jan 2, 2017
Messages
248
Change the ssh port to something else. That's what I did.
 

skysurf76

Dabbler
Joined
Oct 25, 2011
Messages
36
Change the ssh port to something else. That's what I did.
You, sir, are potentially a genius. Next question is if I put it on some wacky port will the scanner bots still be able to determine it's SSH? I would assume they of course hit 22 first, but there have to be some out there that send out SSH packets to all ports and see if they get the expected response. Your idea is a great one and it's probably what I'll go with. I was hoping maybe there was some way to just default block all SSH logins other than my buddy's. The problem is root ssh login is blocked, but Freenas still locks out the account after so many login attempts. I was actually thinking of reporting it as a bug. If root ssh login isn't even allowed, why are they locking out the account for failed attempts?
 

G8One2

Patron
Joined
Jan 2, 2017
Messages
248
Because if you're using key factor authentication, which you should be, they automatically get denied without having the key. So Freenas just locks them out. Still, it slows your internet connection being attacked with bots. I use port 33, once in a while, I will get a spam bot trying to log in. I see it, and change the port to 35 or something. This rarely happens though. I generally never have to change it from 33. I have used other ports though, when I have had to change it.
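As an added illustration (not posted by anyone in this thread), here is the sshd_config side of that advice: the permissive defaults that let every bot throw password guesses at root on port 22, next to a configuration that only ever accepts a key from the buddy's account. The account name "buddy" and port 2222 are placeholders, and it is assumed that these directives reach sshd_config (on FreeNAS that means the SSH service's extra-options field rather than hand-editing the file, which the system regenerates).

```conf
# Added example, not from the thread. "buddy" and 2222 are placeholders;
# it is assumed these directives are applied through the FreeNAS SSH
# service's extra options, not by editing sshd_config by hand.
# sshd_config does not allow trailing comments, so every comment is on
# its own line.

# --- Weak: the defaults that invite the "four bajillion" root attempts ---
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes

# --- Hardened ---
# A non-default port reduces the noise from bots that only try 22;
# it does not reduce the risk from anything that actually scans.
Port 2222
# root never authenticates over SSH, whatever credentials are offered.
PermitRootLogin no
# Keys only: password guesses are not even a method sshd will offer,
# so there is no failed password for any lockout counter to see.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Only this account may log in; every other user, root included,
# is refused regardless of what it presents.
AllowUsers buddy
# Fewer tries and a shorter window per connection limit how much a
# single bot session can do before it is dropped.
MaxAuthTries 3
LoginGraceTime 20
```

Restart the SSH service afterwards and confirm from another machine that `ssh -p 2222 buddy@<host>` works with the key before closing the old port on the firewall, so a typo does not lock the legitimate user out along with the bots.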
 

blanchet

Guru
Joined
Apr 17, 2018
Messages
515
A more complicated setup, but more elegant: a virtual machine and fail2ban
(you cannot use a jail because fail2ban needs to manage the firewall rules)

Fail2ban supports Linux and FreeBSD.
Fail2ban can protect many services: SSH, HTTP, and many webapps.
 