this post was submitted on 06 Apr 2025
140 points (98.6% liked)


Recently, I discovered that SSH of my VPS server is constantly battered as follows.

Apr 06 11:15:14 abastro-personal-arm sshd[102702]: Unable to negotiate with 218.92.0.201 port 53768: no matching key exchange method found. Their offer: diffie>
Apr 06 11:30:29 abastro-personal-arm sshd[102786]: Unable to negotiate with 218.92.0.207 port 18464: no matching key exchange method found. Their offer: diffie>
Apr 06 11:45:36 abastro-personal-arm sshd[102881]: Unable to negotiate with 218.92.0.209 port 59634: no matching key exchange method found. Their offer: diffie>
Apr 06 12:01:02 abastro-personal-arm sshd[103019]: Unable to negotiate with 218.92.0.203 port 16976: no matching key exchange method found. Their offer: diffie>
Apr 06 12:05:49 abastro-personal-arm sshd[103066]: Unable to negotiate with 218.92.0.212 port 49130: no matching key exchange method found. Their offer: diffie>
Apr 06 12:07:09 abastro-personal-arm sshd[103077]: Connection closed by 162.142.125.122 port 56110 [preauth]
Apr 06 12:12:18 abastro-personal-arm sshd[103154]: Connection closed by 45.79.181.223 port 22064 [preauth]
Apr 06 12:12:19 abastro-personal-arm sshd[103156]: Connection closed by 45.79.181.223 port 22078 [preauth]
Apr 06 12:12:20 abastro-personal-arm sshd[103158]: Connection closed by 45.79.181.223 port 22112 [preauth]
Apr 06 12:21:26 abastro-personal-arm sshd[103253]: Connection closed by 118.25.174.89 port 36334 [preauth]
Apr 06 12:23:39 abastro-personal-arm sshd[103282]: Unable to negotiate with 218.92.0.252 port 59622: no matching key exchange method found. Their offer: diffie>
Apr 06 12:26:38 abastro-personal-arm sshd[103312]: Connection closed by 92.118.39.73 port 44400
Apr 06 12:32:22 abastro-personal-arm sshd[103373]: Unable to negotiate with 218.92.0.203 port 57092: no matching key exchange method found. Their offer: diffie>
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53675 ssh2 [preauth]
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: Disconnecting authenticating user root 98.22.89.155 port 53675: Too many authentication failures [preauth]
Apr 06 12:49:51 abastro-personal-arm sshd[103558]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53775 ssh2 [preauth]
Apr 06 12:49:51 abastro-personal-arm sshd[103558]: Disconnecting authenticating user root 98.22.89.155 port 53775: Too many authentication failures [preauth]
Apr 06 12:49:53 abastro-personal-arm sshd[103561]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53829 ssh2 [preauth]
Apr 06 12:49:53 abastro-personal-arm sshd[103561]: Disconnecting authenticating user root 98.22.89.155 port 53829: Too many authentication failures [preauth]
Apr 06 12:49:54 abastro-personal-arm sshd[103563]: Connection closed by 98.22.89.155 port 53862 [preauth]
Apr 06 12:50:41 abastro-personal-arm sshd[103576]: Invalid user  from 75.12.134.50 port 36312
Apr 06 12:54:26 abastro-personal-arm sshd[103621]: Connection closed by 165.140.237.71 port 54236
Apr 06 13:01:26 abastro-personal-arm sshd[103702]: Connection closed by 193.32.162.132 port 33380
Apr 06 13:03:40 abastro-personal-arm sshd[103724]: Unable to negotiate with 218.92.0.204 port 60446: no matching key exchange method found. Their offer: diffie>
Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Received disconnect from 165.140.237.71 port 50952:11:  [preauth]
Apr 06 13:11:49 abastro-personal-arm sshd[103815]: Disconnected from authenticating user root 165.140.237.71 port 50952 [preauth]
Apr 06 13:19:08 abastro-personal-arm sshd[103897]: Unable to negotiate with 218.92.0.208 port 59274: no matching key exchange method found. Their offer: diffie>
Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Received disconnect from 165.140.237.71 port 50738:11:  [preauth]
Apr 06 13:33:36 abastro-personal-arm sshd[104066]: Disconnected from authenticating user ubuntu 165.140.237.71 port 50738 [preauth]
Apr 06 13:34:50 abastro-personal-arm sshd[104079]: Unable to negotiate with 218.92.0.204 port 44816: no matching key exchange method found. Their offer: diffie>
Apr 06 13:50:32 abastro-personal-arm sshd[104249]: Unable to negotiate with 218.92.0.206 port 27286: no matching key exchange method found. Their offer: diffie>
Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Received disconnect from 165.140.237.71 port 50528:11:  [preauth]
Apr 06 13:51:58 abastro-personal-arm sshd[104261]: Disconnected from authenticating user root 165.140.237.71 port 50528 [preauth]
Apr 06 14:01:25 abastro-personal-arm sshd[104351]: Invalid user  from 65.49.1.29 port 18519
Apr 06 14:01:28 abastro-personal-arm sshd[104351]: Connection closed by invalid user  65.49.1.29 port 18519 [preauth]

As you can see, it is happening quite frequently, and I am worried one might break in at some point. Since SSH access guards users with root-access, it can be quite serious once penetrated. How do I harden against these kinds of attacks? Because this is a VPS, disabling SSH is a no-go (SSH is my only entry of access). Are there ways to stop some of these attackers?

As always, thanks in advance!
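A triage of the log excerpt above, added here as an example that is not part of the original post: it sorts each sshd line by how far the remote side got, so the one line type that means a real login stands apart from failed negotiations and probes. The category names, the `triage_sshd` function and the final "Accepted" sample line are assumptions made for this example.

```shell
#!/bin/sh
# Sample input: eight lines copied from the post's excerpt plus one constructed
# "Accepted" line (user alice, documentation address 203.0.113.7).
SAMPLE_LOG='Apr 06 11:15:14 abastro-personal-arm sshd[102702]: Unable to negotiate with 218.92.0.201 port 53768: no matching key exchange method found. Their offer: diffie>
Apr 06 12:07:09 abastro-personal-arm sshd[103077]: Connection closed by 162.142.125.122 port 56110 [preauth]
Apr 06 12:12:18 abastro-personal-arm sshd[103154]: Connection closed by 45.79.181.223 port 22064 [preauth]
Apr 06 12:12:19 abastro-personal-arm sshd[103156]: Connection closed by 45.79.181.223 port 22078 [preauth]
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: error: maximum authentication attempts exceeded for root from 98.22.89.155 port 53675 ssh2 [preauth]
Apr 06 12:49:48 abastro-personal-arm sshd[103556]: Disconnecting authenticating user root 98.22.89.155 port 53675: Too many authentication failures [preauth]
Apr 06 14:01:25 abastro-personal-arm sshd[104351]: Invalid user  from 65.49.1.29 port 18519
Apr 06 14:01:28 abastro-personal-arm sshd[104351]: Connection closed by invalid user  65.49.1.29 port 18519 [preauth]
Apr 06 14:05:00 abastro-personal-arm sshd[104400]: Accepted publickey for alice from 203.0.113.7 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED'

# Reads sshd log lines on stdin, prints "count kind ip" per source address.
# Follow-up lines of the same event ("Disconnecting authenticating user",
# "Connection closed by invalid user") are skipped so each event counts once.
# Only IPv4 source addresses are recognised.
triage_sshd() {
    awk '
    {
        kind = ""
        # A completed login: the only kind that means someone got in.
        if      ($0 ~ /: Accepted [^ ]+ for /)                    kind = "ACCEPTED"
        # Client and server share no key exchange method: no login attempted.
        else if ($0 ~ /Unable to negotiate with /)                kind = "kex-mismatch"
        # Credential guessing that ran into the MaxAuthTries limit.
        else if ($0 ~ /maximum authentication attempts exceeded/) kind = "auth-guessing"
        # Login name that does not exist on this host.
        else if ($0 ~ /: Invalid user /)                          kind = "invalid-user"
        # Connection opened and dropped before authenticating.
        else if ($0 ~ /Connection closed by [0-9]/)               kind = "probe-close"
        if (kind == "") next
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { n[kind " " $i]++; break }
    }
    END { for (k in n) print n[k], k }
    ' | sort -k2,2 -k1,1nr
}

# Demo run on the sample. On a host: journalctl -u ssh --no-pager | triage_sshd
# (--no-pager also avoids the ">" truncation visible in the post; the unit is
# named sshd on some distributions).
printf '%s\n' "$SAMPLE_LOG" | triage_sshd
```
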

[–] CondorWonder@lemmy.ca 71 points 1 week ago (3 children)

We can’t ever stop this kind of stuff, but with something like fail2ban you can set it up to block on too many failures.

Really though - ensuring your system is kept up to date and uses strong passwords or SSH keys is the best defence. Blocking doesn’t prevent them from trying a few times. Moving SSH to a non standard port will stop most of the automated attacks but it won’t stop someone who is dedicated.

[–] 30p87@feddit.org 26 points 1 week ago (3 children)

Move SSH to non-standard port, make endlessh use the default port. Only use SSH keys. Only allow correct users (so eg. your user and git/forgejo). Use fail2ban to aggressively ban (redirect to default port, so 22) and report to abuseipdb everything that fails to authenticate first try (wrong user, password instead of key), has non-compatible ciphers (generally, only allow TLS1.3 etc.), or fails in any other way. Just be sure that if you accidentally get banned yourself (eg. Ctrl+C-ing during authentication), you can use another IP (eg. force v4) for connecting.

[–] cron@feddit.org 9 points 1 week ago (1 children)

Nice list of suggestions, but implementing all of them feels a little over-the-top.

[–] 30p87@feddit.org 9 points 1 week ago

Tbh, I myself still have SSH on port 22. Firstly, because I'm lazy, and secondly ... yeah that's it. I'm honestly just lazy. But spam bots trying office/cookie123 are not a real threat, and anyone trying to actually target me will either have somehow acquired my key + password, use one of the probably many security issues that exist in the dozen services I selfhost, social engineer me into doing something (not saying I've given out my (old) KeePass password once, but it could be, as love makes blind (I still love her)), or just smash my kneecaps until I give out everything.

[–] Xanza@lemm.ee 57 points 1 week ago (2 children)
  1. Disable passwordless login.
  2. Disable password login.
  3. Require SSH keys
  4. Move SSH port to non-standard port
  5. Reject connections to port 22
  6. Install and enable fail2ban

About the best you can do.

[–] semperverus@lemmy.world 11 points 1 week ago (5 children)

Don't reject connections to port 22, honeypot it and ban on connection attempt.

[–] downhomechunk@midwest.social 5 points 1 week ago

I'd get myself banned this way. I forget the -p flag at least once per week.

[–] markstos@lemmy.world 7 points 1 week ago (6 children)

Using a nonstandard port doesn’t get you much, especially popular nonstandard ports like 2222.

I used that port once and got just as much junk traffic, and ultimately regretted bothering.

[–] Xanza@lemm.ee 0 points 5 days ago (1 children)

> Using a nonstandard port doesn’t get you much

Uhh... It gets you a lot. Specifically, unless you know the port you can't connect... So hey, there's that..

This community really says shit sometimes that makes me go cross-eyed....

[–] markstos@lemmy.world 0 points 5 days ago* (last edited 5 days ago) (1 children)

The top-rated answer to this question on the Security StackExchange is “not really”. https://security.stackexchange.com/questions/189726/does-it-improve-security-to-use-obscure-port-numbers

On Serverfault, the top answer is that random SSH ports provide “no serious defense” https://serverfault.com/questions/316516/does-changing-default-port-number-actually-increase-security

Or the answer here, highlighting that scanners check a whole range of ports and all the pitfalls of changing the port. Concluding: “Often times it is simply easier to just configure your firewall to only allow access to 22 from specific hosts, as opposed to the whole Internet.” https://security.stackexchange.com/questions/32308/should-i-change-the-default-ssh-port-on-linux-servers

[–] Xanza@lemm.ee 1 points 5 days ago (1 children)

And I'm a CEHv7. A literal security professional--and I say that an overwhelming vast majority of attacks against servers using SSH are going to come over the default port. Quite literally 99%. This means that you can lower your attack surface by exactly 99% by simply changing the default SSH port...

Those posts provide no meaningful insight, and while what they say is, by the most technical of all interpretations, correct, I absolutely disagree with these statements. What they mean to say is that simply changing the default SSH port isn't alone a means of strictly protecting yourself. Meaning you shouldn't change the default SSH port and think that your server is secured because it's not.

Quite the different interpretation than me saying it should be mandatorily a part of your security strategy.

And protecting yourself against port scanning is trivial.

Anyone underestimating the power of changing the default SSH port is someone whose opinion I can safely disregard.

[–] markstos@lemmy.world 1 points 4 days ago (1 children)

Do you have a source to cite for the literal 99%?

[–] Xanza@lemm.ee 1 points 4 days ago

Reasoning skills and experience. There are entire botnets dedicated to finding servers with open SSH ports on 22. If the bots can connect, the IP of the server will be added to a list to be brute forced.

I'm a per diem linux systems administrator. Right now I have a VPS that I set up myself. It uses a non-standard ssh port, fail2ban, and rejects incoming connections to port 22. According to connection logs, I get about 200 attempts per 24 hours from bots randomly pinging ports to see if they can catch an open SSH port--and they're banned via fail2ban.

I checked out some other servers that I manage, which I did not set up and have no control over how they operate. Sifting through just 3 random servers and checking connection logs, they have a combined 435,000 connection attempts in the past 6 hours between the 3 of them. These are relatively small servers with an extremely small presence. Simple fact of the matter is, is that they all have port 22 open and reachable. So botnets attempt to brute force them.

So just anecdotally that's a difference of 0.0459770115% or 99.96%. Anyone telling you that changing the default SSH port doesn't do anything for security has absolutely no practical experience at all. It significantly reduces your attack surface as bots have to guess at ports until they find your SSHd's operational port to even begin to start sending attempts.

[–] friend_of_satan@lemmy.world 18 points 1 week ago

My experience running several ssh servers on uncommon nonstandard ports for over 10 years has been that it has eliminated all ssh brute forcing. I don't even bother with fail2ban. I probably should though, just in case.

Also, PSA: if you use fail2ban, don't try tab completing rsync commands without using controlmaster or you will lock yourself out.

[–] phoenixz@lemmy.ca 41 points 1 week ago (7 children)

Move the ssh port to higher ranges, 30-60000. That alone will stop 99% of the attacks

Disable root logins, now usernames must be guessed too which will make success even lower

Then require SSH keys

At that point it's like being in a nuclear fallout shelter behind a 3 meter thick steel door and you can hear some zombies scratching on the outside... I'm not worried about any of that shit

[–] joshcodes@programming.dev 13 points 1 week ago (1 children)

For added fun, run an SSH tarpit to fuck with the attackers, something like endlessh.

[–] phoenixz@lemmy.ca 9 points 1 week ago (1 children)

Well yeah, sure, but that doesn't really add to your security and it only costs you work and resources

[–] StructureOfChaos@lemmynsfw.com 5 points 1 week ago (4 children)

Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?

[–] callcc@lemmy.world 6 points 1 week ago (1 children)

Be sure to use a passphrase

Or very strong password

[–] BrianTheeBiscuiteer@lemmy.world 33 points 1 week ago (2 children)

In addition to other advice you could also use SSH over Wireguard. Wireguard basically makes the open port invisible. If you don't provide the proper key upfront you get no response. To an attacker the port might as well be closed.

Here's at least one article on the subject: https://rair.dev/wireguard-ssh/

[–] gerowen@lemmy.world 30 points 1 week ago* (last edited 1 week ago) (1 children)

I generally do a few things to protect SSH:

  1. Disable password login and use keys only
  2. Install and configure Fail2Ban
  3. Disable root login via ssh altogether. Just change "permit root login" from "no password" to just "no". You can still become root via sudo or su after you're connected, but that would trigger an additional password request. I always connect as a normal user and then use sudo if/when I need it. I don't include NOPASSWD in my sudoers to make certain sudo prompts for a password. Doesn't do any good to force normal user login if sudo doesn't require a password.
  4. If connecting via the same network or IPs, restrict the SSH open port to only the IPs you trust.
  5. I don't have SSH internet visible. I have my own Wireguard server running on a separate raspberry pi and use that to access SSH when I'm away, but SSH itself is not open to the internet or forwarded in the router.
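The sshd settings from this list and from Xanza's list further up, written as a check over `sshd -T` output. This is an added example, not any commenter's script; the `audit_sshd` function, the `kbdinteractiveauthentication` rule, the `maxauthtries` limit of 3 and both sample configurations are assumptions constructed for it.

```shell
#!/bin/sh
# Constructed "sshd -T" excerpts (lowercase keyword, then value).
WEAK_CFG='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 6'

HARD_CFG='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 3'

# Reads effective sshd settings on stdin, prints one line per deviation and
# returns non-zero if any rule fails. The port is deliberately not checked.
audit_sshd() {
    awk '
    BEGIN {
        # keyword=required value. Keyboard-interactive is included because it
        # can still serve password prompts through PAM when password
        # authentication itself is off.
        rules = "passwordauthentication=no kbdinteractiveauthentication=no"
        rules = rules " permitemptypasswords=no permitrootlogin=no pubkeyauthentication=yes"
        n = split(rules, rule, " ")
        max_tries = 3    # assumed limit for this example
    }
    { seen[tolower($1)] = $2 }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            split(rule[i], kv, "=")
            if (!(kv[1] in seen)) {
                print "MISSING " kv[1]; bad++
            } else if (seen[kv[1]] != kv[2]) {
                print "FAIL " kv[1] " is " seen[kv[1]] ", want " kv[2]; bad++
            }
        }
        if (!("maxauthtries" in seen)) {
            print "MISSING maxauthtries"; bad++
        } else if (seen["maxauthtries"] + 0 > max_tries) {
            print "FAIL maxauthtries is " seen["maxauthtries"] ", want <= " max_tries; bad++
        }
        exit (bad > 0)
    }'
}

# Demo run on both samples.
printf '%s\n' "$WEAK_CFG" | audit_sshd || echo "weak sample: deviations found"
printf '%s\n' "$HARD_CFG" | audit_sshd && echo "hardened sample: all rules pass"
```

On a host, feed it the effective configuration with `sudo sshd -T | audit_sshd`, and keep an existing session open while changing authentication settings.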
[–] Dima@feddit.uk 28 points 1 week ago* (last edited 1 week ago) (3 children)

For security disable password authentication - use public key instead, disable root login via ssh - use sudo or su from another user.

To reduce the number of attempts of others trying to get in change the ssh port and/or set-up fail2ban.

You could also set a firewall rule to only allow ssh from your IP address, if you have a static address at home and only need access from there, or have a way to VPN into your home network. Make sure you have a static address if you do this though, you don't want your IP to change and be left locked out of your server.

[–] RonnyZittledong@lemmy.world 24 points 1 week ago (1 children)

Disable passwords and use public private keys and don't worry about it

[–] JubilantJaguar@lemmy.world 9 points 1 week ago (1 children)

This is the only answer you need to read. It's a non-problem if you just do this, and there's no reason not to do it.

[–] irmadlad@lemmy.world 20 points 1 week ago* (last edited 1 week ago) (4 children)

OP, here is what I do. It might seem overboard, and my way doesn't make it the best, or the most right, but it seems to work for me:

  • Fail2ban
  • UFW
  • Reverse Proxy
  • IPtraf (monitor)
  • Lynis (Audit)
  • OpenVas (Audit)
  • Nessus (Audit)
  • Non standard SSH port
  • CrowdSec + Appsec
  • No root logins
  • SSH keys
  • Tailscale
  • RKHunter

The auditing packages, like Lynis, will scour your server, and make suggestions as to how to further harden your server. Crowdsec is very handy in that it covers a lot of 'stuff'. It's not the only WAF around. There is Wazuh, Bunkerweb, etc. Lots of other great comments here with great suggestions. I tend to go overboard on security because I do not like mopping up the mess after a breach.

ETA: just looked up one of your attackers:

218.92.0.201 was found in our database! This IP was reported 64,044 times. Confidence of Abuse is 100%: ISP CHINANET jiangsu province network Usage Type Fixed Line ISP ASN AS4134 Domain Name chinatelecom.cn Country China City Shanghai, Shanghai

busy little cunts.

[–] db0@lemmy.dbzer0.com 6 points 1 week ago

No Port-knocking? Amateurs! /s

[–] zr0@lemmy.dbzer0.com 20 points 1 week ago* (last edited 1 week ago) (4 children)
[–] om1k@sopuli.xyz 13 points 1 week ago (2 children)

did you mean crowdsec instead of crowdstrike?

[–] bizdelnick@lemmy.ml 19 points 1 week ago

The best way is to disable password login and use SSH keys only. Any further steps are not required, but you may additionally install fail2ban or sshguard.

[–] possiblylinux127@lemmy.zip 18 points 1 week ago

Use key based auth only and then run ssh-audit.

[–] kylian0087@lemmy.dbzer0.com 18 points 1 week ago (1 children)

Configure the firewall with an IP whitelist to only allow connections to ssh to be made from your home IP.

Other than that, disable password logon for ssh and set up key based authentication.

Agreed, but be careful about the whitelist. If your home IP changes, you'll be locked out until you update it, so you should consider an IP range if that's a possibility for you. Likewise, if you'll be accessing it from multiple locations (say, a family member's house), then make sure to add those as well.

[–] Arghblarg@lemmy.ca 16 points 1 week ago

There's a dedicated tool named sshguard which works nicely.

[–] Waryle@jlai.lu 13 points 1 week ago* (last edited 1 week ago) (3 children)

You can look up:

  • Setting up max authentication attempts per connection -> slows down brute force attacks a lot. If your password is strong enough, that's already a big step to secure your server.
  • Generate SSH Keys and disable password authentication -> do this only if you're connecting through the same devices, because you won't be able to connect from any device that has not been set up. Personally I don't use this because I want to be able to access my server even if I'm not home and without my laptop
  • Set up Crowdsec -> it's a local service which scans logs and will block access to any suspicious IPs. It also relies on a crowdsourced list of IPs that are identified as threat and will preventively block them
[–] tomsh@lemmy.world 13 points 1 week ago (2 children)

In addition to what others say, I also have ntfy notifications on successful login.

[–] Realitaetsverlust@lemmy.zip 13 points 1 week ago (1 children)

You don't. This is normal. Ensure key-only auth, ensure you do not login directly as root, maybe install fail2ban and you're good. Some people move the port to a nonstandard one, but that only helps with automated scanners not determined attackers.

You could look into port-knocking if you want it really safe.

[–] troed@fedia.io 8 points 1 week ago (4 children)

A few replies here give the correct advice. Others are just way off.

To those of you who wrote anything else than "disable passwords, use key based login only and you're good" - please spend more time learning the subject before offering up advice to others.

(fail2ban is nice to run in addition, I do so myself, but it's more to stop wasting resources than having to do with security since no one is bruteforcing keys)

[–] nekusoul@lemmy.nekusoul.de 6 points 1 week ago (1 children)

Eh, while I agree that some recommendations are dodgy at best, I'll argue that Wireguard is not only adding to security, it also makes Fail2Ban obsolete. Due to the way it works, you'll completely hide the fact that you're even running a SSH server at all, and this includes even Wireguard itself. More importantly though, it's pretty much impossible to set up Wireguard in an insecure way, whereas SSH provides you with plenty of footguns. You're not risking locking yourself out either.

Also, security comes in layers.

[–] EarMaster@lemmy.world 8 points 1 week ago* (last edited 1 week ago)

For a general guide on how to make ssh more secure I stick to https://www.sshaudit.com/

You can check your config and they also provide step by step guides for several distros...

[–] hemmes@lemmy.world 7 points 1 week ago (18 children)

What VPS are you using?

You should be able to set up a firewall, blocking all access to the SSH port. Then set up a VPN so that only you can access via SSH after making your VPN connection.

If you connect via a static IP, you can also create an ACL for the VPN connection just in case. You can set an ACL for the SSH port forward rule directly as well, but I don’t like that personally. I prefer keeping things behind the VPN.

[–] plz1@lemmy.world 6 points 1 week ago

Does SSH have to be your only way? Could you deploy something like Tailscale? Can you restrict the allowed IP ranges on SSH with a firewall rule?

[–] lefixxx@lemmy.world 6 points 1 week ago

Change the port.

[–] cecilkorik@lemmy.ca 5 points 1 week ago (2 children)

fail2ban is mandatory equipment for any ssh server accessible to the public especially on its default port. It's highly configurable, but the default settings will do fine at making it statistically impossible for any user or password to be brute forced.
