I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log
. Instead, it shows up as failed password entry. Is this intended?
What I’ve done is to uncomment the PermitRootLogin no
line in /etc/ssh/sshd_config
. Rest of the config file is left at default.
Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?
Yes that’s the right way to block root login. An added filter you can use the ‘match’ config expression to filter logins even further.
If you’re on the open network, your connection will be heavily hit with login attempts. That is normal. But using another service like Fail2Ban will stop repeated hits to your host.
Ssh listens on port 22, as soon as a connection is made the host moves the connection to another port to free up 22 for other new connections.Btw: I wasn’t thinking clearly here. Out going connections won’t be using port 22, but the listening incoming port is always 22.There’s no limit on the number of concurrent connections on a single port, and SSH runs completely on the one port it is configured to use. Otherwise allowing just the port 22 in firewall wouldn’t be enough to have a functional SSH connection with default settings.
You can verify that quite easily for example by spinning up three barebone Debian VMs connected to a single virtual network, configuring the firewall on the “server” VM to drop everything other than port 22 and then connecting from both client VMs - it will work just fine.
Maybe you’re confusing it with the fact that only one process can listen on a given port at a time? But that’s only for establishing new connections. Existing connections can be passed off to another running process or a child process just fine, and that’s how SSH handles separation between connections.
Ah, I see, so the port numbers shown in
auth.log
are all client side ports. I guess I thought that the listening port would be in the log and assumed that the port listed there would be it, but when I read the lines again, it clearly says “from ip.ad.dr.ess port 12345”Not sure what you meant about the ‘match’ config expressions here. Could you elaborate a bit further?
Hehe, yeah, I’ve noticed… The reason I get a little anxious whether I did this correctly, is that 95% of the login attempts are to root, so I want to make sure it is disabled. I have set up Fail2Ban, but I am using default settings, which may be a bit laxer than they need?
I’ve also been advised and considered moving to ssh keys, but I have not gotten to that yet.
Makes sense. One question that comes from this is: is it possible to disable that? I would never need two ssh-logins at the same time on my server. And the second question is what I asked above regarding whether I should change the port ssh listens to in order to reduce unwanted malicious login attempts?
No, it’s nonsense. Nothing like that happens.
Match blocks allow you to restrict who/what is allowed or not allowed to connect to the server. There is a large number of options to utilize. Put this near the bottom of sshd_config. There should be an example there.
Here are some more examples: https://stackoverflow.com/questions/10829712/sshd-with-multiple-match-sections-override-settings
Thanks - I’ll look more into that to see if I can make any rules that would make sense for my use case.
These days I don’t even bother installing fail2ban or changing ssh port anymore. I’ll just disable root and password login and be done with it.