konstruktoid/hardening

SSH breaks

0x-Stealth opened this issue · 10 comments

After running this script, you become unable to log into SSH. The port still works, but no matter what you put in, it's always an Access Denied error, or max number of retries, always with the right password.

VNC works perfectly, but SSH just doesn't.

Hi @Stealthr and thanks for reporting this.

Could you please include the sshd log with a failed login attempt?

What do you mean?

What is the actual error message? Can you paste a log with a failed login attempt?
sudo journalctl -r -u ssh

I physically cannot connect to the server unless I remove the UFW rule, and then I still really can't connect to it because I can't sign in. I'll send a log in a sec @konstruktoid

Jul 09 02:35:37 vmi855967.contaboserver.net sshd[3970]: Connection closed by invalid user support 179.60.147.74 port 30374 [preauth]
Jul 09 02:35:34 vmi855967.contaboserver.net sshd[3970]: Failed password for invalid user support from 179.60.147.74 port 30374 ssh2
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=179.60.147.74
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:35:32 vmi855967.contaboserver.net sshd[3970]: Invalid user support from 179.60.147.74 port 30374
Jul 09 02:30:53 vmi855967.contaboserver.net sshd[3967]: Connection closed by 106.12.163.64 port 56470 [preauth]
Jul 09 02:27:08 vmi855967.contaboserver.net sshd[3963]: Connection closed by invalid user admin 114.35.118.190 port 50890 [preauth]
Jul 09 02:27:02 vmi855967.contaboserver.net sshd[3963]: Failed password for invalid user admin from 114.35.118.190 port 50890 ssh2
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.35.118.190
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:27:00 vmi855967.contaboserver.net sshd[3963]: Invalid user admin from 114.35.118.190 port 50890
Jul 09 02:24:44 vmi855967.contaboserver.net sshd[3960]: Connection closed by authenticating user root 186.147.160.189 port 52920 [preauth]
Jul 09 02:24:43 vmi855967.contaboserver.net sshd[3960]: Failed password for root from 186.147.160.189 port 52920 ssh2
Jul 09 02:24:41 vmi855967.contaboserver.net sshd[3960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.147.160.189 user=root
Jul 09 02:19:32 vmi855967.contaboserver.net sshd[3957]: Connection closed by invalid user admin 59.5.105.172 port 56925 [preauth]
Jul 09 02:19:29 vmi855967.contaboserver.net sshd[3957]: Failed password for invalid user admin from 59.5.105.172 port 56925 ssh2
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.5.105.172
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:19:27 vmi855967.contaboserver.net sshd[3957]: Invalid user admin from 59.5.105.172 port 56925
Jul 09 02:19:16 vmi855967.contaboserver.net sshd[3955]: Disconnecting invalid user oracle 210.246.47.176 port 49274: Change of username or service not allowed: (oracle,ssh-connection>
Jul 09 02:19:13 vmi855967.contaboserver.net sshd[3955]: Failed password for invalid user oracle from 210.246.47.176 port 49274 ssh2
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.246.47.176
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: pam_unix(sshd:auth): check pass; user unknown
Jul 09 02:19:11 vmi855967.contaboserver.net sshd[3955]: Invalid user oracle from 210.246.47.176 port 49274
Jul 09 02:02:58 vmi855967.contaboserver.net sshd[3938]: Connection closed by invalid user support 179.60.147.74 port 61124 [preauth]

I assume that's a public server, due to all the various usernames trying to log in.

Have you added the user group of the user you're trying to log in with to SSH_GRPS, and have you added the IP or IP range the user is allowed to log in from to FW_ADMIN?
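The two options named above are two independent gates, and the symptom in this thread (correct password, still "Permission denied", with the UFW rule also in the way) fits either one failing. As an added example that is not part of the project or of this thread, here is a small Python checker that models both gates: the DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation in the order sshd applies it (assuming, as the question implies, that SSH_GRPS ends up as an `AllowGroups` line in sshd_config), and a FW_ADMIN-style source-address allow list (assumed to become "allow from" firewall rules). The sshd_config fragment, group memberships and addresses are constructed sample input; only plain names and the `*`/`?` wildcards sshd accepts are handled, not `user@host` forms.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sshd_config fragment: the kind of state a hardening run that
# sets AllowGroups from SSH_GRPS (assumed) would leave behind.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
AllowGroups sudo
MaxAuthTries 3
"""

# Constructed FW_ADMIN-style allow list (assumed to become firewall rules).
SAMPLE_FW_ADMIN = ["203.0.113.0/24", "198.51.100.7"]


def first_directive(config_text, keyword):
    """Return the arguments of the first `keyword` line, or None if absent.
    sshd honours the first occurrence of a keyword, so stop at the first hit."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if parts[0].lower() == keyword.lower():
            return parts[1:]
    return None


def _matches(name, patterns):
    """sshd allow/deny lists accept shell-style * and ? wildcards."""
    return any(fnmatchcase(name, p) for p in patterns)


def user_allowed(config_text, user, groups):
    """Apply the sshd allow/deny directives in the order sshd evaluates them:
    DenyUsers, AllowUsers, DenyGroups, AllowGroups. Returns (ok, reason)."""
    deny_users = first_directive(config_text, "DenyUsers") or []
    allow_users = first_directive(config_text, "AllowUsers")
    deny_groups = first_directive(config_text, "DenyGroups") or []
    allow_groups = first_directive(config_text, "AllowGroups")

    if _matches(user, deny_users):
        return False, "user listed in DenyUsers"
    if allow_users is not None and not _matches(user, allow_users):
        return False, "user not listed in AllowUsers"
    if any(_matches(g, deny_groups) for g in groups):
        return False, "one of the user's groups is listed in DenyGroups"
    if allow_groups is not None and not any(_matches(g, allow_groups) for g in groups):
        # This is the case sshd logs as "not allowed because none of user's
        # groups are listed in AllowGroups"; the client only sees a denial.
        return False, "none of the user's groups are listed in AllowGroups"
    return True, "allowed"


def source_allowed(fw_admin, client_ip):
    """True if client_ip falls inside any address or CIDR range in fw_admin."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in fw_admin)


def diagnose(config_text, fw_admin, user, groups, client_ip):
    """Return the list of gates that would reject this login (empty = should work)."""
    findings = []
    if not source_allowed(fw_admin, client_ip):
        findings.append(f"{client_ip} is not covered by FW_ADMIN {fw_admin}")
    ok, reason = user_allowed(config_text, user, groups)
    if not ok:
        findings.append(f"{user} rejected by sshd: {reason} (groups={groups})")
    return findings


if __name__ == "__main__":
    # alice is in the default per-user group only; her address is allowed.
    for finding in diagnose(SAMPLE_SSHD_CONFIG, SAMPLE_FW_ADMIN,
                            "alice", ["alice", "users"], "203.0.113.42"):
        print(finding)
```

On the real host the equivalent check for the sshd side is the daemon's own test mode, `sudo sshd -T -C user=alice,addr=203.0.113.42 | grep -i -E 'allow|deny'`, which prints the effective allow/deny directives for that connection; the firewall side is `sudo ufw status numbered`. Keep a console (VNC, as in this thread) open while changing either, since a wrong value locks you out the same way.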

It's not even public. I just realised people were probably trying to brute-force it or something, but that's irrelevant right now. I don't know what SSH_GRPS is, or how to add anything to it, or what the other thing is.

If someone or something is able to connect to your server and try to brute-force a login, then it's most likely public.

The two variables are described in the documentation: https://github.com/konstruktoid/hardening#configuration-options

Closing since the necessary options are described in the documentation.