Hello.
A few weeks ago I asked here in the forum how to secure an SSH connection with 2FA, but then realized fairly quickly that this is not necessary at all, or rather brings no advantages.
For this reason I currently have the following setup running:
Ubuntu 24.04 with SSH
Access via public-key authentication (the hoster already wanted it that way; the public key had to be supplied during reinstallation)
Currently only two PCs can access the server using public-key authentication
DenyUsers root and DenyGroups root were added to SSHD.config so that root cannot log in at all
The SSH port was redirected to a different one
The server has been running like this since Friday. Today I looked at auth.log for the first time and was surprised at how many connection attempts there were on the server; here is an excerpt. In some cases strange (random-sounding) users try to log in to the server. During the periods in which no attempt was recorded for a longer time, I had closed the firewall for the opened port in the hoster's portal.
```
2024-10-15T22:49:02.351722+02:00 ubuntu sshd[40797]: Connection closed by invalid user degen 159.203.21.4 port 55176 [preauth]
2024-10-15T22:49:57.522409+02:00 ubuntu sshd[40799]: Invalid user crypto from 159.203.21.4 port 53322
2024-10-15T22:49:57.654917+02:00 ubuntu sshd[40799]: Connection closed by invalid user crypto 159.203.21.4 port 53322 [preauth]
2024-10-15T22:50:52.505557+02:00 ubuntu sshd[40805]: Invalid user coin from 159.203.21.4 port 59268
2024-10-15T22:50:52.623986+02:00 ubuntu sshd[40805]: Connection closed by invalid user coin 159.203.21.4 port 59268 [preauth]
2024-10-15T22:51:47.664771+02:00 ubuntu sshd[40807]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T22:51:47.783869+02:00 ubuntu sshd[40807]: Connection closed by invalid user root 159.203.21.4 port 51034 [preauth]
2024-10-15T22:52:42.781610+02:00 ubuntu sshd[40810]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T22:52:42.900796+02:00 ubuntu sshd[40810]: Connection closed by invalid user root 159.203.21.4 port 43968 [preauth]
2024-10-15T22:53:37.991515+02:00 ubuntu sshd[40812]: Invalid user litnode from 159.203.21.4 port 38094
2024-10-15T22:53:38.108885+02:00 ubuntu sshd[40812]: Connection closed by invalid user litnode 159.203.21.4 port 38094 [preauth]
2024-10-15T22:54:33.202925+02:00 ubuntu sshd[40815]: Invalid user lite from 159.203.21.4 port 45242
2024-10-15T22:54:33.337366+02:00 ubuntu sshd[40815]: Connection closed by invalid user lite 159.203.21.4 port 45242 [preauth]
2024-10-15T22:55:28.352178+02:00 ubuntu sshd[40820]: Invalid user litenode from 159.203.21.4 port 39548
2024-10-15T22:55:28.485382+02:00 ubuntu sshd[40820]: Connection closed by invalid user litenode 159.203.21.4 port 39548 [preauth]
2024-10-15T22:56:23.379058+02:00 ubuntu sshd[40822]: Invalid user Polkadot from 159.203.21.4 port 53888
2024-10-15T22:56:23.496318+02:00 ubuntu sshd[40822]: Connection closed by invalid user Polkadot 159.203.21.4 port 53888 [preauth]
2024-10-15T22:57:18.475347+02:00 ubuntu sshd[40824]: Invalid user Ethereum from 159.203.21.4 port 45628
2024-10-15T22:57:18.594616+02:00 ubuntu sshd[40824]: Connection closed by invalid user Ethereum 159.203.21.4 port 45628 [preauth]
2024-10-15T22:58:13.716783+02:00 ubuntu sshd[40827]: Invalid user Ethereum from 159.203.21.4 port 59252
2024-10-15T22:58:13.839231+02:00 ubuntu sshd[40827]: Connection closed by invalid user Ethereum 159.203.21.4 port 59252 [preauth]
2024-10-15T22:59:09.111966+02:00 ubuntu sshd[40829]: Invalid user Ethereum from 159.203.21.4 port 41198
2024-10-15T22:59:09.230922+02:00 ubuntu sshd[40829]: Connection closed by invalid user Ethereum 159.203.21.4 port 41198 [preauth]
2024-10-15T23:00:04.286602+02:00 ubuntu sshd[40842]: Invalid user ethereum from 159.203.21.4 port 51452
2024-10-15T23:00:04.405869+02:00 ubuntu sshd[40842]: Connection closed by invalid user ethereum 159.203.21.4 port 51452 [preauth]
2024-10-15T23:00:59.561624+02:00 ubuntu sshd[40848]: Invalid user ethereum from 159.203.21.4 port 39090
2024-10-15T23:00:59.693934+02:00 ubuntu sshd[40848]: Connection closed by invalid user ethereum 159.203.21.4 port 39090 [preauth]
2024-10-15T23:01:54.877998+02:00 ubuntu sshd[40850]: Invalid user validator from 159.203.21.4 port 42388
2024-10-15T23:01:55.010955+02:00 ubuntu sshd[40850]: Connection closed by invalid user validator 159.203.21.4 port 42388 [preauth]
2024-10-15T23:02:19.405203+02:00 ubuntu sshd[40852]: Accepted publickey for felix from xxx.xxx.xxx.xxx port 61060 ssh2: RSA SHA256:3517173bfd5147bbd28643f2d785e37f9a9f5bede57
2024-10-15T23:02:19.406912+02:00 ubuntu sshd[40852]: pam_unix(sshd:session): session opened for user felix(uid=1001) by felix(uid=0)
2024-10-15T23:02:50.028354+02:00 ubuntu sshd[40972]: Invalid user sushi from 159.203.21.4 port 36748
2024-10-15T23:02:50.147966+02:00 ubuntu sshd[40972]: Connection closed by invalid user sushi 159.203.21.4 port 36748 [preauth]
2024-10-15T23:03:45.241840+02:00 ubuntu sshd[40977]: Invalid user uniswap from 159.203.21.4 port 37442
2024-10-15T23:03:45.358451+02:00 ubuntu sshd[40977]: Connection closed by invalid user uniswap 159.203.21.4 port 37442 [preauth]
2024-10-15T23:04:40.672379+02:00 ubuntu sshd[40983]: Invalid user aave from 159.203.21.4 port 49026
2024-10-15T23:04:40.791232+02:00 ubuntu sshd[40983]: Connection closed by invalid user aave 159.203.21.4 port 49026 [preauth]
2024-10-15T23:05:36.292264+02:00 ubuntu sshd[40991]: Invalid user makerdao from 159.203.21.4 port 51796
2024-10-15T23:05:36.409152+02:00 ubuntu sshd[40991]: Connection closed by invalid user makerdao 159.203.21.4 port 51796 [preauth]
2024-10-15T23:06:31.640733+02:00 ubuntu sshd[41018]: Invalid user dao from 159.203.21.4 port 44678
2024-10-15T23:06:31.757547+02:00 ubuntu sshd[41018]: Connection closed by invalid user dao 159.203.21.4 port 44678 [preauth]
2024-10-15T23:07:27.045488+02:00 ubuntu sshd[41040]: Invalid user crypto from 159.203.21.4 port 52460
2024-10-15T23:07:27.161962+02:00 ubuntu sshd[41040]: Connection closed by invalid user crypto 159.203.21.4 port 52460 [preauth]
2024-10-15T23:08:22.467920+02:00 ubuntu sshd[41044]: Invalid user cryptoexpert from 159.203.21.4 port 60728
2024-10-15T23:08:22.587058+02:00 ubuntu sshd[41044]: Connection closed by invalid user cryptoexpert 159.203.21.4 port 60728 [preauth]
2024-10-15T23:09:17.734962+02:00 ubuntu sshd[41105]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T23:09:17.853642+02:00 ubuntu sshd[41105]: Connection closed by invalid user root 159.203.21.4 port 60710 [preauth]
2024-10-15T23:10:12.997521+02:00 ubuntu sshd[41112]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T23:10:13.113788+02:00 ubuntu sshd[41112]: Connection closed by invalid user root 159.203.21.4 port 40278 [preauth]
2024-10-15T23:11:08.209552+02:00 ubuntu sshd[41115]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T23:11:08.326242+02:00 ubuntu sshd[41115]: Connection closed by invalid user root 159.203.21.4 port 49142 [preauth]
2024-10-15T23:12:03.754154+02:00 ubuntu sshd[41120]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T23:12:03.886027+02:00 ubuntu sshd[41120]: Connection closed by invalid user root 159.203.21.4 port 46692 [preauth]
2024-10-15T23:12:58.765004+02:00 ubuntu sshd[41141]: User root from 159.203.21.4 not allowed because listed in DenyUsers
2024-10-15T23:12:58.883625+02:00 ubuntu sshd[41141]: Connection closed by invalid user root 159.203.21.4 port 54738 [preauth]
2024-10-15T23:13:25.729262+02:00 ubuntu sshd[40950]: Received disconnect from xxx.xxx.xxx.xxx port 61060:11: disconnected by user
2024-10-15T23:13:25.729449+02:00 ubuntu sshd[40950]: Disconnected from user felix xxx.xxx.xxx.xxx port 61060
2024-10-15T23:13:25.730085+02:00 ubuntu sshd[40852]: pam_unix(sshd:session): session closed for user felix
2024-10-15T23:13:54.137094+02:00 ubuntu sshd[41150]: Invalid user bitcoin from 159.203.21.4 port 60564
2024-10-15T23:13:54.256406+02:00 ubuntu sshd[41150]: Connection closed by invalid user bitcoin 159.203.21.4 port 60564 [preauth]
2024-10-16T14:04:34.066876+02:00 ubuntu sshd[45753]: User root from xxx.xxx.xxx.xxx not allowed because listed in DenyUsers
2024-10-16T14:04:34.170295+02:00 ubuntu sshd[45753]: Connection reset by invalid user root xxx.xxx.xxx.xxx port 55957 [preauth]
2024-10-16T14:04:46.306818+02:00 ubuntu sshd[45755]: Accepted publickey for felix from xxx.xxx.xxx.xxx port 55959 ssh2: RSA SHA256:3517173bfd5147bbd28643f2d785e37f9a9f5bede57
2024-10-16T14:04:46.308507+02:00 ubuntu sshd[45755]: pam_unix(sshd:session): session opened for user felix(uid=1001) by felix(uid=0)
2024-10-16T14:05:25.949248+02:00 ubuntu sshd[45875]: Connection reset by authenticating user felix xxx.xxx.xxx.xxx port 55960 [preauth]
2024-10-16T14:05:52.412240+02:00 ubuntu sshd[45877]: Accepted publickey for felix from xxx.xxx.xxx.xxx port 55961 ssh2: RSA SHA256:3517173bfd5147bbd28643f2d785e37f9a9f5bede57
2024-10-16T14:05:52.414017+02:00 ubuntu sshd[45877]: pam_unix(sshd:session): session opened for user felix(uid=1001) by felix(uid=0)
2024-10-16T15:04:29.108350+02:00 ubuntu sshd[47196]: banner exchange: Connection from 47.238.172.8 port 37796: invalid format
2024-10-16T15:04:36.782017+02:00 ubuntu sshd[47474]: Invalid user NL5xUDpV2xRa from 47.238.172.8 port 45870
2024-10-16T15:04:36.783072+02:00 ubuntu sshd[47474]: fatal: userauth_pubkey: parse publickey packet: incomplete message [preauth]
2024-10-16T15:19:43.902750+02:00 ubuntu sshd[47769]: banner exchange: Connection from 60.21.134.178 port 52613: invalid format
2024-10-16T15:19:54.420444+02:00 ubuntu sshd[47770]: Invalid user wqmarlduiqkmgs from 60.21.134.178 port 39255
2024-10-16T15:19:54.420625+02:00 ubuntu sshd[47770]: fatal: userauth_pubkey: parse publickey packet: incomplete message [preauth]
2024-10-16T15:26:35.540464+02:00 ubuntu sshd[47801]: banner exchange: Connection from 47.242.196.219 port 52740: invalid format
2024-10-16T15:26:43.554309+02:00 ubuntu sshd[47802]: Invalid user NL5xUDpV2xRa from 47.242.196.219 port 43632
2024-10-16T15:26:43.555145+02:00 ubuntu sshd[47802]: fatal: userauth_pubkey: parse publickey packet: incomplete message [preauth]
2024-10-16T15:27:24.173001+02:00 ubuntu sshd[47804]: banner exchange: Connection from 149.129.249.160 port 60444: invalid format
2024-10-16T15:27:36.000322+02:00 ubuntu sshd[47805]: Invalid user NL5xUDpV2xRa from 149.129.249.160 port 38992
2024-10-16T15:27:36.001035+02:00 ubuntu sshd[47805]: fatal: userauth_pubkey: parse publickey packet: incomplete message [preauth]
```
I am surprised that the port in the logs is always a different one, and not the one opened and used for SSH. I was also quite alarmed that so many connection requests were sent to my server. Should I rather keep the firewall closed permanently whenever I am not necessarily connected via SSH?
I look forward to your assessment of the situation.
Best regards
Edited by Thomas_Do:
Code block anonymized.
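
An added example, not part of the original post: a short Python summary of an auth.log excerpt in the format shown above, grouping rejected sshd connection attempts by source address and listing successful public-key logins separately. The sample lines are constructed (documentation addresses, made-up user names); the `port` value in these sshd messages is the remote client's source port, which is why it changes with every connection.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of the excerpt (documentation IP ranges).
SAMPLE_LOG = """\
2024-10-15T22:49:57.522409+02:00 ubuntu sshd[40799]: Invalid user crypto from 203.0.113.7 port 53322
2024-10-15T22:49:57.654917+02:00 ubuntu sshd[40799]: Connection closed by invalid user crypto 203.0.113.7 port 53322 [preauth]
2024-10-15T22:51:47.664771+02:00 ubuntu sshd[40807]: User root from 203.0.113.7 not allowed because listed in DenyUsers
2024-10-15T22:51:47.783869+02:00 ubuntu sshd[40807]: Connection closed by invalid user root 203.0.113.7 port 51034 [preauth]
2024-10-15T23:02:19.405203+02:00 ubuntu sshd[40852]: Accepted publickey for alice from 198.51.100.20 port 61060 ssh2: RSA SHA256:CONSTRUCTED
2024-10-16T15:04:29.108350+02:00 ubuntu sshd[47196]: banner exchange: Connection from 192.0.2.55 port 37796: invalid format
2024-10-16T15:04:36.782017+02:00 ubuntu sshd[47474]: Invalid user qwxzrandom from 192.0.2.55 port 45870
"""

LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (.*)$")
# "port N" below is the client's ephemeral source port, not the port sshd
# listens on. "Connection closed by ..." follow-up lines are skipped on purpose.
EVENTS = [
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S*) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("denied_user", re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because listed in DenyUsers")),
    ("bad_banner", re.compile(r"banner exchange: Connection from (?P<ip>\S+) port (?P<port>\d+): invalid format")),
    ("accepted", re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
]

def parse(log_text):
    """Yield (timestamp, kind, fields) for each sshd line matching a known event."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        for kind, pattern in EVENTS:
            hit = pattern.match(m.group(2))
            if hit:
                yield m.group(1), kind, hit.groupdict()
                break

def summarize(log_text):
    """Per source IP: rejected-attempt counts by kind and the user names tried."""
    stats = defaultdict(lambda: {"counts": Counter(), "users": set()})
    for _ts, kind, f in parse(log_text):
        if kind != "accepted":
            stats[f["ip"]]["counts"][kind] += 1
            if f.get("user"):
                stats[f["ip"]]["users"].add(f["user"])
    return dict(stats)

def accepted_logins(log_text):
    """Successful public-key logins, to compare against the known client PCs."""
    return [(ts, f["user"], f["ip"]) for ts, kind, f in parse(log_text) if kind == "accepted"]
```
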