I run OpenSSH on an Ubuntu 14.04 server. After a few hours of use my session dropped and the server behaved unstably for a while, so I went through the SSH-related logs and found a large number of unexpected access attempts.
Log file reviewed: /var/log/auth.log
[Screenshot: attempts to log in as root from unknown IP addresses]
[Screenshot: attempts to log in to a non-existent account (orego) from unknown IP addresses]
The attempts came from several different addresses, not one, and were only seconds apart. By default, Ubuntu's sshd logs only authentication (AUTH) events, so the log does not show whether these attempts are what interrupted my session.
The authentication log alone is not enough for a deeper analysis. The logging needs to be made more detailed (the LogLevel setting in /etc/ssh/sshd_config) so that the log can be reviewed the next time the problem occurs.
In the meantime, the AUTH log alone is enough to block these unauthorized attempts. Someone retrying every second is not a user mistyping a password; it is an automated brute-force run that keeps going until it hits a valid password. Left alone, it puts the stability of the server at risk.
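As an added example that is not part of the original post: a small shell script that performs the triage described above over constructed auth.log-style lines (the addresses, PIDs and the "orego" and "admin" account names in the sample are made up for the example). It counts failed password attempts per source address, lists the account names that do not exist on the host, and flags an address once it crosses a threshold.

```shell
#!/bin/sh
# Added example, not from the original post: triage of sshd authentication
# events in /var/log/auth.log format. SAMPLE_LOG is constructed for the example;
# on a real server pass the file instead:  failed_by_ip "$(cat /var/log/auth.log)"

# Constructed sample in the format Ubuntu 14.04 sshd writes at the default
# LogLevel INFO: only authentication outcomes are recorded, nothing about the
# connection itself.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Mar  3 10:01:03 host sshd[1203]: Failed password for root from 203.0.113.10 port 40130 ssh2
Mar  3 10:01:04 host sshd[1205]: Invalid user orego from 198.51.100.7
Mar  3 10:01:04 host sshd[1205]: Failed password for invalid user orego from 198.51.100.7 port 51211 ssh2
Mar  3 10:01:05 host sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51215 ssh2
Mar  3 10:01:06 host sshd[1209]: Failed password for root from 203.0.113.10 port 40141 ssh2
Mar  3 10:01:09 host sshd[1211]: Accepted publickey for ubuntu from 192.0.2.25 port 60010 ssh2'

# Print "count address" for every source of failed password attempts, busiest first.
failed_by_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the account names that were tried but do not exist on this host
# (sshd marks them "invalid user"), one per line, deduplicated.
invalid_users() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' |
        sort -u
}

# True when address $3 has at least $2 failed password attempts in log text $1.
is_bruteforce() {
    n=$(printf '%s\n' "$1" | grep -c "Failed password for .* from $3 port " || true)
    [ "$n" -ge "$2" ]
}

echo "Failed password attempts per source address:"
failed_by_ip "$SAMPLE_LOG"
echo "Non-existent accounts tried:"
invalid_users "$SAMPLE_LOG"
```

The "Invalid user" line and the matching "Failed password for invalid user" line are both written for the same attempt, which is why the script keys on the latter only; counting both would double every guess against a non-existent account.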
Here is how I blocked these attempts.
Ubuntu ships TCP Wrappers, which lets you control which addresses may reach a service through the /etc/hosts.allow and /etc/hosts.deny files. Ubuntu 14.04's sshd is built against libwrap, so it honours these files; newer OpenSSH releases dropped TCP Wrappers support, so on another version check with "ldd $(which sshd) | grep libwrap" before relying on this.
I checked the log meaning to register one of the offending IP addresses, but the addresses kept changing from attempt to attempt. So I blocked sshd for all addresses by default and added the address I connect from to the allow list, so that only I can reach ssh.
/etc/hosts.deny:
sshd: ALL
/etc/hosts.allow:
sshd: [IP Address]
With that in place I restarted sshd. (libwrap consults hosts.allow and hosts.deny on every incoming connection, so the restart is not actually required, but it does no harm.)
# service ssh restart
Checking /var/log/auth.log afterwards, the blocked connections show up as refused (sshd logs them as "refused connect from" followed by the client address), as in the screenshot below.
Most of these attempts are probably automated scanners or malware rather than someone targeting this server in particular, so they may not be cause for alarm. But since their intent is unknown, blocking them is the right move and improves the stability of the server.
How to set a range of IP addresses in TCP Wrappers
To allow the whole range 192.168.0.1 to 192.168.0.255, write the address either as a prefix ending in a dot or as a net/mask pair; hosts_access(5) accepts both forms:
sshd: 192.168.0.
sshd: 192.168.0.0/255.255.255.0
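Added example, not part of the original post, covering both the deny-all / allow-my-address setup above and the range syntax: the script writes the two rule files to a scratch directory (so it never touches /etc) and re-implements the hosts_access(5) matching order in shell for the pattern forms used on this page (ALL, exact address, trailing-dot prefix, net/mask), so you can see offline which client addresses get through. 192.0.2.25 is assumed as "my own IP"; the other addresses are constructed test inputs, and the matching code is a model of libwrap's behaviour, not libwrap itself.

```shell
#!/bin/sh
# Added example, not from the original post: build the deny-all / allow-only-me
# TCP Wrappers rules and check offline which clients they admit. The matching
# below models the hosts_access(5) rules for the patterns used on this page;
# it is not libwrap. 192.0.2.25 is assumed to be "my own IP".

MY_IP=192.0.2.25

# Rule files go to a scratch directory so the example never touches the real
# /etc/hosts.allow and /etc/hosts.deny.
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT

cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# Refuse every sshd connection that hosts.allow did not explicitly permit.
sshd: ALL
EOF

cat > "$WRAP_DIR/hosts.allow" <<EOF
# My own address, the 192.168.0.0/24 LAN as a trailing-dot prefix, and a
# second network written as net/mask.
sshd: $MY_IP
sshd: 192.168.0.
sshd: 10.0.0.0/255.255.0.0
EOF

# Dotted quad -> 32-bit integer, for net/mask comparison. Runs in a subshell so
# the IFS change does not leak.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Does one hosts_access pattern ($1) match client address $2?
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac; return 1 ;;   # "192.168.0." prefix
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;                                 # exact address
    esac
}

# Does any non-comment "daemon: list" line for daemon $1 in file $2 match client $3?
rule_matches() {
    patterns=$(sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" | tr ',' ' ')
    for p in $patterns; do
        pattern_matches "$p" "$3" && return 0
    done
    return 1
}

# hosts_access(5) order: a match in hosts.allow grants access, otherwise a match
# in hosts.deny refuses it, and a client matching neither file is allowed.
hosts_access() {
    if rule_matches "$1" "$WRAP_DIR/hosts.allow" "$2"; then echo allow
    elif rule_matches "$1" "$WRAP_DIR/hosts.deny" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed client addresses: my own, a LAN host, a host in the net/mask
# range, an attacker from the log, and a near-miss just outside the prefix.
for client in "$MY_IP" 192.168.0.77 10.0.42.9 203.0.113.10 192.168.10.5; do
    printf '%-15s %s\n' "$client" "$(hosts_access sshd "$client")"
done
```

On the server itself, tcpdmatch from the tcpd package performs the same check against the real files, for example "tcpdmatch sshd 203.0.113.10", and is the quickest way to confirm that your own address is still admitted before you close the session you are working in.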