Definition on sshd_config are not reflected

Posted: 01 Nov 2017 03:57
by yugawa806
I have specified the following in /etc/ssh/sshd_config.
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 5m
However, the following access logs still appear continuously from an IP in China.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146 user=root
Failed password for invalid user root from 58.218.198.146 port 25157 ssh2
Failed password for invalid user root from 58.218.198.146 port 25157 ssh2

My definitions in sshd_config do not appear to be reflected.
Why?

My env: CentOS-6.9-x86_64-minimal.iso with ks=http://dl.efa-project.org/build/3/ks.cfg.

Re: Definition on sshd_config are not reflected

Posted: 01 Nov 2017 04:34
by pdwalker
What are you expecting to see?

[edit]

The reason I ask is that those messages are correct. Someone tried to log in with a password but could not.

Try it yourself. Attempt to log in as root with the correct password and see if you can get in. If you cannot, then sshd is blocking the password logins, just as you would expect them to.

I've tested it on my instance and that is exactly the behaviour I am seeing. When I enable root login via password, it works just fine, and when it is disabled, I cannot log in - just as expected.

Hope that helps clear things up.

Re: Definition on sshd_config are not reflected

Posted: 01 Nov 2017 06:06
by yugawa806
In the sshd of my original CentOS 6.9,
if I specify them, it never appears in the log.

Also, the following iptables commands do not work either.
iptables -A INPUT -p tcp --dport 22 -j DROP ;
iptables -A INPUT -p tcp --sport 22 -j DROP ;
Isn't something strange?

Re: Definition on sshd_config are not reflected

Posted: 01 Nov 2017 06:31
by pdwalker
OK, I don't understand what you mean exactly.

It sounds like you have two questions for two problems so you need to solve them separately.

Can you tell me exactly what you want to do and why? If I understand this, I can give you better answers.

Re: Definition on sshd_config are not reflected

Posted: 01 Nov 2017 06:58
by yugawa806
My questions are:
Why does sshd_config not work?
Why does iptables not work? I think they are the same.

Why, whatever I specify,
does /var/log/secure keep recording the continuous access from China?

If sshd_config were effective, the same IP would never appear consecutively.
If iptables were effective, it would never be logged at all.

My goals are:
I would like a server with ssh that only accepts connections from a specific IP.
Also, I would like a server with ssh that only accepts a specific user ID.

that's all.

Re: Definition on sshd_config are not reflected

Posted: 02 Nov 2017 17:39
by budy
What does your iptables look like? The way you added those rules will append them after any other rule already existing, and thus it is no wonder that they don't do anything…

This is my iptables setup; I haven't done much tinkering with it, except adding support for the check-mk-agent:

[root@efa ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:check-mk-agent
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I wanted to block ssh entirely, I'd rather delete rule #6, which currently allows ssh access… Issuing your iptables commands will put those way down after the REJECT rule in the INPUT chain.
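
Why the appended DROP rules never fire, as an added example that is not part of the posts in this thread: a small Python model of first-match evaluation over the INPUT chain from the listing above. The loopback interface on rule 3, the numeric ports behind the service names, the eth0 interface and the allowed address 192.0.2.10 are assumptions.

```python
# Added illustration: iptables evaluates a chain top-down and stops at the
# first rule that matches. Chain modelled on the `iptables -L` listing above.

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")

def verdict(chain, pkt):
    """Return (rule_number, target) of the first matching rule."""
    for num, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return num, rule["target"]
    return None, "ACCEPT"  # chain policy in the listing is ACCEPT

def default_chain():
    accept_new = lambda port: {"proto": "tcp", "state": "NEW",
                               "dport": port, "target": "ACCEPT"}
    return [
        {"state": "ESTABLISHED", "target": "ACCEPT"},  # RELATED,ESTABLISHED
        {"proto": "icmp", "target": "ACCEPT"},
        {"iface": "lo", "target": "ACCEPT"},  # assumption: -L hides "-i lo"
        accept_new(80),
        {"proto": "tcp", "dport": 6556, "target": "ACCEPT"},  # check-mk-agent
        accept_new(22),      # rule #6: ssh open to anywhere
        accept_new(25),
        accept_new(10000),   # ndmp
        accept_new(443),
        {"target": "REJECT"},  # rule #10: catch-all
    ]

def new_ssh(src):
    """Constructed sample packet: first packet of an SSH connection on eth0."""
    return {"proto": "tcp", "state": "NEW", "dport": 22, "iface": "eth0", "src": src}

def appended():
    """Effect of `iptables -A INPUT -p tcp --dport 22 -j DROP`: lands at #11."""
    return default_chain() + [{"proto": "tcp", "dport": 22, "target": "DROP"}]

def restricted(allowed_ip):
    """Rule #6 replaced by an ACCEPT limited to one source address."""
    chain = default_chain()
    chain[5] = {"proto": "tcp", "state": "NEW", "dport": 22,
                "src": allowed_ip, "target": "ACCEPT"}
    return chain

if __name__ == "__main__":
    print(verdict(appended(), new_ssh("58.218.198.146")))
    print(verdict(restricted("192.0.2.10"), new_ssh("58.218.198.146")))
    print(verdict(restricted("192.0.2.10"), new_ssh("192.0.2.10")))
```

On a real host the same ordering can be checked with `iptables -L INPUT -n --line-numbers`, and a rule is placed at a chosen position with `iptables -I INPUT <number> ...` instead of `-A`.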

Re: Definition on sshd_config are not reflected

Posted: 03 Nov 2017 08:40
by yugawa806
I cannot understand why the following specification of #6 exists by default.
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

However, you pointed out the cause of this strange behavior of iptables. Thank you!
I have to consider whether the others, "smtp", "ndmp", "http" and "https", are also necessary.

Re: Definition on sshd_config are not reflected

Posted: 03 Nov 2017 18:42
by budy
If you turn off smtp, http, https access, then you could very well just shut down your efa box, as it will be of no further use…

Re: Definition on sshd_config are not reflected

Posted: 07 Nov 2017 04:13
by yugawa806
Yes I have understood it, however...
> My goals are:
> I would like a server with ssh that only accepts connections from a specific IP.
> Also, I would like a server with ssh that only accepts a specific user ID.

Now I deleted them and recreated the secure.