Help me stop this fucker from hacking me

You are currently reading a thread in /g/ - Technology

Thread replies: 33
Thread images: 2
File: Selection_004.png (19 KB, 674x198)
My logs are filled and filled with this same asshole trying to hack my computer via ssh. I've already disabled password authentication and root login for sshd. I can't change my port from 22 since my corporate firewall only opens certain ports.

Dec 09 09:55:31 mycomputer.mydomain audit[10797]: CRYPTO_KEY_USER pid=10797 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:b0:64:1c:10:e0:ba:af:d2:7a:55:17:74:fe:2d:82:97:a1:a6:0e:29:45:d0:6b:c6:50:af:d7:1e:de:7b:09:73 direction=? spid=10797 suid=0  exe="/usr/sbin/sshd" hostname=? addr=43.229.53.26 terminal=? res=success'
Dec 09 09:55:31 mycomputer.mydomain audit[10796]: CRYPTO_SESSION pid=10796 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-sha1 pfs=diffie-hellman-group14-sha1 spid=10797 suid=74 rport=42505 laddr=143.32.43.167 lport=22 exe="/usr/sbin/sshd" hostname=? addr=43.229.53.26 terminal=? res=success'
Dec 09 09:55:31 mycomputer.mydomain audit[10796]: CRYPTO_SESSION pid=10796 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-sha1 pfs=diffie-hellman-group14-sha1 spid=10797 suid=74 rport=42505 laddr=143.32.43.167 lport=22 exe="/usr/sbin/sshd" hostname=? addr=43.229.53.26 terminal=? res=success'


I've tried blocking him specifically at the firewall (image related, firewall-config) but he's somehow still able to try to login via ssh.

This wouldn't be a major problem since I use public key authentication, but my internet really slows down when he's making all of these login attempts and it bloats my journal to several gigs over the course of a week. Running Fedora.
>>
>>51772662
If it's your personal machine, and you don't use SSH for anything, just turn off your ssh daemon. In all other cases install Fail2ban and set it up to permaban any IP that fails 3 logins in a row.
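The original post's audit records and the fail2ban suggestion above both come down to the same two steps: count connections per source address from the sshd audit trail, then drop the offending address in the zone that firewalld actually applies to the interface. The script below is an added example, not code from the original thread or from fail2ban. It parses records in the exact format the post quotes (the first session and the CRYPTO_KEY_USER record are the post's own; the extra sessions and the second client 10.0.0.5 are constructed for the example), counts one session per sshd child (spid), since every session is logged twice, once per direction, and emits the firewall-cmd rich rule that drops the source. The zone name "public" and the threshold of 3 are assumptions. Two details worth reading off the records: rport is the client's ephemeral source port and lport=22 is the listening port, so a changing rport is normal; and a rich rule only takes effect in the zone bound to the interface, which is what the --get-active-zones check in the generated commands is for.

```python
import re
from collections import defaultdict

# key=value pairs as they appear in an audit record, including the pairs inside msg='...';
# quoted values such as exe="/usr/sbin/sshd" are captured whole and unquoted below.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")


def _session_records(pid, spid, addr, rport):
    """Both directions of one sshd session, in the audit record format quoted in the post.
    The first call below reproduces the post's record; the rest are constructed samples."""
    return [
        "Dec 09 09:55:31 mycomputer.mydomain audit[%d]: CRYPTO_SESSION pid=%d uid=0 "
        "auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
        "msg='op=start direction=%s cipher=aes128-ctr ksize=128 mac=hmac-sha1 "
        "pfs=diffie-hellman-group14-sha1 spid=%d suid=74 rport=%d laddr=143.32.43.167 "
        "lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=%s terminal=? res=success'"
        % (pid, pid, direction, spid, rport, addr)
        for direction in ("from-server", "from-client")
    ]


# Constructed sample log: the post's CRYPTO_KEY_USER record (which the parser must ignore),
# the post's session (spid 10797), three made-up further sessions from the same address
# and one made-up session from a legitimate client 10.0.0.5.
SAMPLE_AUDIT_LOG = "\n".join(
    [
        "Dec 09 09:55:31 mycomputer.mydomain audit[10797]: CRYPTO_KEY_USER pid=10797 uid=0 "
        "auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
        "msg='op=destroy kind=server fp=SHA256:b0:64:1c:10:e0:ba:af:d2:7a:55:17:74:fe:2d:82:"
        "97:a1:a6:0e:29:45:d0:6b:c6:50:af:d7:1e:de:7b:09:73 direction=? spid=10797 suid=0  "
        "exe=\"/usr/sbin/sshd\" hostname=? addr=43.229.53.26 terminal=? res=success'"
    ]
    + _session_records(10796, 10797, "43.229.53.26", 42505)  # from the post
    + _session_records(10802, 10803, "43.229.53.26", 42610)  # constructed
    + _session_records(10810, 10811, "43.229.53.26", 42733)  # constructed
    + _session_records(10819, 10820, "43.229.53.26", 42801)  # constructed
    + _session_records(10829, 10830, "10.0.0.5", 51002)      # constructed, legitimate client
)


def parse_audit_record(line):
    """Return every key=value field of one audit line as a dict of strings."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sessions_by_source(log_text):
    """Map source address -> set of sshd child pids (spid) that started a CRYPTO_SESSION.

    Each session is logged twice (direction=from-server and direction=from-client) with
    the same spid, so counting distinct spid values gives one count per connection.
    rport is the remote (client) source port; lport is our listening port, 22 here.
    """
    sessions = defaultdict(set)
    for line in log_text.splitlines():
        if " CRYPTO_SESSION " not in line:
            continue
        fields = parse_audit_record(line)
        if fields.get("lport") != "22" or fields.get("exe") != "/usr/sbin/sshd":
            continue
        sessions[fields["addr"]].add(fields["spid"])
    return sessions


def offenders(sessions, threshold):
    """Addresses that opened at least `threshold` sessions, sorted for stable output."""
    return sorted(addr for addr, spids in sessions.items() if len(spids) >= threshold)


def firewalld_drop_commands(addr, zone="public"):
    """firewall-cmd invocations that drop all IPv4 traffic from addr in the given zone.

    The first command shows which zone each interface is bound to: a rich rule added to a
    zone that is not bound to the interface has no effect. The last command lists the
    zone's rich rules so the new rule can be confirmed after the reload.
    """
    rule = 'rule family="ipv4" source address="%s" drop' % addr
    return [
        "firewall-cmd --get-active-zones",
        "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'" % (zone, rule),
        "firewall-cmd --reload",
        "firewall-cmd --zone=%s --list-rich-rules" % zone,
    ]


if __name__ == "__main__":
    by_src = sessions_by_source(SAMPLE_AUDIT_LOG)
    for addr in offenders(by_src, threshold=3):
        print("# %s: %d sessions" % (addr, len(by_src[addr])))
        print("\n".join(firewalld_drop_commands(addr)))
```

On a real Fedora box the input would be `ausearch -m CRYPTO_SESSION` or `journalctl -t audit` output rather than the embedded sample; the parser needs no change for that. The generated commands are printed rather than executed so they can be reviewed before touching the firewall.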
>>
>>51772692
I do use ssh quite a bit though. And fail2ban isn't going to do anything that those firewall rules should be doing already right? It's just going to add that IP to the blocklist, which I've already done.

I just don't understand why those requests are making it through to sshd when they should be dropped at the firewall.
>>
>>51772662
You could try redirecting his requests from your ip to 127.0.0.1 so his requests just take him back to his localhost.
I've used this in the past when my friends were trying to take down my fileserver/seedbox that I run out of old laptop in my room. It works reasonably well.
>>
>>51772743
If you've already set up iptable rules to drop packets from this guy, and it's not doing anything then you should work out why your iptables rules aren't doing anything.
>>
>>51772839
I'm using firewalld, not iptables.

>>51772809
Wouldn't this just redirect the requests to my system since I would also have to enable masquerading?
>>
>>51772957
Depends on how you do it. In my case, since my friends were accessing the server through my domain rather than directly via my public ip, all I had to do was make my domain point to 127.0.0.1
But in your case, since it's only one person and you know their IP, all you have to do is add an iptables rule to redirect them back to their own IP (43.229.53.26).
Alternatively, DDOS the fuck out of their ip.
>>
>tfw wanting to get into cybersecurity
>tfw can barely follow any of this shit
>>
>>51772839
>>51772692

I might run fail2ban for a couple of minutes and see what rule it creates in firewallcmd-ipset and compare it to my own rule to see if it differs.

It should be more straightforward than this though, weird.
>>
>>51773249
If you want to get into cybersecurity then I highly recommend that you check out Cisco's Cybersecurity CCNA, it provides a pretty solid base.
>>
>>51773249
lol same
>>
How are requests to port 42505 making it through in the first place?
>>
>>51773329
Cool. I'll check it out. Thank you.
>>
>>51773249
>want to get into x
>can barely do any of this shit

Then you don't want to get into it, anon. If you did you would have found a way.
>>
>>51773249

Pirate the sans study materials ;)
>>
>>51773444

Also, learn by doing. I started when I was a kid, and now that's what I do for a living.
>>
>>51773489
Naturally
>>
>>51772957
firewalld uses iptables under the hood, just fyi.
>>
>>51773635
source? I thought they differed fundamentally such that firewalld can implement new rules w/o breaking current connections

Also, I can install firewalld without the iptables packages
>>
kek
>>
>>51773793
Nice 4 char. I wonder how much they'll be worth in 5 years
>>
>>51772692
>3 logins in a row
should probably set that a bit higher for when you're having a drunk evening and decide to ssh to your server
speaking from experience
>>
>>51774208
>what is public key authentication
>>
>>51774287
>i always login from the same machine
>>
>>51774563
>logging in drunk from a public computer to your server via cleartext password authentication

sounds like a good idea
>>
>>51773686
As far as I know, they bundle own copy.
>>
>>51775807
>a public computer
what
how about my phone you nigger

But yeah, it's called being drunk, you should try it sometimes
Might even meet some people
>>
>>51776210
You do realize that you can load multiple public keys onto your server? One for each authorized device?
>>
>>51776210
>needing to become intoxicated to meet and socialize with people

You know in the long run a psychiatrist would be cheaper, right?
>>
>>51776545
it's okay, one day you'll be able to go to the store and buy your own alcohol kid
>>
>>51776566
>tfw parents own and operate winery
>tfw will never have a reason to buy alcohol at store

feelsbadman
>>
>>51776659
>tfw browse anonymous image board
>tfw make claims on it

Feels bad man
>>
Let him in, then turn off the SSH daemon so he's trapped inside, then open Teamviewer and we can all jump that fucker at once.