Difference between revisions of "EBC Exercise 16a ssh port number"

From eLinux.org
Jump to: navigation, search
(Initial info)
 
m (Changing the port ssh uses: Added .ssh/config instructions.)
 
(One intermediate revision by the same user not shown)
Line 16: Line 16:
 
  Jul 22 14:24:02 pocket sshd[2330]: pam_unix(sshd:session): session opened for user debian by (uid=0)
 
  Jul 22 14:24:02 pocket sshd[2330]: pam_unix(sshd:session): session opened for user debian by (uid=0)
  
Here you see normal activity.  I logged in as debian using the publickey that was setup with <code>ssh-copy-id</code>.
+
Here you see normal activity.  I logged in as '''debian''' using the publickey that was setup with <code>ssh-copy-id</code>.
  
Now try logging in as an invalid user.  Here I try '''yoder'''.
+
Now try logging in as an invalid user.  Here I tried <code>ssh yoder@bone</code> from the host.  
 
  bone$ '''journalctl | grep ssh'''
 
  bone$ '''journalctl | grep ssh'''
 
  Jul 22 15:38:10 pocket sshd[2507]: Failed password for invalid user yoder from 192.168.7.1 port 47942 ssh2
 
  Jul 22 15:38:10 pocket sshd[2507]: Failed password for invalid user yoder from 192.168.7.1 port 47942 ssh2
 
  Jul 22 15:38:16 pocket sshd[2507]: Connection closed by invalid user yoder 192.168.7.1 port 47942 [preauth]
 
  Jul 22 15:38:16 pocket sshd[2507]: Connection closed by invalid user yoder 192.168.7.1 port 47942 [preauth]
  
The login is rejected.   
+
The login is rejected.  One time I left a Beagle running with an externally accessible IP address.  Within a day there were dozens of login attempts. A quick way to see them is:
 +
bone$ '''journalctl | grep -i invalid'''
 +
Jul 22 15:38:04 pocket sshd[2507]: Invalid user yoder from 192.168.7.1 port 47942
 +
Jul 22 15:38:10 pocket sshd[2507]: Failed password for invalid user yoder from 192.168.7.1 port 47942 ssh2
 +
Jul 22 15:38:16 pocket sshd[2507]: Connection closed by invalid user yoder 192.168.7.1 port 47942 [preauth]
 +
 
 +
Make sure you don't use an easy to guess password.  You know they'll try '''debian''' as a user.
 +
 
 +
== Changing the port the ssh server listens on ==
 +
You can easily change the port the ssh server listens on.  By default it on port 22, so everyone will try it.  Change the port using:
 +
 
 +
bone$ '''sudo vi /etc/ssh/sshd_config'''
 +
Scroll to around line 13 and you'll see:
 +
'''#Port 22'''
 +
Remove the '''#''' and change the 22 to something greater than 1000, say 1022.  Then
 +
bone$ '''sudo systemctl restart sshd'''
 +
Now, what you login from your host you'll have to say which port to use:
 +
host$ '''ssh -p1022 bone'''
 +
 
 +
== Changing the port ssh uses ==
 +
If you forget to add the '''-p1022''' you'll get an error.  But you can change which
 +
port ssh will used.  Edit the file '''~/.ssh/config''' and add the following:
 +
 
 +
Host    192.168.7.2
 +
        Port    1022
 +
        User    debian
 +
        UserKnownHostsFile /dev/null
 +
        StrictHostKeyCHecking no
 +
                                                                                                                                                 
 +
Host    bone
 +
        Port    1022
 +
        User    debian
 +
        UserKnownHostsFile /dev/null
 +
        StrictHostKeyCHecking no
 +
The first entry says if the does:
 +
host$ '''ssh 192.168.7.2'''
 +
then use port 1022 and user name debian
 +
The second entry is the same for
 +
host$ '''ssh bone'''
  
 
{{YoderFoot}}
 
{{YoderFoot}}

Latest revision as of 10:29, 21 September 2020

thumb‎ Embedded Linux Class by Mark A. Yoder


If you leave your Beagle on a publicly exposed network (like Rose's) long you'll soon see login attempts from all over the world.

Here you'll learn how to see those attempts and how to change your ssh port number to avoid them.

journalctl

A quick way to see if anyone's been trying to access your Beagle is:

bone$ journalctl | grep ssh
Jul 22 14:17:11 pocket sh[936]: generic-board-startup: ssh
Jul 22 14:17:13 pocket sshd[964]: Server listening on 0.0.0.0 port 22.
Jul 22 14:17:13 pocket sshd[964]: Server listening on :: port 22.
Jul 22 14:24:02 pocket sshd[2328]: Connection closed by authenticating user debian 192.168.7.1 port 47886 [preauth]
Jul 22 14:24:02 pocket sshd[2330]: Accepted publickey for debian from 192.168.7.1 port 47888 ssh2: RSA SHA256:kkATqhiwy+v8EzXzJSV3jSrVEam/L+NF2yl8GFdvOBI
Jul 22 14:24:02 pocket sshd[2330]: pam_unix(sshd:session): session opened for user debian by (uid=0)

Here you see normal activity. I logged in as debian using the publickey that was setup with ssh-copy-id.

Now try logging in as an invalid user. Here I tried ssh yoder@bone from the host.

bone$ journalctl | grep ssh
Jul 22 15:38:10 pocket sshd[2507]: Failed password for invalid user yoder from 192.168.7.1 port 47942 ssh2
Jul 22 15:38:16 pocket sshd[2507]: Connection closed by invalid user yoder 192.168.7.1 port 47942 [preauth]

The login is rejected. One time I left a Beagle running with an externally accessible IP address. Within a day there were dozens of login attempts. A quick way to see them is:

bone$ journalctl | grep -i invalid
Jul 22 15:38:04 pocket sshd[2507]: Invalid user yoder from 192.168.7.1 port 47942
Jul 22 15:38:10 pocket sshd[2507]: Failed password for invalid user yoder from 192.168.7.1 port 47942 ssh2
Jul 22 15:38:16 pocket sshd[2507]: Connection closed by invalid user yoder 192.168.7.1 port 47942 [preauth]

Make sure you don't use an easy to guess password. You know they'll try debian as a user.

Changing the port the ssh server listens on

You can easily change the port the ssh server listens on. By default it on port 22, so everyone will try it. Change the port using:

bone$ sudo vi /etc/ssh/sshd_config

Scroll to around line 13 and you'll see:

#Port 22

Remove the # and change the 22 to something greater than 1000, say 1022. Then

bone$ sudo systemctl restart sshd

Now, what you login from your host you'll have to say which port to use:

host$ ssh -p1022 bone

Changing the port ssh uses

If you forget to add the -p1022 you'll get an error. But you can change which port ssh will used. Edit the file ~/.ssh/config and add the following:

Host    192.168.7.2
        Port    1022
        User    debian
        UserKnownHostsFile /dev/null
        StrictHostKeyCHecking no 
                                                                                                                                                  
Host    bone
        Port    1022
        User    debian
        UserKnownHostsFile /dev/null
        StrictHostKeyCHecking no

The first entry says if the does:

host$ ssh 192.168.7.2

then use port 1022 and user name debian The second entry is the same for

host$ ssh bone




thumb‎ Embedded Linux Class by Mark A. Yoder