[SOLVED] Ssh login problem.

satyadev75
Posts: 6
Joined: 2013/08/08 05:54:34

[SOLVED] Ssh login problem.

Post by satyadev75 » 2014/02/13 12:28:40

Hi Linux Experts,

One of my customers is using CentOS 5.9 as a webserver. I often have problems logging in via ssh. I am unable to find the reason or a solution. I have checked the logs also. Please help me out with this.

There are "too many authentication failures for root" messages in /var/log/secure. This happens with some other IPs, not with my IP. But ssh still gives me problems. After a few minutes I am able to log in.

# cat ~/.ssh/config
Host domain2.com
    StrictHostKeyChecking no
    User backmaster
    IdentityFile /home/backmaster/.ssh/id_rsa

# cat /etc/ssh/sshd_config | grep -v '#'
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

Please please help me to clear this. Thank you in advance. If required I can provide more information. :(

NOTE: my monitoring tool is giving an alert message like "SshException".

--
Last edited by satyadev75 on 2014/08/06 05:57:53, edited 1 time in total.
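
Added example, not part of the original posts: one way to check which source addresses are behind the "Too many authentication failures for root" entries in /var/log/secure. It assumes the older sshd log format, where the disconnect line carries no address and has to be joined to the earlier "Failed password" lines through the sshd PID; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the syslog format sshd writes to /var/log/secure.
# Addresses come from documentation ranges; nothing here is from the thread.
SAMPLE_LOG = """\
Feb 13 12:01:10 web sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 13 12:01:12 web sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 13 12:01:15 web sshd[4101]: Disconnecting: Too many authentication failures for root
Feb 13 12:01:20 web sshd[4107]: Failed password for invalid user admin from 198.51.100.23 port 51544 ssh2
Feb 13 12:02:01 web sshd[4110]: Accepted password for backmaster from 192.0.2.10 port 60022 ssh2
Feb 13 12:02:30 web sshd[4115]: Failed password for root from 203.0.113.7 port 40150 ssh2
Feb 13 12:02:33 web sshd[4115]: Disconnecting: Too many authentication failures for root
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
TOO_MANY = re.compile(r"Too many authentication failures for (?P<user>\S+)")


def summarize(log_text):
    """Return (failed passwords per IP, 'too many failures' disconnects per IP)."""
    failed = Counter()
    disconnects = Counter()
    ip_by_pid = {}  # sshd child PID -> last source address seen for it
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        f = FAILED.search(msg)
        if f:
            failed[f["ip"]] += 1
            ip_by_pid[pid] = f["ip"]
        elif TOO_MANY.search(msg):
            # No address on this line: attribute it through the PID.
            disconnects[ip_by_pid.get(pid, "unknown")] += 1
    return failed, disconnects


if __name__ == "__main__":
    failed, disconnects = summarize(SAMPLE_LOG)
    for ip, count in failed.most_common():
        print(f"{ip}: {count} failed passwords, "
              f"{disconnects[ip]} 'too many failures' disconnects")
```

PIDs are reused over time, so on a real log run this over one rotation period rather than across months of history.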

roklebor
Posts: 55
Joined: 2012/04/15 06:58:35

Re: Ssh login problem.

Post by roklebor » 2014/02/13 22:52:14

If it is a publicly accessible server, I would definitely recommend turning off password authentication for ssh logins and using only public key authentication, if such a configuration would be acceptable for your customer.

Of course, your private key should be stored encrypted by a passphrase.

satyadev75
Posts: 6
Joined: 2013/08/08 05:54:34

Re: Ssh login problem.

Post by satyadev75 » 2014/02/14 11:46:07

Hi Roklebor,

Thank you for your recommendation. That is really helpful. But....

Actually we recommended that our customer use iptables to accept only a few IP addresses. But their employees work even while travelling and also from remote places. So they are not accepting iptables.

Anyway we will ask for the public key authentication. I don't think they will accept it. So, please tell me any other alternative way to clear this.

Is there any way to ignore the failed authentications and have ssh work fine?

roklebor
Posts: 55
Joined: 2012/04/15 06:58:35

Re: Ssh login problem.

Post by roklebor » 2014/02/17 19:04:03

The SSH daemon controls password-based authentication frequency by many parameters; some of them are:
MaxAuthTries
MaxSessions
MaxStartups
Maybe there are others; consult "man sshd_config" for more configuration options, I don't remember them all.

I have had such troubles on one of the servers I had to manage at the time, and found out that when script-kiddies are trying to break in to a publicly available ssh server, the ssh daemon limits the maximum number of retries for some period .. I don't remember this mechanism exactly, I just remember that I recommended the server owner to switch to pubkey authentication, he accepted this recommendation, and thereafter the troubles with logging in disappeared immediately. Maybe for pubkey authentication those restrictions do not apply at all.

You can also move the ssh listening port from the default 22 to some other random number (up to 65535), which dramatically reduces the attack surface for script-kiddies, which, logically, dramatically reduces the problems with too many failed login attempts in a defined time period, and also prevents your logs from being flooded by megabytes of failed-login-attempt messages.

Anyhow, for a publicly available ssh server, keep it up-to-date to ensure its minimal vulnerability.
