this post was submitted on 10 Nov 2023
31 points (89.7% liked)

Linux

48208 readers
921 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would've thought that it would be reflected in /var/log/auth.log. Instead, it shows up as failed password entry. Is this intended?

What I've done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.

Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?

you are viewing a single comment's thread
view the rest of the comments
[–] willybe@lemmy.ca 4 points 1 year ago* (last edited 1 year ago) (7 children)

Yes that's the right way to block root login. An added filter you can use the 'match' config expression to filter logins even further.

If you're on the open network, your connection will be heavily hit with login attempts. That is normal. But using another service like Fail2Ban will stop repeated hits to your host.

~~Ssh listens on port 22, as soon as a connection is made the host moves the connection to another port to free up 22 for other new connections.~~ Btw: I wasn't thinking clearly here. Out going connections won't be using port 22, but the listening incoming port is always 22.

[–] Markaos@lemmy.one 5 points 1 year ago* (last edited 1 year ago) (1 children)

Ssh listens on port 22, as soon as a connection is made the host moves the connection to another port to free up 22 for other new connections.

There's no limit on the number of concurrent connections on a single port, and SSH runs completely on the one port it is configured to use. Otherwise allowing just the port 22 in firewall wouldn't be enough to have a functional SSH connection with default settings.

You can verify that quite easily for example by spinning up three barebone Debian VMs connected to a single virtual network, configuring the firewall on the "server" VM to drop everything other than port 22 and then connecting from both client VMs - it will work just fine.

Maybe you're confusing it with the fact that only one process can listen on a given port at a time? But that's only for establishing new connections. Existing connections can be passed off to another running process or a child process just fine, and that's how SSH handles separation between connections.

Edit: oh, you're talking about the high port OP is wondering about. That's just the source port, which is chosen randomly by the client OS when making a connection. Using port 22 (or any other port below 1025) as a source port would require root privileges on the client and would also conflict with the SSH server that could be running there. Still, it has nothing to do with SSH "moving connections over"

[–] cyberwolfie@lemmy.ml 2 points 1 year ago* (last edited 1 year ago)

Edit: oh, you’re talking about the high port OP is wondering about. That’s just the source port, which is chosen randomly by the client OS when making a connection. Using port 22 (or any other port below 1025) as a source port would require root privileges on the client and would also conflict with the SSH server that could be running there. Still, it has nothing to do with SSH “moving connections over”

Ah, I see, so the port numbers shown in auth.log are all client side ports. I guess I thought that the listening port would be in the log and assumed that the port listed there would be it, but when I read the lines again, it clearly says "from ip.ad.dr.ess port 12345"

load more comments (5 replies)