Hello everyone,
I regularly connect over SSH to a server from home. But when I travel and my IP changes, the connection freezes a few seconds after it is established.
I have no firewall running, apart from fail2ban:
```
iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target           prot opt source               destination
f2b-pam-generic  tcp  --  anywhere             anywhere
f2b-recidive     tcp  --  anywhere             anywhere
f2b-sshd         tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target           prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source               destination

Chain f2b-pam-generic (1 references)
target           prot opt source               destination
REJECT           all  --  96-78-175-37-static.hfc.comcastbusiness.net  anywhere  reject-with icmp-port-unreachable
REJECT           all  --  143.110.212.213      anywhere             reject-with icmp-port-unreachable
…
RETURN           all  --  anywhere             anywhere

Chain f2b-recidive (1 references)
REJECT           all  --  96-78-175-36-static.hfc.comcastbusiness.net  anywhere  reject-with icmp-port-unreachable
…
```
I have not listed all the rejected repeat-offender IPs, there are several hundred…
The config:
```
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
```
My IP at the time of connecting: 188.79.222.48
Any suggestion welcome
Hello,
You should use an SSH key and set PasswordAuthentication to no.
You can also add AllowUsers user1 userX to your config so that only the users you want are allowed to log in.
Then install sshguard so that it watches your connections and properly filters out what is fraudulent.
When you travel and switch to 4G, be aware that not all carriers accept SSH traffic, or they throttle it.
You can set up a small VPN on your server that will let you open the connection, worth testing.
Have a good day
Captainadmin
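As an added illustration (not the poster's file and not part of the thread), here is what the advice above looks like as sshd_config directives, set against the corresponding lines of the config posted earlier. The login name `me` and the home network `203.0.113.0/24` are placeholders, not values from the thread.

```sshd_config
# Added example: hardened replacements for the posted sshd_config lines.
# "me" and 203.0.113.0/24 are placeholders.
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys   # legacy authorized_keys2 dropped
PasswordAuthentication no                 # was: yes
ChallengeResponseAuthentication no
UsePAM yes                                # keep for account/session modules
AllowUsers me                             # was: absent, any local account could try
X11Forwarding no                          # was: yes; request it per session with ssh -X if needed
MaxAuthTries 3
LoginGraceTime 30

# Match blocks must come last. Password fallback only from the home network,
# so a lost key on the road does not lock you out while everyone else
# (bots included) gets public-key only.
Match Address 203.0.113.0/24
    PasswordAuthentication yes
```

Validate with `sshd -t` before restarting, and use `sshd -T -C addr=198.51.100.7,user=me` (any test address) to print the settings sshd would actually apply for a given source, which confirms the Match block only reopens passwords for the home range. Keep the current session open until a fresh login from a second terminal succeeds, since a typo here locks you out just as effectively as fail2ban does.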
Thanks.
I do use an SSH key. PasswordAuthentication is set to yes in case of problems, but I don't see why that parameter would block me when my IP changes.
Same for AllowUsers. I haven't changed user, only IP.
You can set up a small VPN
A good tutorial for that on Debian?
I tried the suggested options anyway:
PasswordAuthentication no
AllowUsers me
without success:
```
$ ssh -v me@x.x.x.x
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021
debug1: Reading configuration data /home/me/.ssh/config
debug1: /home/me/.ssh/config line 2: Applying options for
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: connect to address x.x.x.x port 22: Connection refused
```
Even with fail2ban disabled it doesn't connect. Same user, same machine, only the IP changes.
I absolutely have to solve this before I leave. Thanks for your help
connect to address x.x.x.x port 22: Connection refused
Too bad you don't give the address, I would have tried as well :(
Apparently it is your VPS that refuses the connection.
Try adding a second listening port for the ssh daemon on another port, for example 8022.
Hello,
have you checked your logs at the time of the attempt?
Regards, janus57
It seems the latest changes were applied late, because when I tried to test this morning it works!
I probably didn't notice right away because of a FAIL2BAN ban for failed attempts?
Many thanks to all for your support
Wanting to retest a few minutes later, I was surprised to get "port 22: Connection refused" again.
So I collected the logs when I got home, having taken care to note the exact time of my attempts:
```
—auth.log:
Jun 2 10:53:45 ksxxxxxx sshd[124324]: Accepted publickey for me from 188.79.222.48 port 55276 ssh2: RSA SHA256:eHB/0b9qDKtiIsd4vY5xAth8pyCMD2PK5TUIsTVLGWQ
…
Jun 2 11:00:39 ksxxxxxx sshd[124334]: Received disconnect from 188.79.222.48 port 55276:11: disconnected by user
Jun 2 11:00:39 ksxxxxxx sshd[124334]: Disconnected from user me 188.79.222.48 port 55276
Jun 2 11:00:39 ksxxxxxx sshd[124324]: pam_unix(sshd:session): session closed for user me
Jun 2 11:00:44 ksxxxxxx auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 11:00:44 ksxxxxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rctr1 rhost=111.67.53.7
Jun 2 11:01:01 ksxxxxxx CRON[124785]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:01:01 ksxxxxxx CRON[124785]: pam_unix(cron:session): session closed for user root
Jun 2 11:01:55 ksxxxxxx sshd[124841]: User root from 45.55.165.48 not allowed because not listed in AllowUsers
Jun 2 11:01:55 ksxxxxxx sshd[124841]: Received disconnect from 45.55.165.48 port 50857:11: Bye Bye [preauth]
Jun 2 11:01:55 ksxxxxxx sshd[124841]: Disconnected from invalid user root 45.55.165.48 port 50857 [preauth]
Jun 2 11:01:56 ksxxxxxx sshd[124845]: User root from 78.142.18.204 not allowed because not listed in AllowUsers
Jun 2 11:01:56 ksxxxxxx sshd[124845]: Connection closed by invalid user root 78.142.18.204 port 57850 [preauth]
Jun 2 11:02:00 ksxxxxxx sshd[124849]: Unable to negotiate with 61.177.173.43 port 40544: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Jun 2 11:02:01 ksxxxxxx CRON[124851]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:02:01 ksxxxxxx CRON[124851]: pam_unix(cron:session): session closed for user root
Jun 2 11:02:45 ksxxxxxx auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 11:02:45 ksxxxxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=inf@webologix.com rhost=188.79.222.48
Jun 2 11:03:01 ksxxxxxx CRON[124907]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:03:01 ksxxxxxx CRON[124907]: pam_unix(cron:session): session closed for user root
Jun 2 11:03:08 ksxxxxxx auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 11:03:08 ksxxxxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me@webologix.com rhost=188.79.222.48
Jun 2 11:03:23 ksxxxxxx sshd[124966]: User root from 192.153.57.7 not allowed because not listed in AllowUsers
Jun 2 11:03:23 ksxxxxxx sshd[124966]: Received disconnect from 192.153.57.7 port 47060:11: Bye Bye [preauth]
Jun 2 11:03:23 ksxxxxxx sshd[124966]: Disconnected from invalid user root 192.153.57.7 port 47060 [preauth]
—syslog
Jun 2 10:53:01 ksxxxxxx CRON[124277]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:54:01 ksxxxxxx CRON[124344]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:55:01 ksxxxxxx CRON[124414]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:55:01 ksxxxxxx CRON[124413]: (getmail) CMD (/usr/local/bin/run-getmail.sh > /dev/null 2>> /dev/null)
Jun 2 10:55:32 ksxxxxxx postfix/anvil[124148]: statistics: max connection rate 8/60s for (submission:46.101.209.124) at Jun 2 10:52:12
Jun 2 10:55:32 ksxxxxxx postfix/anvil[124148]: statistics: max connection count 1 for (submission:185.28.39.65) at Jun 2 10:50:58
Jun 2 10:55:32 ksxxxxxx postfix/anvil[124148]: statistics: max cache size 2 at Jun 2 10:51:57
Jun 2 10:56:02 ksxxxxxx CRON[124479]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:57:01 ksxxxxxx CRON[124532]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:57:56 ksxxxxxx dovecot: imap(me@webologix.com)<117736>: Connection closed (IDLE running for 0.001 + waiting input for 1044.228 secs, 2 B in + 10 B out, state=wait-input) in=2903 out=10022 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jun 2 10:57:58 ksxxxxxx dovecot: imap(inf@webologix.com)<118880>: Connection closed (IDLE running for 0.001 + waiting input for 1046.646 secs, 2 B in + 10 B out, state=wait-input) in=2548 out=9910 deleted=0 expunged=0 trashed=4 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jun 2 10:58:01 ksxxxxxx CRON[124586]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:58:02 ksxxxxxx dovecot: imap(tmp@webologix.com)<117105><8Eaj23HgLKBZFUXD>: Connection closed (IDLE running for 0.001 + waiting input for 1050.705 secs, 2 B in + 10 B out, state=wait-input) in=9111 out=392653 deleted=1 expunged=0 trashed=5 hdr_count=11 hdr_bytes=4619 body_count=11 body_bytes=359998
Jun 2 10:58:03 ksxxxxxx dovecot: imap(tmp@webologix.com)<117089>: Connection closed (IDLE running for 0.001 + waiting input for 1052.157 secs, 2 B in + 10 B out, state=wait-input) in=5102 out=20008 deleted=0 expunged=0 trashed=10 hdr_count=5 hdr_bytes=1876 body_count=0 body_bytes=0
Jun 2 10:58:07 ksxxxxxx dovecot: imap-login: Login: user=webologix.com>, method=PLAIN, rip=188.79.222.48, lip=x.x.x.x, mpid=124638, TLS, session=
Jun 2 10:58:19 ksxxxxxx postfix/submission/smtpd[124639]: warning: hostname eachfouled.net does not resolve to address 185.28.39.65
Jun 2 10:58:19 ksxxxxxx postfix/submission/smtpd[124639]: connect from unknown[185.28.39.65]
Jun 2 10:58:19 ksxxxxxx postfix/submission/smtpd[124639]: disconnect from unknown[185.28.39.65] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jun 2 10:58:20 ksxxxxxx dovecot: imap(inf@webologix.com)<117103>: Connection closed (IDLE running for 0.001 + waiting input for 983.643 secs, 2 B in + 10 B out, state=wait-input) in=2579 out=8990 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jun 2 10:58:57 ksxxxxxx dovecot: imap(me@webologix.com)<117101><7fei23HgMKBZFUXD>: Connection closed (IDLE running for 0.001 + waiting input for 1069.538 secs, 2 B in + 10 B out, state=wait-input) in=4977 out=76479 deleted=0 expunged=0 trashed=0 hdr_count=3 hdr_bytes=942 body_count=3 body_bytes=59305
Jun 2 10:59:01 ksxxxxxx CRON[124646]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 10:59:50 ksxxxxxx dovecot: imap(tmp@webologix.com)<117418>: Connection closed (IDLE running for 0.001 + waiting input for 1159.717 secs, 2 B in + 10 B out, state=wait-input) in=5418 out=78170 deleted=16 expunged=0 trashed=0 hdr_count=33 hdr_bytes=13462 body_count=0 body_bytes=0
Jun 2 11:00:01 ksxxxxxx CRON[124705]: (getmail) CMD (/usr/local/bin/run-getmail.sh > /dev/null 2>> /dev/null)
Jun 2 11:00:01 ksxxxxxx CRON[124706]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 11:00:26 ksxxxxxx postfix/smtps/smtpd[124769]: connect from bl23-180-230.dsl.telepac.pt[144.64.180.230]
Jun 2 11:00:34 ksxxxxxx postfix/smtps/smtpd[124769]: warning: bl23-180-230.dsl.telepac.pt[144.64.180.230]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 2 11:00:34 ksxxxxxx postfix/smtps/smtpd[124769]: lost connection after AUTH from bl23-180-230.dsl.telepac.pt[144.64.180.230]
Jun 2 11:00:34 ksxxxxxx postfix/smtps/smtpd[124769]: disconnect from bl23-180-230.dsl.telepac.pt[144.64.180.230] ehlo=1 auth=0/1 commands=1/2
Jun 2 11:00:36 ksxxxxxx postfix/smtps/smtpd[124769]: connect from 111-67-53-7.veetime.com[111.67.53.7]
Jun 2 11:00:48 ksxxxxxx postfix/smtps/smtpd[124769]: warning: 111-67-53-7.veetime.com[111.67.53.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 2 11:00:49 ksxxxxxx postfix/smtps/smtpd[124769]: lost connection after AUTH from 111-67-53-7.veetime.com[111.67.53.7]
Jun 2 11:00:49 ksxxxxxx postfix/smtps/smtpd[124769]: disconnect from 111-67-53-7.veetime.com[111.67.53.7] ehlo=1 auth=0/1 commands=1/2
Jun 2 11:01:01 ksxxxxxx CRON[124789]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 11:01:27 ksxxxxxx postfix/postscreen[124836]: CONNECT from [117.145.108.138]:61976 to [188.165.47.210]:25
Jun 2 11:01:27 ksxxxxxx postfix/postscreen[124836]: PASS OLD [117.145.108.138]:61976
Jun 2 11:01:28 ksxxxxxx postfix/smtpd[124839]: connect from unknown[117.145.108.138]
Jun 2 11:01:31 ksxxxxxx postfix/smtpd[124839]: disconnect from unknown[117.145.108.138] ehlo=1 auth=0/1 quit=1 commands=2/3
Jun 2 11:01:42 ksxxxxxx postfix/submission/smtpd[124840]: warning: hostname eachfouled.net does not resolve to address 185.28.39.65
Jun 2 11:01:42 ksxxxxxx postfix/submission/smtpd[124840]: connect from unknown[185.28.39.65]
Jun 2 11:01:42 ksxxxxxx postfix/submission/smtpd[124840]: disconnect from unknown[185.28.39.65] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jun 2 11:02:01 ksxxxxxx CRON[124855]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 11:02:47 ksxxxxxx dovecot: imap-login: Login: user=webologix.com>, method=PLAIN, rip=188.79.222.48, lip=x.x.x.x, mpid=124906, TLS, session=
Jun 2 11:03:01 ksxxxxxx CRON[124911]: (root) CMD (/usr/local/rtm/bin/rtm 25 > /dev/null 2> /dev/null)
Jun 2 11:03:08 ks307144 auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 11:03:08 ks307144 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kmc@webologix.com rhost=188.79.222.48
Jun 2 11:03:23 ks307144 sshd[124966]: User root from 192.153.57.7 not allowed because not listed in AllowUsers
Jun 2 11:03:23 ks307144 sshd[124966]: Received disconnect from 192.153.57.7 port 47060:11: Bye Bye [preauth]
Jun 2 11:03:23 ks307144 sshd[124966]: Disconnected from invalid user root 192.153.57.7 port 47060 [preauth]
Jun 2 11:04:01 ks307144 CRON[124970]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:04:01 ks307144 CRON[124970]: pam_unix(cron:session): session closed for user root
Jun 2 11:05:02 ks307144 CRON[125023]: pam_unix(cron:session): session opened for user getmail(uid=5001) by (uid=0)
Jun 2 11:05:02 ks307144 CRON[125022]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:05:02 ks307144 CRON[125023]: pam_unix(cron:session): session closed for user getmail
Jun 2 11:05:02 ks307144 CRON[125022]: pam_unix(cron:session): session closed for user root
Jun 2 11:06:01 ks307144 CRON[125115]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:06:01 ks307144 CRON[125115]: pam_unix(cron:session): session closed for user root
Jun 2 11:07:01 ks307144 CRON[125166]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:07:01 ks307144 CRON[125166]: pam_unix(cron:session): session closed for user root
Jun 2 11:08:01 ks307144 CRON[125217]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:08:01 ks307144 CRON[125217]: pam_unix(cron:session): session closed for user root
Jun 2 11:09:01 ks307144 CRON[125394]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:09:01 ks307144 CRON[125395]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:09:01 ks307144 CRON[125395]: pam_unix(cron:session): session closed for user root
Jun 2 11:09:01 ks307144 CRON[125394]: pam_unix(cron:session): session closed for user root
Jun 2 11:10:01 ks307144 CRON[125695]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun 2 11:10:01 ks307144 CRON[125696]: pam_unix(cron:session): session opened for user getmail(uid=5001) by (uid=0)
Jun 2 11:10:01 ks307144 CRON[125696]: pam_unix(cron:session): session closed for user getmail
```
You can see my successful attempt at 10:53:45 from IP 188.79.222.48, where I ran the test.
Then I made 5 successive attempts that were rejected, starting at 11:04:26.
There is no trace of these rejections in the logs between 11:04 and 11:10 (?)
On the other hand you can see 3 rejections of IP 188.79.222.48 by dovecot between 11:00:39 and 11:02:45, probably caused by my MTA trying to access my mail, because this IP is not part of /etc/postfix/main.cf:mynetworks.
Is it possible that the Dovecot/postfix rejection causes the SSH rejection?
Is there another way than /etc/postfix/main.cf:mynetworks to restrict email relaying (with my public key, for example)?
On the other hand you can see 3 rejections of IP 188.79.222.48 by dovecot between 11:00:39 and 11:02:45, probably caused by my MTA trying to access my mail, because this IP is not part of /etc/postfix/main.cf:mynetworks.
Hello,
Fail2ban bans the IP address, not just the attacked port.
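The reply above is the key to the thread, and the first post already shows why: the `f2b-pam-generic` chain is hooked on INPUT with no port restriction, and its rules are `REJECT ... reject-with icmp-port-unreachable`, which an SSH client reports as "Connection refused". A ban placed there is applied by netfilter before sshd ever sees the packet, which is why the blocked attempts leave nothing in auth.log. The example below is added here and is not code from the thread: it counts authentication failures per client IP across every service (PAM failures from dovecot, sshd's own refusals, Postfix SASL failures) the way a jail with a `findtime`/`maxretry` window does, so you can see which service pushed an address over the limit. The log lines are constructed, modelled on the ones posted (hostnames and mailbox names are placeholders), and the `maxretry=3` default is an assumption about the poster's jail.

```python
"""Added example, not code from the thread: count authentication failures per
client IP across sshd, dovecot and postfix the way a fail2ban jail does
(maxretry failures within findtime), to see which service pushed an IP over
the limit.  The log lines below are constructed, modelled on the posted ones;
hostnames and mailbox names are placeholders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jun  2 10:53:45 host sshd[124324]: Accepted publickey for me from 188.79.222.48 port 55276 ssh2: RSA SHA256:abc
Jun  2 11:00:44 host auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rctr1 rhost=111.67.53.7
Jun  2 11:00:48 host postfix/smtps/smtpd[124769]: warning: client.example.net[111.67.53.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  2 11:01:01 host CRON[124785]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jun  2 11:01:55 host sshd[124841]: User root from 45.55.165.48 not allowed because not listed in AllowUsers
Jun  2 11:02:45 host auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=inf@example.com rhost=188.79.222.48
Jun  2 11:03:08 host auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me@example.com rhost=188.79.222.48
Jun  2 11:03:40 host auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tmp@example.com rhost=188.79.222.48
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
# pam_unix failures cover every PAM-backed service (dovecot here).  This is the
# shape fail2ban's pam-generic filter keys on, and the posted iptables listing
# shows that jail's chain with no port restriction at all.
PAM_RE = re.compile(r"pam_unix\((\w+):auth\): authentication failure;.*rhost=" + IP)
SSHD_RE = re.compile(r"sshd\[\d+\]: (?:Invalid user \S+ from|User \S+ from"
                     r"|Failed \S+ for (?:invalid user )?\S+ from) " + IP)
SASL_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[\d+\]: warning: \S+\[" + IP
                     + r"\]: SASL \w+ authentication failed")


def classify(line):
    """Return (service, client_ip) for an authentication failure line, else None."""
    m = PAM_RE.search(line)
    if m:
        return m.group(1), m.group(2)
    m = SSHD_RE.search(line)
    if m:
        return "sshd", m.group(1)
    m = SASL_RE.search(line)
    if m:
        return "postfix", m.group(1)
    return None


def parse_failures(log_text, year=2021):
    """List of (timestamp, service, ip).  Syslog lines carry no year, so one is assumed."""
    failures = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        hit = classify(line)
        if ts and hit:
            when = datetime.strptime(f"{year} {ts[1]} {ts[2]} {ts[3]}", "%Y %b %d %H:%M:%S")
            failures.append((when, hit[0], hit[1]))
    return failures


def bans(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """{ip: (ban_time, [services])} for every IP reaching maxretry failures
    inside findtime.  The defaults are assumptions; read the real ones with
    `fail2ban-client get pam-generic maxretry` and `... findtime`."""
    recent = defaultdict(list)          # ip -> [(time, service)] still inside findtime
    banned = {}
    for when, service, ip in sorted(failures):
        if ip in banned:
            continue                    # already rejected at the netfilter level
        recent[ip] = [(t, s) for t, s in recent[ip] if when - t <= findtime]
        recent[ip].append((when, service))
        if len(recent[ip]) >= maxretry:
            banned[ip] = (when, sorted({s for _, s in recent[ip]}))
    return banned


if __name__ == "__main__":
    for ip, (when, services) in bans(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: banned at {when:%H:%M:%S} after failures in {', '.join(services)}")
```

Run against the constructed sample, the travelling IP is the only one banned, and only because of the three dovecot failures; sshd never contributed a line. On the server itself, `fail2ban-client status pam-generic` lists the currently banned addresses and `fail2ban-client set pam-generic unbanip 188.79.222.48` lifts one; `ignoreip` in jail.local only helps for a fixed home address, so the durable fix is to stop whatever is producing the dovecot failures from the travel IP.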
In my postfix config I see:
```
grep smtpd_relay_restrictions /etc/postfix/*.cf
/etc/postfix/main.cf:smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
```
Shouldn't permit_sasl_authenticated let me connect whatever my IP is?
Dumb question: what Postfix calls "SASL authenticated", what is that called on my MTA's side (Thunderbird), STARTTLS or SSL/TLS?
SASL authenticated in Postfix
Postfix does not handle SASL itself, it delegates that to another process (saslauthd for example)
but as far as mail is concerned, Postfix supports SSL (port 465) and TLS (port 587)
A TLS connection starts in the clear, so if there is no STARTTLS command in the SMTP conversation, authentication could happen in the clear if that is allowed in the main.cf settings (or master.cf, I don't remember which).
Yes, but does a TLS connection satisfy the permit_sasl_authenticated condition?
TLS connection
TLS secures the confidentiality of the communication.
That does not mean you are authenticated within that TLS communication.
I don't think I can help you any further.
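To settle the two questions in the exchange above (does permit_sasl_authenticated work from any IP, and does TLS alone count), the following added example, not code from the thread or from Postfix, models how Postfix walks `smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination` in order, and scripts the port-587 dialogue a Thunderbird-like client holds with it. It also decodes the `UGFzc3dvcmQ6` token from the posted `SASL LOGIN authentication failed` lines. The networks, domains and credentials are placeholders standing in for the poster's main.cf.

```python
"""Added example, not code from the thread: a model of how Postfix evaluates
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination, plus the SASL encodings a client sends.  TLS changes
none of the inputs to that decision.  All values below are placeholders."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed stand-ins for the poster's main.cf and SASL backend.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]
LOCAL_DOMAINS = {"example.com"}
VALID_CREDS = {"me@example.com": "s3cret"}   # what saslauthd / dovecot would verify


@dataclass
class Session:
    client_ip: str
    tls: bool = False                        # STARTTLS on 587 or implicit TLS on 465
    sasl_username: Optional[str] = None      # set only after the server answered 235


def relay_decision(sess: Session, rcpt_domain: str) -> str:
    """First matching restriction wins, in the order listed in main.cf."""
    ip = ipaddress.ip_address(sess.client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "OK (permit_mynetworks)"
    if sess.sasl_username:                   # sess.tls is never consulted here
        return "OK (permit_sasl_authenticated)"
    if rcpt_domain in LOCAL_DOMAINS:         # mail addressed to us is not relaying
        return "OK (local destination)"
    return "DEFER (defer_unauth_destination)"


def auth_plain(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def decode_sasl_token(token: str) -> str:
    """Postfix logs the last SASL challenge it sent after 'authentication failed:'.
    'UGFzc3dvcmQ6' decodes to 'Password:', i.e. the client hung up at that prompt."""
    return base64.b64decode(token).decode()


def submission_exchange(client_ip, rcpt, creds=None, starttls=True):
    """Script a port-587 dialogue and return (transcript, relay verdict)."""
    sess = Session(client_ip)
    t = ["S: 220 mail.example.com ESMTP Postfix", "C: EHLO laptop"]
    if starttls:
        t += ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
              "C: <TLS handshake>", "C: EHLO laptop"]
        sess.tls = True
    if creds:
        user, password = creds
        t.append(f"C: AUTH PLAIN {auth_plain(user, password)}")
        if VALID_CREDS.get(user) == password:
            t.append("S: 235 2.7.0 Authentication successful")
            sess.sasl_username = user        # this, not TLS, is "sasl authenticated"
        else:
            t.append("S: 535 5.7.8 Error: authentication failed")
    t += ["C: MAIL FROM:<me@example.com>", f"C: RCPT TO:<{rcpt}>"]
    verdict = relay_decision(sess, rcpt.rsplit("@", 1)[1])
    t.append("S: 250 2.1.5 Ok" if verdict.startswith("OK")
             else "S: 454 4.7.1 Relay access denied")
    return t, verdict


if __name__ == "__main__":
    transcript, verdict = submission_exchange(
        "198.51.100.7", "friend@other.example", creds=("me@example.com", "s3cret"))
    print("\n".join(transcript))
    print(verdict)
```

In Thunderbird terms: "Connection security: STARTTLS" (587) or "SSL/TLS" (465) sets `sess.tls`; "Authentication method: Normal password" is what issues the `AUTH` command and, on a 235 reply, sets `sess.sasl_username`. Only the latter satisfies `permit_sasl_authenticated`, and it does so from any client address, so `mynetworks` never needs to contain a travel IP.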