2

I have a CentOS 7 server with 2 NICs, one inside the LAN with a private IP 192.168.1.1 (lan0) and one with a public internet IP (ppp0).

For connections originating from inside the LAN I want password or public key authentication to be available.

For connections originating from the internet, I want public key only. I've done this like so in /etc/ssh/sshd_config

```
PasswordAuthentication no
```

And then the last lines are:

```
Match address 192.168.1.0/24
    PasswordAuthentication yes
```

So to test, I log on to another machine I have, which is a VPS on the internet, and try to ssh in. As expected I get this:

Permission denied (publickey). 

But what I'm not understanding is why my /var/log/secure is filled with brute force attempts like this: (IPs changed)

```
Apr 22 09:57:36 linuxhost1 sshd[15149]: input_userauth_request: invalid user webmaster [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15149]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15151]: Invalid user webmaster from a.b.c.d
Apr 22 09:57:36 linuxhost1 sshd[15151]: input_userauth_request: invalid user webmaster [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15151]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15153]: Invalid user webpop from a.b.c.d
Apr 22 09:57:36 linuxhost1 sshd[15153]: input_userauth_request: invalid user webpop [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15153]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15155]: Invalid user web from a.b.c.d
Apr 22 09:57:36 linuxhost1 sshd[15155]: input_userauth_request: invalid user web [preauth]
Apr 22 09:57:36 linuxhost1 sshd[15155]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
Apr 22 09:57:37 linuxhost1 sshd[15157]: Invalid user william from a.b.c.d
Apr 22 09:57:37 linuxhost1 sshd[15157]: input_userauth_request: invalid user william [preauth]
Apr 22 09:57:37 linuxhost1 sshd[15157]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
Apr 22 09:57:37 linuxhost1 sshd[15159]: Invalid user windowserver from a.b.c.d
Apr 22 09:57:37 linuxhost1 sshd[15159]: input_userauth_request: invalid user windowserver [preauth]
Apr 22 09:57:37 linuxhost1 sshd[15159]: Received disconnect from a.b.c.d: 11: Bye Bye [preauth]
```

How were these brute force attackers allowed to even input a username?

3
  • 2
    Possible duplicate of options override for openssh client configuration Commented Apr 22, 2016 at 9:59
  • What is your ssh protocol? Commented Apr 22, 2016 at 9:59
  • @Jakuje not a duplicate Commented Apr 22, 2016 at 11:41

2 Answers

2

How were these brute force attackers allowed to even input a username?

You write the username on the command line (or the current one is used by default). You always need to input a username. You didn't block connections by this (there is firewalld or iptables for that), but only password authentication.

For people who want more details, there is RFC 4252, section 5, which describes the SSH_MSG_USERAUTH_REQUEST message, which follows the key exchange. It has a field with the requested username. It is sent either when requesting password authentication, which will be rejected, when using pubkey authentication (which will get rejected too, unless your key gets stolen), or with none (section 5.2), which is basically a request to list available methods (and should be the first one tried).

8
  • Ok I will give that a try, but it does seem to work from another host as I mentioned in my OP: Verbose mode gives debug1: Authentications that can continue: publickey and Permission denied (publickey). Commented Apr 22, 2016 at 10:13
  • Ok. So it might work. Commented Apr 22, 2016 at 10:13
  • basically correct, but (1) username not needed on command line per se; (2) The default Match * is not necessary with sshd_config; non matching entries will use global configuration, (3) the relevant manual page is sshd_config (I have edited your answer) Commented Apr 22, 2016 at 11:46
  • @Otheus Yes, the relevant yes, but the quote is from the originally referenced. Never mind ... it is described also in the other ... Commented Apr 22, 2016 at 11:47
  • But Jakuje, these are two different configuration files. The quote from the sshd file is this: `If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.` That is, the global configuration will be used for no Match, and match * is unneeded. Commented Apr 22, 2016 at 12:00
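The exchange the first answer points to in RFC 4252, as an added example that is not part of the original answers: a Python sketch of the SSH_MSG_USERAUTH_REQUEST and SSH_MSG_USERAUTH_FAILURE payloads, showing that the user name is carried in every request (including the `none` probe) before the server answers with the methods it still accepts. The helper names and sample payloads are constructed for illustration; on the wire these messages sit inside the encrypted transport.

```python
import struct

SSH_MSG_USERAUTH_REQUEST, SSH_MSG_USERAUTH_FAILURE = 50, 51  # RFC 4252 numbers

def ssh_string(data: bytes) -> bytes:  # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Return (value, next_offset); reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_userauth_request(user: str, method: str, extra: bytes = b"") -> bytes:
    """byte 50, string user, string service, string method, method fields."""
    head = bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode("utf-8"))
    return head + ssh_string(b"ssh-connection") + ssh_string(method.encode("ascii")) + extra

def parse_userauth_request(payload: bytes) -> dict:
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    return {"user": user.decode("utf-8", "replace"),
            "service": service.decode("ascii", "replace"),
            "method": method.decode("ascii", "replace"),
            "method_fields": payload[off:]}

def build_userauth_failure(methods, partial_success=False) -> bytes:
    """byte 51, name-list of methods that can continue, boolean partial success."""
    names = ssh_string(",".join(methods).encode("ascii"))
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + names + bytes([1 if partial_success else 0])

def parse_userauth_failure(payload: bytes):
    if not payload or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    names, off = read_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing partial-success flag")
    return (names.decode("ascii").split(",") if names else []), payload[off] != 0

# Constructed payloads (plaintext message bodies, not captured traffic).
probe = build_userauth_request("webmaster", "none")
pw_try = build_userauth_request("webmaster", "password", b"\x00" + ssh_string(b"example"))
reply = build_userauth_failure(["publickey"])  # server reply when passwords are off
```

Parsing `probe` yields the user name even though no credential was offered, which is what sshd records as `Invalid user ... [preauth]`; `reply` corresponds to the `Authentications that can continue: publickey` line a client prints in verbose mode.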
1

The public key authentication is per user. You need a username, and your key. In fact, you can actually log in to two different users on the same server using the same key.

If you're trying to ssh [email protected] (with or without a valid key), you'll also get "Permission denied", plus the error shows up in the server's log.

So, this behaviour is intentional and actually doesn't have anything to do with the public key authentication itself.
