SSH brute force attacks
#1
Hello,

If I setup a SSH connection simply using the password, with a numerical passwordof 8 digits it will be very easily crackable right? If I let port 22 open on the pine phone, and I connect to another wifi than my lan, or to 4g, will my device be vulnerable to brute force attacks?
  Reply
#2
There is a risk, no doubt.
Nevertheless you could mitigate it using a firewall (don't allow ssh via interface "wwan*") and/or fail2ban.
If you need ssh only when connected w/ home WiFi, you could work with hosts.deny, see https://www.recitalsoftware.com/blogs/17...r-username . This approach leaves your ssh open when connected to another WiFi which uses the same IP range.
You could also stop the ssh service when not required.
  Reply
#3
(06-19-2022, 05:27 AM)jsch Wrote: There is a risk, no doubt.
Nevertheless you could mitigate it using a firewall (don't allow ssh via interface "wwan*") and/or fail2ban.
If you need ssh only when connected w/ home WiFi, you could work with hosts.deny, see https://www.recitalsoftware.com/blogs/17...r-username . This approach leaves your ssh open when connected to another WiFi which uses the same IP range.
You could also stop the ssh service when not required.

Thanks, I will evaluate those solution, howto know if I have been hacked that way?
  Reply
#4
I set mine up so only key-based login is accepted, and (via the firewall) only from RFC1918 addresses. (I have IPV6 completely firewalled off since I currently have no need to use it.)

If someone breaks in and just pokes around that can be difficult to detect. You can check your logs for suspicious entries. The default setup in Mobian is for systemd logs rather than traditional text logs, so they need to be viewed with journalctl. (Also once someone gets in and they gain root access they can purge the log.)

https://betterstack.com/community/guides...ournalctl/

There is also software available to detect root kits if someone breaks in and installs malware.

https://vitux.com/how-to-scan-a-debian-s...-rkhunter/

https://www.tecmint.com/scan-linux-for-m...-rootkits/
  Reply
#5
This is covered in the mobian wiki.

https://wiki.mobian-project.org/doku.php...o:security
  Reply
#6
(06-20-2022, 01:42 AM)wibble Wrote: This is covered in the mobian wiki.

https://wiki.mobian-project.org/doku.php...o:security

Indeed, I tried that but sure I made something wrong.
All those commands of "Using SSH with a key instead of password" are to be made on the pp, or some in the pc?
  Reply
#7
(06-20-2022, 03:42 AM)user641 Wrote: Indeed, I tried that but sure I made something wrong.
All those commands of "Using SSH with a key instead of password" are to be made on the pp, or some in the pc?

You generate the keys on your PC and copy them to the Pinephone - are you running Linux, or is it Windows using something like putty as an ssh client? The method of generating keys is going to be different depending your operating system. If you're running Linux here are some simple step-by-step instructions:

https://www.ibm.com/support/pages/config...t-password

(The above is for Red Hat but should be the same for virtually any Linux distribution you have running on your PC.)
  Reply
#8
I see now how those instructions could be confusing if you're not already familiar with ssh. You need to generate the public/private key pair on whichever machine you want to ssh from (your desktop, laptop etc.) then copy the public key into the user's ~/.ssh/authorized_keys file on the phone. The example uses ssh-keygen to generate the keys, and ssh-copy-id to copy it via the existing (password based) ssh route. This assumes you're using linux or other *nix-compatible system where these commands are available - I think this may also include WSL/WSL2 on Windows but I don't have experience with that. PuTTY does things a bit differently IIRC - it's some years since I used it, but I remember a web search finding suitable instructions fairly easily. That may be helped by already knowing what I was looking for though. Once you've configured the use of keys it should 'Just Work' so you can test it before changing anything on the server (phone) end. Once you now it's working you can change the /etc/ssh/sshd_config on the PinePhone to disable PasswordAuthentication and optionally change the port, then restart the server so it uses the new settings.
  Reply
#9
I am using linux, I see I made a lot of mistakes trying to do that. I generated the keys on my phone lol
  Reply
#10
I've updated the wiki entry - please report back if it's still confusing or you find anything wrong.
  Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)