This particular attack made 142 separate attempts with various names and passwords. All failed, but it is annoying to keep seeing someone trying to break in, even if they don't succeed.Nov 26 10:24:26 myserver sshd: Illegal user staff from ::ffff:18.104.22.168 Nov 26 10:24:30 myserver sshd: Illegal user sales from ::ffff:22.214.171.124 Nov 26 10:24:34 myserver sshd: Illegal user recruit from ::ffff:126.96.36.199 Nov 26 10:24:37 myserver sshd: Illegal user alias from ::ffff:188.8.131.52 Nov 26 10:24:44 myserver sshd: Illegal user office from ::ffff:184.108.40.206 Nov 26 10:24:49 myserver sshd: Illegal user samba from ::ffff:220.127.116.11 Nov 26 10:24:55 myserver sshd: Illegal user tomcat from ::ffff:18.104.22.168 Nov 26 10:24:58 myserver sshd: Illegal user webadmin from ::ffff:22.214.171.124 Nov 26 10:25:02 myserver sshd: Illegal user spam from ::ffff:126.96.36.199 Nov 26 10:25:06 myserver sshd: Illegal user virus from ::ffff:188.8.131.52 Nov 26 10:25:11 myserver sshd: Illegal user cyrus from ::ffff:184.108.40.206 Nov 26 10:25:14 myserver sshd: Illegal user oracle from ::ffff:220.127.116.11 Nov 26 10:25:18 myserver sshd: Illegal user michael from ::ffff:18.104.22.168 Nov 26 10:25:20 myserver sshd: Illegal user ftp from ::ffff:22.214.171.124 ...
The article will show you, step-by-step, how to set up such a system that will allow you to log in to remote SSH servers without a password. Because there are subtle differences between systems, I am going to give instructions for the following case.
The 'strength' of a key is related to the numbers of bits in it, and the type of algorithm used to generate it. The number of bits in the key is specified with the -b switch and the algorithm type with the -t switch. We will generate a very secure 4096 bit key of the RSA type with the command:
ssh-keygen -b 4096 -t rsaIssue this command in a Cygwin window. You'll get the following sequence in response.
Generating public/private rsa key pair. Enter file in which to save the key (/home/cyguser/.ssh/id_rsa):If you hit enter above, the key (or the 'identity' as it is called) will be placed in a file called id_rsa in the directory /home/cyguser/.ssh on your machine. I chose to give the key a different name and location at this point, so I entered /home/cyguser/.ssh/mykey_id_rsa. Note that I had to specify the full path as well as the new name of the key file.
Enter passphrase (empty for no passphrase):You need to enter a passphrase for your key. This - like a normal password - should be memorable for you but not easily guessable. The usual rules of good password choice apply.
Enter same passphrase again:Enter the same passphrase again to make sure you haven't made a mistake typing it.
Your identification has been saved in /home/cyguser/.ssh/mykey_id_rsa. Your public key has been saved in /home/cyguser/.ssh/mykey_id_rsa.pub The key fingerprint is: 88:73:35:64:2b:99:a5:bb:4e:8e:32:8e:4e:ba:a0:74 cyguser@machinenameThis tells you where your new keys are, as well as the fingerprint, which is a condensed code you can use to find or check a key. No need to worry about that at this stage.
If you look in the directory /home/cyguser/.ssh at this point you'll see two new files, mykey_id_rsa and mykey_id_rsa.pub. The one ending in .pub is your public key, and is the one you will distribute to other machines, etc. The mykey_id_rsa file with no extension is your secret key (or 'identity') and must be guarded carefully. Absolutely do not distribute it or allow anyone else access to it.
The public key file mykey_id_rsa.pub should be copied from your client machine to the .ssh directory of the user account you would like to access on the remote machine. For example, if you would like to use your key to access the account of user richard on the remote machine, copy the public key file to the directory /home/richard/.ssh.
The copied file has to be renamed at the remote machine. Instead of mykey_id_rsa.pub it has to be called authorized_keys2. If the authorized_keys2 file does not already exist in the remote directory, simply copy the file and rename it. If there is already an authorized_keys2 file, you need to append the new key information to it rather than overwriting it.
RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys ChallengeResponseAuthentication noThe AuthorizedKeysFile line tells SSH where to look for the public keys it needs, and ChallengeResponseAuthentication tells it to no longer allow authentication with a password (also known as 'challenge-response').
After you have modified the sshd_config file, be sure to restart the SSH server with /etc/init.d/ssh restart.
Here's the conventional prompt you will see if you are authenticating using a password (the normal method, in other words).
ssh -l richard myremote.machine.net Password:Try the same command again, but now your attempt should be rejected.
ssh -l richard myremote.machine.net Permission denied (publickey).If you don't see this, but instead are still allowed to log in using the password as before, it is likely you forgot to set ChallengeResponseAuthentication to 'no' in sshd_config, and/or restart SSH after making the change to the configuration.
Our new login command is:
ssh -i ~/.ssh/mykey_id_rsa -l richard myremote.machine.netand now we will be asked to authenticate using the password we chose earlier when we generated the key.
ssh -i ~/.ssh/mykey_id_rsa -l richard myremote.machine.net Enter passphrase for key '/home/cyguser/.ssh/mykey_id_rsa':If you enter the passphrase, you'll be logged in as normal.
It turns out we can use WinSCP with keys just as well as with passwords, although there is a little more work to do because the format WinSCP uses for its keys is different from that used by OpenSSH. In fact, this is more a problem with SSH Version 2 than anything else, and has to do with the lack of a standard for the way keys can be stored.
WinSCP stores its keys in a different format to that used by OpenSSH. Because of this, we have to import our SSH keys into WinSCP and then export them again in 'WinSCP' format. This is done using the PuTTY Key Generator, PuTTYgen, which will have been installed along with WinSCP if you performed a full install using an installation package.
To convert a key to WinSCP's format, start PuTTYgen and select Import key from the Conversions menu. Locate the file containing your private key: in our example this is the file mykey_id_rsa in the directory /home/cyguser/.ssh. PuTTYgen will then ask you for the passphrase for the key. If you give it correctly, the key will be imported and you will it displayed in the main PuTTYgen window. At this point it is a good idea to change the 'Key comment' field to something a little more meaningful than 'imported-openssh-key'. I give a short hint about the key and its purpose, for example, 'My work key' or something equally descriptive.
To write out the new key in WinSCP/PuTTY format, press the Save private key button. Although you can choose any name for the new file at this point, I usually give it the same one as the original key, since PuTTY will give it a different extension anyway (.ppk). Once this is done you can close the PuTTYgen program.
If you now look at the contents of the /home/cyguser/.ssh directory you will see a new file, mykey_id_rsa.ppk, which is the WinSCP-compatible private key file.
The key agent program is called Pageant, and we will want to add our newly-converted key, mykey_id_rsa.ppk, to it.
If Pageant is not running, start it. If it is running, there should be a little 'computer with a hat' icon in your tray. Double-click it to open the Pageant Key List window. In this window will be shown the other keys you may have added previously, if any. To add your new key, press the Add Key button, navigate to and select the key file mykey_id_rsa.ppk, You will once again be asked for the passphrase associated with the key. If entered correctly, the key will be added to the list, with its comment visible at the end. You can see why changing the comment from the default is a good idea, as it helps you easily see if Pageant has the right key(s) available for use.
Once you have made and saved your profile, try and use it to login. It should be successful, and if so, welcome to a new level of security and convenience for your SSH connections!