Comments (29)
Thanks for the report @pascalandy and sorry for such a late reply, but f_firewall is present as function f_firewall in https://github.com/konstruktoid/hardening/blob/master/scripts/02_ufw. Regarding the naming: functions can't be numbers, since that's not a valid identifier.
Please increase MaxAuthTries (https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L25-L29) and see if the problem persists.
from hardening.
Alright, I thought this project was creating a new user somewhere along the line. So all my
Authorized users only. All activity may be monitored and reported.
Received disconnect from 123.123.123.12: 2: Too many authentication failures
maybe due to the fact I was using root :-p Will let you know!

Looks like https://github.com/konstruktoid/hardening/blob/master/ubuntu.sh#L24 should call https://github.com/konstruktoid/hardening/blob/master/scripts/02_ufw
Curious to know why the names are different.
I'm actually provisioning new machines.
I think you should use branches to develop feature and ensure master is always your golden copy :)
Same error.
Authorized users only. All activity may be monitored and reported.
Received disconnect from 123.123.123: 2: Too many authentication failures
I also saw a few errors when the scripts started:
[12] /etc/hosts.allow and /etc/hosts.deny
[13] /etc/issue
[14] /etc/login.defs
[15] /etc/sysctl.conf
./scripts/13_sysctl: line 12: /sys/module/nf_conntrack/parameters/hashsize: No such file or directory
[1] /etc/security/limits.conf
[2] /etc/adduser.conf and /etc/default/useradd
[3] root access
[4] Installing base packages
./scripts/17_packages: line 4: dmidecode: command not found
./scripts/17_packages: line 8: dmidecode: command not found
Selecting previously unselected package acct.
(Reading database ... 25242 files and directories currently installed.)
Preparing to unpack .../acct_6.5.5-2.1ubuntu1_amd64.deb ...
Unpacking acct (6.5.5-2.1ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu19) ...
Setting up acct (6.5.5-2.1ubuntu1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
It's sad as I would love to use your template. I really enjoy the way you organized this project. Keep up the good work.
Cheers!
Hi again @pascalandy, I find it odd you're missing nf_conntrack/parameters/hashsize and dmidecode. Could you provide more details about the machines you are provisioning?
And regarding branches; you're absolutely right, I've just been lazy when it comes to my own repositories. Will start a develop branch right away.

Using the Vagrantfile for testing, I'm not having any issues with nf_conntrack/parameters/hashsize or dmidecode on Xenial, Zesty, Yakkety or Artful.

I know there are always little subtle differences between cloud providers that break my scripts. I'm not using Ansible or Terraform at this point.
As I said, I provision bare-metal servers on packet.net (type 0). If you want, I would be glad to do a live session with you. We could provision machines on the spot and test till we find the issue.
I use a standard Ubuntu 16.04 fresh install each time. Packet is known to have fresh images.

Adding a test for nf_conntrack/parameters/hashsize or dmidecode being missing.
Just to verify, can you check if the nf_conntrack kernel module is loaded?

Tests added and dmidecode replaced with dmesg; e5d51ab
Not sure if I should do something here.
Any failures after e5d51ab?
And nf_conntrack/parameters/hashsize is only present if the nf_conntrack module is loaded.

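The two script failures quoted earlier in this thread (a missing /sys/module/nf_conntrack/parameters/hashsize and a missing dmidecode binary) share one fix: test before you write or call. A module parameter file under /sys/module exists only while that module is loaded, and a tool can simply be absent from a minimal image. The following is an added example written for this thread, not code from the konstruktoid/hardening scripts; the /proc/modules and /sys/module paths are parameters so the functions can be exercised against a scratch directory, and the hashsize value 65536 is an assumed illustration, not the project's setting.

```shell
#!/bin/sh
# Added example, not code from konstruktoid/hardening: "test before you write"
# for kernel module parameters and optional command-line tools.

# have_cmd NAME: true if NAME resolves in PATH (avoids "command not found").
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# module_loaded MODULE [PROC_MODULES]
# True if MODULE (underscore form, as /proc/modules lists it) is loaded.
module_loaded() {
    modules_file="${2:-/proc/modules}"
    [ -r "$modules_file" ] || return 1
    # each line of /proc/modules starts with the module name and a space
    grep -q "^$1 " "$modules_file"
}

# set_module_param MODULE PARAM VALUE [SYSFS_ROOT] [PROC_MODULES]
# Writes VALUE to SYSFS_ROOT/MODULE/parameters/PARAM only when the module is
# loaded and the parameter file exists and is writable.
# Exit status: 0 written, 2 module not loaded, 3 parameter file missing or
# read-only, 4 write failed.
set_module_param() {
    mod="$1"; param="$2"; value="$3"
    sysfs_root="${4:-/sys/module}"
    modules_file="${5:-/proc/modules}"
    target="$sysfs_root/$mod/parameters/$param"

    if ! module_loaded "$mod" "$modules_file"; then
        echo "skip: module $mod is not loaded" >&2
        return 2
    fi
    if [ ! -w "$target" ]; then
        echo "skip: $target is missing or not writable" >&2
        return 3
    fi
    printf '%s\n' "$value" > "$target" || return 4
    return 0
}

# Stand-alone use on a live host (as root): sh example.sh --apply
# 65536 is an assumed value for illustration, not the project's setting.
if [ "${1:-}" = "--apply" ]; then
    have_cmd dmidecode || echo "dmidecode not installed, skipping hardware query" >&2
    set_module_param nf_conntrack hashsize 65536 || echo "hashsize not applied (status $?)" >&2
fi
```

The distinct exit codes matter for a hardening run: a caller can log "module not loaded" as informational (nothing to tune on a host that never loads nf_conntrack) while treating a failed write as a real error, instead of the whole script printing "No such file or directory" and carrying on.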
OK, will try!

Same error. Btw I use root to login. Is it ok?
> ➜ _infra git:(2.05) ssh root@$IP_PUBL_NODE_21 -p22;
Authorized users only. All activity may be monitored and reported.
Received disconnect from 123.123.123.12: 2: Too many authentication failures
Disconnected from 123.123.123.12
No, root is not allowed to log in.
https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L11

Ok. In this case, which user should I use?
It's all about how you provision your servers. root should never be allowed to log in and can be locked (https://github.com/konstruktoid/hardening/blob/master/scripts/36_lockroot); create a user and use sudo to gain superuser privileges instead. If not possible, change PermitRootLogin to yes in the sshd_config file and unlock the root user.

In /etc/ssh/sshd_config I changed PermitRootLogin no to PermitRootLogin yes and I'm still locked down.
EDIT: I also tried to bypass https://raw.githubusercontent.com/konstruktoid/hardening/master/scripts/36_lockroot, same result.

Does it work if you create a normal user and try to connect?
I did start to create a user but then many things break ... At this point I can't confirm.

What did break?
Since the root user shouldn't be allowed to remotely access a system or be used as a normal user, there are multiple configurations that need to be changed, e.g.:
https://github.com/konstruktoid/hardening/blob/master/scripts/16_rootaccess#L4
https://github.com/konstruktoid/hardening/blob/master/scripts/18_sshdconfig#L11
https://github.com/konstruktoid/hardening/blob/master/scripts/36_lockroot#L4

> What did break?
Mostly my existing scripts, ssh keys.

I see the 3 lines you point out are seds. Should I just delete those lines and root will stay untouched?

Without logs it's pretty tricky to pinpoint the exact cause of the failures.
I believe so, but consider not using the root account at all.
I'm OK with using root at the moment. Fully aware that I must move on with another user in the future.
I'll try #5 (comment)

Closing due to inactivity.
I faced a similar issue and I don't log in with root but with another custom user using certificate-based login.
SSH has a default behaviour of trying all ssh keys present in your default ~/.ssh/ folder before trying the one passed using the -i option. This tweet explains the issue and also has a solution which was helpful for me in solving the problem.
Posting it here just in case it helps anyone else who faces a similar issue in future.
Link: https://twitter.com/podalirius_/status/1422123401855049730

Thanks @rams3sh!
ssh -i ./keys/id_rsa [email protected] -v -o IdentitiesOnly=true is the TL;DR

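The "Received disconnect ... Too many authentication failures" message that runs through this thread comes from the server side: sshd counts every public key it rejects as one failed attempt and drops the connection once the count reaches MaxAuthTries (default 6). On the client side, ssh offers every key held by ssh-agent plus every configured identity (the built-in ~/.ssh/id_* list applies only when no IdentityFile or -i is given), and a key already loaded in the agent is generally tried before a key that exists only as a file, so a -i key can sit behind several rejected offers. IdentitiesOnly=yes restricts ssh to the configured files, which fixes the problem without loosening the server. The following is an added example for this thread, not code from the konstruktoid/hardening project or from the linked tweet; it estimates the number of keys a client will offer from a constructed `ssh-add -L` listing and constructed .pub files, reads MaxAuthTries from an sshd_config, and prints the ssh_config stanza that narrows the offer to one key. Key blobs such as AAAAC3key1 are placeholders.

```shell
#!/bin/sh
# Added example, not code from konstruktoid/hardening: estimate how many
# public keys an ssh client will offer and whether that exceeds the server's
# MaxAuthTries, the condition behind "Too many authentication failures".
# All paths are parameters so the functions can run against scratch files.

# max_auth_tries SSHD_CONFIG
# Prints the effective MaxAuthTries. sshd honours the first uncommented
# occurrence of a keyword; the default is 6 when it is absent.
# (Match blocks can override the value; they are not modelled here.)
max_auth_tries() {
    val=$(awk 'tolower($1) == "maxauthtries" { print $2; exit }' "$1")
    printf '%s\n' "${val:-6}"
}

# count_offered AGENT_LIST KEYFILE...
# AGENT_LIST is the output of `ssh-add -L` (one public key per line).
# ssh offers every agent key plus every configured identity file
# (-i / IdentityFile); an identity whose public key is already in the
# agent is offered once. A key file without a .pub beside it is counted as
# offered. Pass /dev/null as AGENT_LIST to model IdentitiesOnly=yes.
count_offered() {
    agent_list="$1"; shift
    n=$(grep -c . "$agent_list" 2>/dev/null || true)
    n=${n:-0}
    for key in "$@"; do
        if [ -r "$key.pub" ]; then
            # compare key type and blob only; the comment field may differ
            blob=$(awk '{ print $1 " " $2 }' "$key.pub")
            if awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$agent_list" 2>/dev/null; then
                continue   # already counted as an agent key
            fi
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# will_exceed SSHD_CONFIG AGENT_LIST KEYFILE...
# True when the intended key, if tried last, would come after MaxAuthTries
# rejected offers; sshd disconnects as soon as failures reach MaxAuthTries.
will_exceed() {
    cfg="$1"; shift
    [ "$(count_offered "$@")" -gt "$(max_auth_tries "$cfg")" ]
}

# identities_only_stanza HOST KEYFILE
# ssh_config block that restricts ssh to KEYFILE for HOST: the client-side
# fix, as opposed to raising MaxAuthTries on the server.
identities_only_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Stand-alone use against the live agent (listing written to a scratch file):
#   ssh-add -L > /tmp/agent.txt 2>/dev/null || : > /tmp/agent.txt
#   will_exceed /etc/ssh/sshd_config /tmp/agent.txt ~/.ssh/id_rsa \
#       && echo "would hit MaxAuthTries; add IdentitiesOnly yes"
```

Raising MaxAuthTries, as suggested earlier in the thread, also makes the symptom go away, but it gives every remote client more guesses per connection; pinning the identity with IdentitiesOnly keeps the server setting tight and only changes what the legitimate client sends.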