No SSH access from external net with putty


#24

That’s a bit strange, since it has clearly been modifoed.

If you are happy to have a password-based logon, I’ll post an unmodified version for you.


#25

I agree. Thank you for your help


#26
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation sandbox

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

#Use safest ciphers and algorithms in priority
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no

This one was taken from OSMC 2017.07. I checked it over and don’t think it has been modified from the original.


#27

In fact my complete file is like this, I have not copied all the lines in my previous message.

How can i obtain your file confilg in my system. I can’t do copy past from Window to Nano sshd_config

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

The default requires explicit activation of protocol 1

#Protocol 2

HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h
#ServerKeyBits 1024

Logging

obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH
#LogLevel INFO

Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

similar for protocol version 2

#HostbasedAuthentication no

Change to yes if you don’t trust ~/.ssh/known_hosts for

RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

Don’t read the user’s ~/.rhosts and ~/.shosts files


#28

It should be possible with shift+ins keys.

Edit: and sudo before nano.


#29

It’s less than 3 KB in side? What’s the problem?


#30

If OP has been exposing port 22 with default user/pass, it is HIGHLY LIKELY that his installation has been compromised, therefore, now his entire LAN and everything connected to it is compromised/at risk. This should be the first determination that is made here.


#31

Shift + Ins is ok to copy in nano :).
Yes i suppose my system has been hacked


#32

You should be immediately shutting this system down, closing port 22 on your router, and reinstalling from scratch. Everything connected to your router (maybe even your router) is currently at risk, if not already compromised…


#33

Port 22 is closed on my router since severals monthes, but it has been open in the past.


#34

But this is really irrelevant now. If you made none of these changes, then someone did! The system is compromised. It can never be trusted. The bad actor could have a tunnel with which he still has access to every system on your LAN.


#35

I second that. If that sshd_config file you showed in the beginning was yours, someone has messed with your system and uses it probably as a remote drone for something.
What you should definitely do, is reinstall it from scratch and secure it. That is the only way to be sure.