How do I prevent brute force SSH attacks on MacOS?

I'm not running any special server OS, just the default MacOS 10.15 SSH daemon, with port 22 forwarded.

I looked in my system.log and found these entries during the middle of the night (when no known user was using the system):

Dec 26 01:51:39 com.apple.xpc.launchd[1] (com.openssh.sshd...) Service exited with abnormal code: 255
Dec 26 01:51:56 com.apple.xpc.launchd[1] (com.openssh.sshd...) Service exited with abnormal code: 255
Dec 26 01:52:04 com.apple.xpc.launchd[1] (com.openssh.sshd...) Service exited with abnormal code: 255
Dec 26 01:52:13 com.apple.xpc.launchd[1] (com.openssh.sshd...) Service exited with abnormal code: 255
Dec 26 01:52:20 com.apple.xpc.launchd[1] (com.openssh.sshd...) Service exited with abnormal code: 255
... > 800 more

Is this the trace of a brute force attempt? How can I secure against brute force attempts with the vanilla MacOS SSH daemon?

Answer 1

This log message typically shows up when sshd denies a connection. You're probably seeing unauthorized users trying to brute force their way in by trying common usernames and passwords. There used to be a log entry from sshd itself telling you the IP address and username attempted, but Apple has decided to replace standard UNIX logging in sshd.

I suggest that you port-forward some other port from the router, for example router port 2222 forwarded to 22, and close port 22 of the router.

You should examine carefully all open ports on the router (GRC ShieldsUP! is a good tester). As you are under attack, don't use trivial passwords or standard user names for SSH.

Answer 2

Fail2Ban can frustrate brute force attacks.

A more comprehensive solution is to stop forwarding SSH and install a VPN server. To reach the SSH connection externally people need to first connect over VPN. This is a more complex but also more robust and flexible model.

As others have said, requiring passphrases helps (also disallow root logins) but won't stop these messages. (Although I'm not a fan, changing the port can help a bit as well.)
