104
omom
6y

Da Fuck!?!
Yesterday I found some abnormal activity on my server, someone was trying to brute force my ssh as root since two days! Started raging and installed fail2ban (which automatically bans an IP if it fails to log X times and eventually sends me an email). Woke up this morning to find that a fucking Chinese guy/malware spent the whole night trying to brute Force me!
Fucking cunt! Don't you have any better to do!!
My key is a 32 characters long encrypted key, with the ban he can try 3 passwords /2 hours, good luck brute forcing it you bitch!

Comments
  • 25
    Also, in the second mail, 52.237.37.237 is a Microsoft corporate address, I'll send a mail to the abuse mail hoping that will solve it for this at least.. it's strange it try's to login with the account 'elconix' , what the fuck is wrong with you people seriously! Don't you have some shitty win11 to mess up
  • 7
    Also found that a there was a domain hooshyab.com or something pointing on my website, just why?!?!?!
  • 24
    better solution is to block SSH access unless from trusted IPs.
    Or atleast geo-lock it from the country you live in.

    Download a iptables list here:
    https://ip2location.com/blockvisito...

    change -j DROP into --dport 22 -j ACCEPT using search/replace

    remember to put fail2ban before if you still want to use it.
  • 3
    @DLMousey yeah I have a public domain + frontal website, but nothing interesting just a personal website.. moreover the whole thing is setup since 3 weeks.. still new
  • 4
    I usually create a VPN or another VM in lan, and only expose those services to the local address...

    If it's not an option, change to a non std port & reject requests from any but some trusted sources.
  • 10
    @lotd Its better to drop than reject, because with reject you tell theres something there. And better to do it via iptables rather than binding to specific interfaces.
  • 8
    What I would do is mod my ssh server to make it think it got in, capture what it typed and maybe fuck with it a bit lol
  • 6
    Lol gg inbox. I actually have had an experience with people trying to hack my ssh server. I had forwarded ports for a project in my home router so I am able to remote access it. This is all in my home, which makes me kinda wonder how did they even find the server. Anyway before forwarding my ports, I disabled root login and also added RSA {public ,private} key pair ALONG with passphrase. Now this should already be impossible as the attacker had no real information other than my ip and quite possibly my os.

    And this guy, from China I think, just tries to brute force it by trying the password list. I didn't realise till later when the log file got kinda large after a while and I found all of these messages about failed logins. I recognised the username and password lists from hydra, cause I had used it too before. Anyway I saw the pathetic attempt by that person who was most likely a script kiddie.
    Now I am not really a security expert, but I had a good laugh at that.
  • 3
    I failed to setup email sending, but just installed fail2ban and checked its logs and found two IPs from China trying to access my server >_>

    If possible I'd appreciate if someone points me to the correct way to configure sendmail for fail2ban :)
  • 2
    I also found an unbanned session from an IP in Italy >_>
    should I be worried :\
    checked active sessions and there is only one which is me. I checked sessions using: netstat -tnpa | grep 'ESTABLISHED.*sshd'
  • 6
    Bro thats completely normal?^^

    Like it's abnormal if it's less than 10 different russian adresses trying at once.😅
  • 0
    @localghost127 and what? Did you let him try again and again till when?
  • 1
    @gitpush I had sendmail configured, I just entered my destination mail + the sender mail (like fail2ban@theServerDomaineName or it will be spammed) and that's all..
  • 0
    @omom They just kinda gave up Midway. I discovered the logs a few hours that person stopped. And then I switched ports to a non standard one so my server was not as easily detectable
  • 2
    @omom strange I did the same, gonna try again and see, thanks man :)
  • 2
    it’s just what happens when your servers are accessible over the interweb
  • 2
    This is totally normal. Change the port and see 90% of that go away.
  • 2
    A few words of advice.

    1) use public key authentication.
    2) if you have to expose ssh externally, expose it on a port that isn’t port 22.
  • 2
    My NAS had daily brute force attacks before I removed it from the public internet. It banned at least 1 IP every day. It’s interesting how they find your IP.
  • 1
    This is common as bots continue non-stop. Deactivate root logins and give sudo access to your account. Bots will always attempt against root but won’t know your other account name
  • 1
    @zshh my theory is they attack dns servers and pull all of the last few queries. Maybe I am thinking too much here.
    What other source is there?
  • 2
    As dainty... did mention it. It's normal. Don't overreact. At least for a portfolio website. ;)
  • 1
    Disallow SSH as root user and su to root.
  • 1
    @zshh they run through different IP blocks testing ports until they get a hit. Which is why I disable ping on my box
  • 0
    Yeah that's what you get I'm afraid. One simple solution is to use a different port, they usually don't find that.
  • 0
    Didn't read through all comments, but change your SSH port. Something above 10000 should be ok. Like your birthday or something (For example: 5. Nov. 1990 -> 51199)
  • 0
    @sudo-wrestler Oh that’s how they do it. Cool, I never knew. Awesome nickname btw!
  • 4
    Why do you have root ssh enabled?
    Tsk tsk.

    I prefer port-knocking. Send a request on port n, and it opens sshd on port y. Connect to that with valid (non-root) username and password, and you're in.

    No way to automate attacks without serious guesswork or sniffing.
  • 1
    favorited this rant
  • 0
    Same with my ssh. 15 - 90 unique IPs banned daily even there is no password auth.
  • 0
    @Root do you log in as root? 😁
  • 0
    @omom haha, my server gets attacked every day
  • 0
    I didn't know fail2ban had an email feature? Is it just an option in the conf?
  • 1
  • 2
    @omom there are bot who just try random ips until they find one responding on port 22. then they add it to a list where a second bot (or workers in a botnet) start to bruteforce it.

    About the domain pointing to your server: probably you have a VPS, right? So the guy who had that ip previously, probably forgot to update the dns settings of that domain but is still paying for it. (Like yeah I don't need it currently, but better keep that domain, if I need it once again. Hmm update dns, nah, I'll just shut down the server....)
  • 1
    @Wack ohhh it should be that! You might be totally right! Thank you I finally understand that domain story haha! Thanks
Add Comment