Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Voxera113887yI would be quite surprised if any server with a public IP did not have some penetration attempts almost every hour.
There are thousands of scripts running through ip ranges trying different common passwords and other intrusion attempts.
Just seeing a Russian IP is not very special I am afraid :/
Best defense is a good password or certificate login.
But a good long unique password is sufficient (12-18 chars minimum)
About 15 (I think) years ago there was an windows virus spreading.
Average time from switching on a new computer with public IP you had less than 8 minutes to patch it before at least one infected machine hit yours :/
That was when MS really started to take security serious and they have come a long way since. -
I generally disable the possibility to ssh in as root but as one or more other user/'s which are able to sudo su.
Most ssh "attacks" I've seen were trying to login as root which is pretty much pointless at that point -
px0622427yI always disable SSH for root and mostly don't use SSH password login for my servers. It's just not very safe, specially if the server is important.
-
from the comments I conclude there is nothing to worry about, just disable root and unusual username and I should be fine. Luckily I installed Fail2ban before it is too late.
@Electrux @gitoutofhere -.- :p -
@sslPoodle I was actually just kidding haha :)
I suppose the script kiddies that only brute force root access will be blocked with ease anyway so you could pick any name against those. -
Close the connection, disable root and password based login and setup an RSA key login thingy.
I'd recommend to (I'd do that) reinstall the server if they accesses it through root as they could leave malware on the server.
Related Rants
thought I'd type:netstat -atn on my server and the result was a bit scary, found a Russian IP address with state of: FIN_WAIT1
Either Fail2ban was closing his connection or that dude was able to access my server :/
Checked /var/log/auth.log
and found this for his IP: Failed password for root from ----- port 37635 ssh2
I hope I'm still safe :)
Instantly disable password login and make it only SSH
but now I need to carry my SSH keys or else I'm blocked out lol
undefined
wiat what
internet
scary world out there