18

Someone is trying to launch a brute force attack on one of my servers that I set up for an old project. According to the logs, they've tried Jorgee, they've tried directly accessing the MySQL database (with the laziest passwords), and they're now on day 4 of their brute force attack against my SSH server. I'm fairly certain that they won't be getting in (not that there's anything worth getting in the first place), but what's the standard protocol for this? Do I just wait this out, or is there something I can do to break their bot? I have fail2ban enabled, and it is doing its job, but the attacker is changing their IP address with every attack.

Comments
  • 3
    Most importantly: don't let your MySQL-Server listen to 0.0.0.0, but only locally.
  • 2
  • 2
    📍
  • 2
    This is possibly someone trying to see if your server is an IoT device and trying known passwords for those devices.
  • 1
    How that hell, they get so many ip addresses to use ?
  • 1
    @babanomania Cycling on a VPN most likely
  • 2
    I eventually identified the attack as being from the ZmEu vulnerability scanner. I have password logins disabled for SSH, and the database has been cleared (the service hadn't even gone live, so I didn't lose anything) and set to only accept local connections.
  • 1
    I use nftables to rate limit the logins for ssh, if you get concerned, lock down the server:
    - only local mysql (just close the port)
    - allow only keys for the logon
    - if the bruteforce is producing critical load, change the standard response for all ports to drop.
  • 3
    @vortexman100
    * Change the standard response for all ports to drop _after_ you allowed port 22 😂
    Should be obvious, but as I was a noob in Linux I lost my lovely vps because of this 😂😂
  • 1
    Another suggestion is to use APF (super easy iptables configuration with advanced features) I've had the majority of issues taken care of with it.
Add Comment