75

WTF! Over 5000+ attempts in less than 3 hours. Some bitch trying to hijack my machine!
Am I the only one experiencing this shit?

Comments
  • 26
    Botnet trying to expand...

    I once hooked up a raspberry and forgot to update login info. 2 hours later I was blocked by my internet provider because the pi was used for brute force attacks
  • 8
    Well given that the failed logins came from China while you log in from Nigeria, I think it's a hacking attempt. Probably from a Chinese bot that noticed you have the SSH port open.
  • 32
    Fail2ban. Also, switch to RSA authentication and completely disable password based authentication.
  • 16
    Use only public key auth, disable root logins over ssh, consider using a nonstandard port for ssh, and don't be too hasty to implement an expensive (CPU/mem) IP-based solution.
  • 5
    Also, set a PS1!
  • 8
    That's normal... usually within 5 minutes after go-live your server is indexed by a bot crawler. As the others said, use fail2ban.
  • 6
    Fail2ban!! Works like a charm for me
  • 5
    Well... there're lots of Fail2ban recommendations here and I will definitely try it out... Thanks guys. I just can't take it anymore.
  • 7
    And for god's sake, don't use the root account.
  • 8
    Disable the root account login, seriously.
  • 4
    @tokumei I never thought about that
  • 5
    Only 5.5k in 3 hours? try 8k in 1.5hours WITH fail2ban :^)
  • 2
    That ip leak btw :3
  • 8
    Also worth considering moving the ssh port off the default one, that will stop most crawlers since it's not worth checking the whole port range.
    If you're feeling adventurous, set up port knocking.
  • 4
    Usually you should have some form of blacklisting from fail2ban etc. If you want to manually ascertain the nature of the intrusions, look in /var/log/auth.log and check out the IPs. Most probably you'll not find much there, because the attacks will be proxied.
    If you feel it's a random botnet etc, then you're safe enough by disabling root account, passwd based auth and activating fail2ban.
    If you however feel you're being targeted by an individual, enable whitelisting to only allow your devices having your ssh pvt key based authentication on a separate port like 6235 (not 20-23 or 80/443 or 2222, 8888; these are scanned on light scans, and running ssh on a separate port can be detected).
    If you are at work and need access from many devices, you may use IP ranges to whitelist.
    It's a good habit to read and understand the logs in situations like this, and understand why you're being specifically targeted.
    This article may provide some insight, amongst others:
    https://bit.ly/2CSN8a0
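    The manual check the comment above describes (reading /var/log/auth.log and counting failed attempts per source IP and per user), as an added example that is not part of the thread. The log lines, IPs and usernames below are constructed sample data; the threshold is an arbitrary assumption.

```python
# Added example (not from the thread): count failed SSH logins per source
# IP and per targeted user in an auth.log sample, the manual check one
# commenter suggests before or alongside fail2ban. All log lines below are
# constructed; the addresses are documentation ranges, not real hosts.
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 pi sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:09 pi sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:12 pi sshd[2104]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jan 12 03:15:01 pi sshd[2110]: Failed password for invalid user pi from 198.51.100.9 port 40011 ssh2
Jan 12 03:16:44 pi sshd[2120]: Accepted publickey for deploy from 192.0.2.7 port 55500 ssh2
Jan 12 03:17:02 pi sshd[2131]: Failed password for root from 203.0.113.45 port 51044 ssh2
"""

# OpenSSH writes "invalid user" before names that do not exist locally;
# the optional group lets one pattern cover both forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(log_text):
    """Return (per_ip, per_user) Counters of failed password attempts."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
    return per_ip, per_user


def noisy_sources(log_text, threshold=3):
    """IPs with at least `threshold` failures (threshold is an assumed value):
    the ones to compare against your fail2ban jail or whitelist rules."""
    per_ip, _ = failed_logins(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    ips, users = failed_logins(SAMPLE_AUTH_LOG)
    print("failures per IP:", dict(ips))
    print("targeted users:", dict(users))
    print("noisy sources:", noisy_sources(SAMPLE_AUTH_LOG))
```

    Successful key-based logins such as the "Accepted publickey" line are deliberately ignored, so the counts reflect only password guessing.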
  • 3
    Add port knocking to the setup for heightened levels of paranoia.

    https://serverfault.com/a/690738
  • 2
    Any machine with ssh open is going to get flooded with attempts. Welcome to the real world
  • 4
    Either fail2ban or knockd, which basically blocks your ssh port unless you unblock it by making requests to your server using a specified pattern of ports, then it automatically blocks it again, which means for the world your ssh doesn't exist
  • 1
    Mine has ssh open too on 22 and 443 but has no attempts? It's a Digitalocean droplet. Any ideas why?
  • 2
    @phreakyphoenix I have a raspi 3 running as a home server with port forwarding enabled to serve a website to a public domain. And several vultr vps servers. All of them running for mostly 2 years. Without fail2ban, default ports, root login enabled, no RSA and all the other unrecommended shit.
    But no fucking hacking attempt. Not even a single one. That is just crazy.
  • 0
    No logging + only allow connections using SSH keys. Works great for me.
  • 1
    @phreakyphoenix can I whitelist ports for a single country using Fail2ban? Because I noticed that most of the detected attempts are from foreign countries. According to @Fast-Nop this last serial attempt was from China.
  • 1
    Created new sudo user and disabled root ssh access... I just hope this is enough... :D
  • 2
    @GiddyNaya You can achieve that in a variety of ways, with various levels of complexity.
    https://superuser.com/questions/...
    This uses iptables and geoip.
  • 1
    @GiddyNaya Changing the port is so simple, it's literally changing a line in sshd_config. You can also change the ssh profiles in your devices if writing the -p PortNo is too much trouble.
  • 0
    Or you have a cron with an old password you forgot about.
  • 0
    Fail2ban should be your best friend