Comments
-
wiwe: Botnet trying to expand...
I once hooked up a Raspberry Pi and forgot to update the login info. 2 hours later I was blocked by my internet provider because the Pi was used for brute force attacks.
-
Well given that the failed logins came from China while you log in from Nigeria, I think it's a hacking attempt. Probably from a Chinese bot that noticed you have the SSH port open.
-
Fail2ban. Also, switch to RSA authentication and completely disable password based authentication.
-
bahua: Use only public-key auth, disable root logins over SSH, consider using a nonstandard port for SSH, and don't be too hasty to implement an expensive (CPU/mem) IP-based solution.
-
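The key-only, no-root, non-default-port setup that bahua and the earlier replies recommend can be checked mechanically against an sshd_config. This is an added example in Python, not code from anyone in the thread; the two sample configs are constructed, and the defaults it falls back on are OpenSSH's documented ones. Two details it gets right that a quick grep misses: sshd honors the first occurrence of a keyword, and anything after a Match line is conditional.

```python
"""Audit an sshd_config for the hardening recommended in the thread:
public-key-only auth, no root login, SSH moved off port 22.

Added example, not code from the devRant thread. DEFAULTS are OpenSSH's
documented defaults; both sample configs below are constructed.
"""
import re

# Value sshd uses when the keyword is absent from the file.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # ChallengeResponseAuthentication on older releases
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd honors the FIRST occurrence of a
    keyword, so a later 'PasswordAuthentication yes' cannot undo an earlier
    'no'. Parsing stops at the first Match block: settings there only apply
    when the Match condition holds."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)        # first match wins
    return effective


def setting(cfg, key):
    """Effective lower-cased value, falling back to the OpenSSH default."""
    if key == "kbdinteractiveauthentication":
        # Older OpenSSH spelled this keyword ChallengeResponseAuthentication.
        value = cfg.get(key, cfg.get("challengeresponseauthentication"))
        return (value or DEFAULTS[key]).lower()
    return cfg.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config is hardened."""
    cfg = parse_sshd_config(text)
    findings = []
    if setting(cfg, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password brute force remains possible")
    if setting(cfg, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if setting(cfg, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login would not work")
    if setting(cfg, "permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root is a known username and should not be reachable over SSH")
    if setting(cfg, "port") == "22":
        findings.append("Port is 22: the default port is what crawlers scan first")
    return findings


# Constructed: what a stock Debian/Raspbian config with root login enabled looks like.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the setup the thread recommends, with two traps for naive parsers.
HARDENED_CONFIG = """\
Port 6235
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
PasswordAuthentication yes   # ignored: sshd keeps the first value above
Match Address 192.0.2.0/24
    PermitRootLogin yes      # ignored here: conditional, inside a Match block
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; after editing, `sshd -t` validates the syntax before a restart, and keeping one session open while you test the new port avoids locking yourself out.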
That's normal... usually within 5 minutes after going live your server is indexed by a bot crawler. As the others said, use fail2ban.
-
Well... there are lots of Fail2ban recommendations here and I will definitely try it out... Thanks guys. I just can't take it anymore.
-
Npstr: Also worth considering moving the SSH port off the default one; that will stop most crawlers since it's not worth checking the whole port range.
If you're feeling adventurous, set up port knocking.
-
Usually you should have some form of blacklisting from fail2ban etc. If you want to manually ascertain the nature of the intrusions, look in /var/log/auth.log and check out the IPs. Most probably you'll not find much there, because the attacks will be proxied.
If you feel it's a random botnet etc., then you're safe enough by disabling the root account and password-based auth and activating fail2ban.
If, however, you feel you are being targeted by an individual, enable whitelisting to only allow your devices, using your SSH private-key-based authentication, on a separate port like 6235 (not 20-23 or 80/443 or 2222, 8888; these are scanned on light scans, and running SSH on a separate port can be detected).
If you are at work and need access from many devices, you may use ip ranges to whitelist.
It's a good habit to read and understand the logs in situations like this, and understand why you're being specifically targeted.
This article may provide some insight, amongst others:
https://bit.ly/2CSN8a0 -
karelian
-
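The auth.log check described above, as an added example in Python (not code from the thread): it pulls the source IP out of each "Failed password" line, counts attempts per IP, and then applies the same maxretry/findtime rule fail2ban's sshd jail uses, so you can see which IPs it would have banned. The log lines are constructed with TEST-NET addresses, the hostname "pi" is invented, and the year is assumed because syslog timestamps omit it.

```python
"""Count failed SSH logins per source IP from auth.log lines and apply a
fail2ban-style rule: ban when maxretry failures land inside findtime seconds.

Added example, not from the devRant thread. The regex matches the classic
syslog-format OpenSSH 'Failed password' message; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2019  # assumed: syslog timestamps carry no year, but we need to diff times

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(lines):
    """Yield (timestamp, username, source_ip) for each 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def failures_by_ip(lines):
    """Map source IP -> number of failed password attempts."""
    counts = defaultdict(int)
    for _, _, ip in parse_failed_logins(lines):
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(lines, maxretry=5, findtime=600):
    """Sorted IPs with at least maxretry failures inside some findtime-second
    window. maxretry=5 / findtime=600 are fail2ban's stock values; a slow
    scanner spreading attempts over hours stays under the threshold."""
    stamps = defaultdict(list)
    for ts, _, ip in parse_failed_logins(lines):
        stamps[ip].append(ts)
    banned = set()
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return sorted(banned)


# Constructed sample: one fast brute-forcer, one slow one, one legitimate key login.
SAMPLE_LOG = """\
Jan 12 03:14:01 pi sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 12 03:14:03 pi sshd[2203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jan 12 03:14:05 pi sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51138 ssh2
Jan 12 03:14:08 pi sshd[2207]: Failed password for root from 203.0.113.5 port 51146 ssh2
Jan 12 03:14:11 pi sshd[2209]: Failed password for invalid user pi from 203.0.113.5 port 51150 ssh2
Jan 12 03:14:13 pi sshd[2211]: Failed password for root from 203.0.113.5 port 51158 ssh2
Jan 12 03:20:40 pi sshd[2230]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 12 03:41:15 pi sshd[2250]: Failed password for root from 198.51.100.23 port 40050 ssh2
Jan 12 04:02:09 pi sshd[2270]: Accepted publickey for pi from 192.0.2.10 port 50010 ssh2: ED25519 SHA256:constructed
Jan 12 04:02:09 pi sshd[2270]: pam_unix(sshd:session): session opened for user pi by (uid=0)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per IP:", failures_by_ip(lines))
    print("would be banned:", ips_to_ban(lines))
```

On a real box, feed it `open("/var/log/auth.log")` instead of `SAMPLE_LOG.splitlines()`. Notice that 198.51.100.23 never trips the default rule; that is the gap a slow, distributed botnet exploits, and why the thread's advice to remove password auth entirely matters more than any ban threshold.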
Jacobgc: Any machine with SSH open is going to get flooded with attempts. Welcome to the real world.
-
Either fail2ban or knockd, which basically blocks your SSH port unless you unblock it by making requests to your server using a specified pattern of ports; then it automatically blocks it again, which means for the world your SSH doesn't exist.
-
Mine has SSH open too on 22 and 443 but has no attempts? It's a DigitalOcean droplet. Any ideas why?
-
@phreakyphoenix I have a Raspberry Pi 3 running as a home server with port forwarding enabled to serve a website on a public domain. And several Vultr VPS servers. All of them running for mostly 2 years. Without fail2ban, default ports, root login enabled, no RSA and all the other unrecommended shit.
But no fucking hacking attempt. Not even a single one. That is just crazy. -
@phreakyphoenix can I whitelist ports for a single country using Fail2ban? Because I noticed that most of the detected attempts are from foreign countries. According to @Fast-Nop this last serial attempt was from China.
-
@GiddyNaya You can achieve that in a variety of ways, with various levels of complexity.
https://superuser.com/questions/...
This uses iptables and geoip. -
@GiddyNaya Changing the port is so simple, it's literally changing a line in sshd_config. You can also change the ssh profiles in your devices if writing the -p PortNo is too much trouble.
WTF! Over 5000+ attempts in less than 3 hours. Some bitch trying to hijack my machine!
Am I the only one experiencing this shit?
rant
server hijacking