17

Despite appearances, I am not happy. I decided to check my server logs today and there were 700 thousand dollars fucking SSH failed password attempt entries. From what I could tell, while there were tons of different IPs, they all were from China. It really bothers me that someone is trying to brute force username password combinations on my server (and undoubtedly others too).

Sigh... I guess it’s geo-ip filter time!
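The log check the post describes, as an added example that is not part of the original post: it parses sshd "Failed password" lines out of a constructed auth.log excerpt, counts attempts per source IP, and flags the sources that would trip fail2ban's default maxretry of 5 (the tool suggested in the comments). It assumes the Debian/Ubuntu syslog line layout; other distributions may prefix lines differently.

```python
import re
from collections import Counter

# Regex for the sshd "Failed password" line as syslog writes it to
# /var/log/auth.log (timestamp, host, sshd[pid], message). This assumes the
# common Debian/Ubuntu layout; the prefix may differ on other distributions.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failed_logins(lines):
    """Yield (timestamp, user, ip) for every failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")

def failures_by_ip(lines):
    """Count failed password attempts per source IP."""
    return Counter(ip for _, _, ip in parse_failed_logins(lines))

def ips_over_threshold(lines, maxretry=5):
    """Sources with at least `maxretry` failures: the condition fail2ban's sshd jail
    bans on (it also requires them inside a findtime window, ignored here)."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= maxretry)

# Constructed sample auth.log excerpt (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Mar  3 02:14:01 vps sshd[1210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 vps sshd[1212]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:05 vps sshd[1214]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 02:14:06 vps sshd[1216]: Failed password for invalid user test from 198.51.100.23 port 40012 ssh2
Mar  3 02:14:08 vps sshd[1218]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Mar  3 02:14:09 vps sshd[1220]: Accepted publickey for deploy from 192.0.2.9 port 33001 ssh2
Mar  3 02:14:11 vps sshd[1222]: Failed password for root from 198.51.100.23 port 40020 ssh2
Mar  3 02:14:12 vps sshd[1224]: Failed password for root from 203.0.113.7 port 51277 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in failures_by_ip(lines).most_common():
        print(f"{ip:16} {n} failed attempts")
    print("would be banned at maxretry=5:", ips_over_threshold(lines))
```

Run it against a real file with `failures_by_ip(open("/var/log/auth.log"))`; the successful public-key login in the sample is deliberately left unmatched so only password failures are counted.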

Comments
  • 13
    SSH keys, fail2ban, knockd and geo bans should do the trick.
  • 2
    @Kimmax Bots still send passwords to my key-auth only SSH servers and get rejected for it.
  • 4
    Look on the bright side. You're popular!
  • 1
    @Kimmax good suggestions! For now I just have the geo filter but I’ll consider the others when I get the chance
  • 3
    Or a firewall with possibly a vpn
  • 1
    @kescherRant Bugs me that people have bots doing this to begin with. Do you think they just want access to servers to mine bitcoin on or something?
  • 1
    @alexbrooklyn got the firewall part at least
  • 1
    @FelisPhasma Yeah, or to put ransom on the servers.
  • 6
    @FelisPhasma possibly, that's why the internet is such a dangerous place and people should not have open ports for cPanel or phpMyAdmin facing the fricking internet

    I have the Shodan browser extension and holy crap, I had no idea so many databases and admin panels were publicly available for the world to see

    Now I make sure all my servers only have ports 22, 443 and 80 open, plus I only allow public key authentication
  • 2
    If it really bothers you, change your port to another number, but you know you should only be afraid if you have no SSH key.
  • 4
    What you need is a friend in China who can go and knock on the door of the IP address and see what they are up to.

    Could just be some poor person's infected machine, or could be part of a giant warehouse filled with machines intent on probing the rest of the world for security holes..

    I'm reminded some years ago a company had a big problem with this kind of thing, and they thought I was joking when I suggested they just hire mercenaries to take care of the issue..
  • 3
    @Nanos I don't see the problem, if you have the smallest bit of security the only thing that will happen is that you burn a bit of bandwidth. If you enable fail2ban that problem is also solved.
  • 1
    @alexbrooklyn great extension!
  • 4
    Welcome to the internet. I've had the same, and also IPs from Russia. AFAIK I've never been compromised with a good firewall and locked down SSH. Hang in there, it'll only get worse.
  • 0
    @Nanos well, if you know any Chinese mercenaries I’m all ears!
  • 1
    @Jifuna

    I've had issues in the past with a lot of bandwidth being taken up with attacks.

    One I did find out who was behind it and asked nicely in their public forum if they could stop, which they did.
  • 1
    @FelisPhasma

    They don't have to be in China. :-)

    Some even have their own frigates..

    I'm currently out of touch with such folk, they have an alarming tendency to die!

    As such, I don't know any that are currently alive.