Is someone trying to hack into my server? What can I do?


Solution 1

From what you describe, it looks like an automated attack on your server. Most attacks are, unless the attacker knows you personally and is holding a grudge...

Anyway, you might want to look into denyhosts, which you can get from the usual repos. It can analyse repeated attempts and will block their IP address. You may still get something in your logs, but it will at least help mitigate any security concerns.

As for getting more information, I really wouldn't bother. Unless they're an amateur, they'll be using a remote server to do their dirty work which will tell you nothing about who they really are. Your best bet is to find the admin for the IP range (WHOIS is your friend here), and let them know that you're getting a lot of access attempts from that IP. They may be good enough to do something about it.

Solution 2

You don't want to see these failed login attempts in your logs, so you should filter this IP in the network.

If you have your own router or hardware firewall (not the one on the server), use it to block this IP. You can also ask your internet provider to block it.

If the server is a VPS, then ask your VPS provider to block this IP. In most cases they will not reject your request for help, because it costs them nothing.

Attacks from a single IP can be easily mitigated compared to attacks coming from many different IPs. To protect against a distributed attack you need a special service from your network provider, which you have to pay for. On the server level you can fight with DenyHosts or Fail2ban. Fail2ban protects not only ssh but other services. It uses a little more memory. Fail2ban uses iptables to block IPs and DenyHosts uses the file hosts.deny; both use logs to find malicious attempts. You can also configure iptables for rate-limiting ssh attempts, which does not rely on logs.
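As an added illustration (not code from either answer) of the log-based check that DenyHosts and Fail2ban perform before banning a source, the following Python parses sshd lines in the auth.log format quoted in the question and reports sources that exceed a failure threshold inside a time window. The sample lines, the addresses (documentation ranges) and the assumed year are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (not the original poster's log). Source addresses use documentation ranges.
SAMPLE_LOG = """\
May 11 19:45:33 myserver sshd[9264]: Did not receive identification string from 198.51.100.7
May 11 19:45:38 myserver sshd[9267]: Did not receive identification string from 198.51.100.7
May 11 19:45:44 myserver sshd[9270]: Invalid user bash from 198.51.100.7
May 11 19:45:44 myserver sshd[9270]: input_userauth_request: invalid user bash [preauth]
May 11 19:45:49 myserver sshd[9274]: Did not receive identification string from 198.51.100.7
May 11 19:46:02 myserver sshd[9280]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May 11 19:50:10 myserver sshd[9290]: Accepted publickey for alice from 192.0.2.5 port 40000 ssh2
"""

# Three sshd messages that mark a failed or aborted pre-auth attempt.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Did not receive identification string from|Invalid user \S+ from|"
    r"Failed password for (?:invalid user )?\S+ from) (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2014):
    """Return a list of (timestamp, source_ip) for each failed attempt.
    Syslog lines carry no year, so one is assumed (constructed default)."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def offending_ips(events, threshold=3, window_seconds=60):
    """Return {ip: total_failures} for sources with >= threshold failures
    inside any window_seconds span (the rule a log-based banner applies)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = len(times)
                break
    return result

if __name__ == "__main__":
    for ip, n in sorted(offending_ips(parse_failures(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} failed attempts, candidate for blocking")
```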

Author: user2936314

Updated on September 18, 2022

Comments

  • user2936314
    user2936314 almost 2 years

    A few weeks ago I posted a question here about some ssh issues I was having with an Ubuntu 12.04 box. Fast forward to today and I am trying to allow someone else access to the machine, but they keep getting password errors. I checked out var/logs/auth.log for more info, and found this:

    May 11 19:45:33 myserver sshd[9264]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:38 myserver sshd[9267]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:44 myserver sshd[9270]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:49 myserver sshd[9274]: Did not receive identification string from 211.110.xxx.x
    

    I have almost 10000 lines that all seem to say more or less the same thing (there are also 4 auth.log.gz files, which I'm assuming are more of the same?). Sometimes there is a random username attached to the request, input_userauth_request: invalid user bash [preauth]

    I don't know much about servers, but it looks like someone is trying to gain access to mine.

    Googled around for how to block an IP address in Ubuntu and ended up with this: iptables -A INPUT -s 211.110.xxx.x -j DROP, but after running that command and checking the logs, I'm still getting requests from this one IP every 5 seconds.

    How can I find out more about what's going on and deal with these constant requests?

  • user2936314
    user2936314 about 10 years
    I added denyhosts and now the logs show refused connect from...., but I am curious if getting these nonsense requests every 5 seconds could be an issue for server performance later? How do I know if I have access to an upstream router? I just have root access
  • Drac Noc
    Drac Noc about 10 years
    Getting a request from one IP every 5 seconds isn't going to impact your performance by any significant measure.
  • unhammer
    unhammer about 10 years
    For servers that are exposed to the net (well, for any ssh servers really) you should set PermitRootLogin no and PasswordAuthentication no in /etc/ssh/sshd_config
  • user2936314
    user2936314 about 10 years
    Is there a way to stop logging from this IP from within my machine?
  • Drac Noc
    Drac Noc about 10 years
    It's not a good idea to filter your logs. You never know, they might get lucky and you'll want a full written history of what happened.
  • vladiz
    vladiz about 10 years
    @user2936314 Not a good idea really, you had better change the ssh port. Changing the port isn't the perfect solution, but you will get rid of many bots. Some of them are more intelligent and scan for open ports. I had the same problem and fail2ban was blocking 20 IPs per day. After changing the ssh port I observed a significant decrease in malicious ssh attempts.
  • user2936314
    user2936314 about 10 years
    You guys are all awesome. Recommended reading for intro to ubuntu server admin? I'm reading The Linux Programming Interface, but it doesn't look like this sort of stuff is covered much
  • vladiz
    vladiz about 10 years
    @user2936314 Check the official documentation, the server guide for Ubuntu 12.04 or whichever version you need.
  • user2936314
    user2936314 about 10 years
    I thought about this case when I first noticed the logs. I checked with the person I know was trying to access the machine and his IP didn't match the one in the logs. I know he also hasn't been trying to get in every 5 seconds for days. Good point about dynamic IPs though, I'm a bit worried using denyhosts that I'm going to end up locking myself out if/when my IP changes. Looks like my weekend will be spent going through this [askubuntu.com/questions/2271/how-to-harden-an-ssh-server] and the docs
  • David Foerster
    David Foerster over 9 years
    (1) merely obscures access routes, but doesn't secure them. (2) is illegal in most jurisdictions. (3) is risky, because misconfiguration does happen and privilege escalation vulnerabilities may exist, and probably pointless, since most attacks are automated to run on ranges of IP addresses, as you point out yourself.