Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How do I increase the client slots on my TS3 server? Question Question
Is it possible to port forward? If so, is it allowed to host a gameserver? Question Question

Question

Bad gateway hack help

Posted July 13, 2020 634 views
Miscellaneous

I was running rocket.chat and everything was fine but then I got a bad gateway message on my site.

I checked and the status was active and green. But I got this message too
“Received disconnect from IP ADDRESS #### port ####: Bye Bye [preauth]
Disconnected from invalid user NAME IP ADDRESS #### port #### [preauth]

And this goes on and on. Any help is very much appreciated !!!!

Add a comment
workshopdebate
By:
workshopdebate

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How do I increase the client slots on my TS3 server? Question Question
Is it possible to port forward? If so, is it allowed to host a gameserver? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
KFSys July 14, 2020

Hi @workshopdebate,

It is likely that the attacker is using some custom code to brute-force the server which is ending up in malformed authentication requests being sent, resulting in the server killing the connection. So from the code it appears they are in fact trying to login, but the server doesn’t like how they’re attempting that.

As such, these log entries aren’t anything to worry about unless you think you are likely to be a targeted victim for any reason (in which case you should be taking extra precautions such as refusing password-based logins).

Anyway, I’ll suggest you install fail2ban or any other service that helps you with such attempts.

Regards,
KFSys

Reply Report
  • workshopdebate July 15, 2020

    Hi KFSys,

    Thank you so much for your quick reply! I really appreciate it and will definitely look into fail2ban!

    I did a little further investigating and learned that rocket.chat had an update and I think that the update may have broken my droplet. Also, I realized that I was wrong in my original post–my rocket.chat was not running originally but the SSH was. I got the rocket.chat fixed and it is back up and running, but do you think that what I described in my original post was not in fact, someone attempting to attack, but perhaps more so related to the update/broken deployment? Or do you think it was more likely an attacker and it was just a coincidence that the update broke the deployment?

    Thanks so much for your time and consideration! I really appreciate it!!!

    Best,
    M

    Reply Report

Related

Looking for something else?

Ask a new question Search for more help