I was running rocket.chat and everything was fine but then I got a bad gateway message on my site.

I checked and the status was active and green. But I got this message too
“Received disconnect from IP ADDRESS #### port ####: Bye Bye [preauth]
Disconnected from invalid user NAME IP ADDRESS #### port #### [preauth]

And this goes on and on. Any help is very much appreciated !!!!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer

Hi @workshopdebate,

It is likely that the attacker is using some custom code to brute-force the server which is ending up in malformed authentication requests being sent, resulting in the server killing the connection. So from the code it appears they are in fact trying to login, but the server doesn’t like how they’re attempting that.

As such, these log entries aren’t anything to worry about unless you think you are likely to be a targeted victim for any reason (in which case you should be taking extra precautions such as refusing password-based logins).

Anyway, I’ll suggest you install fail2ban or any other service that helps you with such attempts.

Regards,
KFSys

  • Hi KFSys,

    Thank you so much for your quick reply! I really appreciate it and will definitely look into fail2ban!

    I did a little further investigating and learned that rocket.chat had an update and I think that the update may have broken my droplet. Also, I realized that I was wrong in my original post–my rocket.chat was not running originally but the SSH was. I got the rocket.chat fixed and it is back up and running, but do you think that what I described in my original post was not in fact, someone attempting to attack, but perhaps more so related to the update/broken deployment? Or do you think it was more likely an attacker and it was just a coincidence that the update broke the deployment?

    Thanks so much for your time and consideration! I really appreciate it!!!

    Best,
    M

Submit an Answer