Does DO have a policy / mechanism for random IP addresses that try to hack my droplets?

April 13, 2015

In going through my /var/log/auth.log, I found many, many (MANY) attempts to log into my droplet from IP addresses all over the earth (Japan, China, Bosnia among the most common). I have reported these IP addresses and have been blocking them in iptables on the droplet itself. But this is clearly not a sustainable strategy, as one of several thousand other IP addresses is likely to take their place.

An example from my log:
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:56:59 cdgabeyer5 sshd[12340]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:02 cdgabeyer5 sshd[12340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:04 cdgabeyer5 sshd[12340]: Failed password for root from 58.218.204.226 port 47848 ssh2
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 47848 ssh2]
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: Received disconnect from 58.218.204.226: 11: [preauth]
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:09 cdgabeyer5 sshd[12342]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:15 cdgabeyer5 sshd[12342]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:17 cdgabeyer5 sshd[12342]: Failed password for root from 58.218.204.226 port 33845 ssh2
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 33845 ssh2]
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: Received disconnect from 58.218.204.226: 11: [preauth]
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:28 cdgabeyer5 sshd[12344]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:33 cdgabeyer5 sshd[12344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:34 cdgabeyer5 sshd[12344]: Failed password for root from 58.218.204.226 port 56753 ssh2
Apr 13 06:57:42 cdgabeyer5 sshd[12344]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 56753 ssh2]
Apr 13 06:57:43 cdgabeyer5 sshd[12344]: Received disconnect from 58.218.204.226: 11: [preauth]

The droplet has very little facing the public internet - just an ownCloud service for me and my family. I'm guessing whoever is doing this is scanning IPs associated with DigitalOcean. Does DO have a policy to mitigate or to block these hacking attempts? I'm doing what I think I can - disable root login, strong username and password, firewall running and iptables as above. What else can we do?
EB

2 Answers

We do not provide a policy to block these attempts at the network level. Any server connected to the Internet will unfortunately be the target of this type of attack. One of the best things you can do is to set up fail2ban on your droplet as this will automatically block IP addresses after a set number of failed logins. Between doing this and configuring your ssh service to listen on a port other than 22 you will mitigate most of this type of attack.
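To make the fail2ban suggestion concrete, here is an added example (not code from the thread, from fail2ban or from DigitalOcean). It re-implements, in a few lines of awk, the counting that fail2ban's sshd jail does on auth.log, runs it over constructed sample lines modelled on the question's log, and prints the jail.local settings the answer recommends. The hostname, the 198.51.100.7 and 192.0.2.10 addresses and the maxretry/findtime/bantime values are illustrative choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban itself: a minimal
# version of the counting that fail2ban's sshd jail performs on auth.log, run
# over constructed sample lines, followed by the jail settings the answer
# recommends. Thresholds, hostname and the non-58.x addresses are illustrative.

# Constructed sample lines modelled on the question's log. The "message repeated
# N times" form is how rsyslog collapses identical consecutive lines; a plain
# grep -c undercounts those, so the counter below adds N for such lines.
sample_auth_log() {
    cat <<'EOF'
Apr 13 06:57:04 host sshd[12340]: Failed password for root from 58.218.204.226 port 47848 ssh2
Apr 13 06:57:09 host sshd[12340]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 47848 ssh2]
Apr 13 06:57:17 host sshd[12342]: Failed password for root from 58.218.204.226 port 33845 ssh2
Apr 13 06:58:01 host sshd[12350]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Apr 13 06:58:30 host sshd[12351]: Accepted publickey for eb from 192.0.2.10 port 50022 ssh2
EOF
}

# usage: failed_logins_per_ip <logfile>
# Prints "<count> <ip>" per source address, highest count first.
failed_logins_per_ip() {
    awk '
        /Failed password for/ {
            ip = ""; n = 1
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), w, " "); n = w[3]
            }
            if (ip != "") count[ip] += n
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# usage: ban_candidates <logfile> <maxretry>
# Sources with at least <maxretry> failures: the ones fail2ban would ban.
ban_candidates() {
    failed_logins_per_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Contents for /etc/fail2ban/jail.local as the answer suggests: three failures
# within ten minutes ban the source for an hour. If sshd is moved off port 22,
# set "port" to that number so the ban rule covers the right port.
print_jail_local() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Dry run over the constructed sample. On a droplet, point the functions at
# /var/log/auth.log instead; the iptables line is only printed, not executed.
LOG=$(mktemp)
sample_auth_log > "$LOG"
echo "failed password attempts per source:"
failed_logins_per_ip "$LOG"
echo "would ban with maxretry=3:"
for ip in $(ban_candidates "$LOG" 3); do
    echo "  iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
done
rm -f "$LOG"
```

The repeated-line handling is the part worth keeping in mind when you check a ban threshold by hand: in the question's log each burst of three failures shows up as one "Failed password" line plus one "message repeated 2 times" line, so counting lines alone would report a third of the real number.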

What I did, if you know the people who would access your server and who their ISP is: I blocked all the connections to my server except for the IPs allocated to their ISP, so only people on those networks can get HTTPS and SSH. I only started using DigitalOcean a few days ago and hadn't had a server. I gave it a shamefully weak password and the next morning I found I was spamming 55 other IPs. Almost all the IPs in the logs are from China trying to connect.
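An added example of the allow-list approach this answer describes (not the poster's own rules): it generates an iptables-restore ruleset that admits only a fixed set of ISP address ranges to SSH and HTTPS and drops everything else on INPUT. The CIDRs are constructed documentation ranges standing in for the family's ISPs; the rule ordering (loopback and established flows first) is the part that keeps an administrator from locking themselves out when the ruleset is loaded over an active SSH session.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables ruleset that only lets
# a fixed set of ISP address ranges reach SSH and HTTPS, as the answer above
# describes. The CIDRs are constructed placeholders; a real deployment puts the
# ranges of the family's ISPs here instead.

ALLOWED_CIDRS="203.0.113.0/24 198.51.100.0/25"   # constructed placeholder ranges
ALLOWED_PORTS="22,443"                            # ssh and https, as in the answer

# Reject malformed CIDRs before they reach the firewall: a typo in the one
# allow rule for port 22 locks the administrator out of the droplet.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(echo "$1" | cut -d/ -f1 | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print a complete ruleset in iptables-restore(8) format. Ordering matters:
# loopback and already-established flows are accepted first so an open SSH
# session survives the reload, then each allowed range, and the INPUT chain's
# default policy of DROP discards everything else (no explicit DROP rule needed).
allowlist_rules() {
    for cidr in $ALLOWED_CIDRS; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for cidr in $ALLOWED_CIDRS; do
        echo "-A INPUT -p tcp -m multiport --dports $ALLOWED_PORTS -s $cidr -j ACCEPT"
    done
    echo 'COMMIT'
}

# Dry run: only prints the ruleset. On the droplet, save it to a file, check it
# with "iptables-restore --test < rules.v4", then load it with
# "iptables-restore < rules.v4" from a session you can afford to lose.
allowlist_rules
```

Because the default INPUT policy is DROP, anything not listed (including the ownCloud port if it is not 443, and ICMP) is silently discarded, so extend ALLOWED_PORTS before loading it on a host that serves more than SSH and HTTPS.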
