By eric348479
In going through my /var/log/auth.log, I found many, many (MANY) attempts to log into my droplet from IP addresses all over the earth (Japan, China, Bosnia among the most common). I have reported these IP addresses and have been blocking them in IPtables on the droplet itself. But this is clearly not a sustainable strategy, as one of several thousand other IP addresses are likely to take their place.
An example from my log:

```
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:56:59 cdgabeyer5 sshd[12340]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:02 cdgabeyer5 sshd[12340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:04 cdgabeyer5 sshd[12340]: Failed password for root from 58.218.204.226 port 47848 ssh2
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 47848 ssh2]
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: Received disconnect from 58.218.204.226: 11: [preauth]
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:09 cdgabeyer5 sshd[12342]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:15 cdgabeyer5 sshd[12342]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:17 cdgabeyer5 sshd[12342]: Failed password for root from 58.218.204.226 port 33845 ssh2
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 33845 ssh2]
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: Received disconnect from 58.218.204.226: 11: [preauth]
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:28 cdgabeyer5 sshd[12344]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 13 06:57:33 cdgabeyer5 sshd[12344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.226 user=root
Apr 13 06:57:34 cdgabeyer5 sshd[12344]: Failed password for root from 58.218.204.226 port 56753 ssh2
Apr 13 06:57:42 cdgabeyer5 sshd[12344]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 56753 ssh2]
Apr 13 06:57:43 cdgabeyer5 sshd[12344]: Received disconnect from 58.218.204.226: 11: [preauth]
```
The droplet has very little facing the public internet - just an ownCloud service for me and my family. I’m guessing whoever is doing this is scanning IPs associated with DigitalOcean. Does DO have a policy to mitigate or to block these hacking attempts? I’m doing what I think I can - disable root login, strong username and password, firewall running and iptables as above. What else can we do? EB
We do not provide a policy to block these attempts at the network level. Any server connected to the Internet will unfortunately be the target of this type of attack. One of the best things you can do is to set up fail2ban on your droplet as this will automatically block IP addresses after a set number of failed logins. Between doing this and configuring your ssh service to listen on a port other than 22 you will mitigate most of this type of attack.
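Before installing fail2ban it helps to see which addresses would actually be banned. The script below is an added example (not DigitalOcean's code and not part of the answer above): it summarises `Failed password` events per source address from an auth.log in the format shown in the question, folding the `message repeated N times` lines into the count the way fail2ban's sshd filter does. The sample log it builds is constructed from the question's own lines plus two RFC 5737 documentation addresses; the threshold of 3 is an assumption mirroring a typical `maxretry`.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address.
# Usage: sh failed_logins.sh /var/log/auth.log [threshold]
# With no arguments it runs against a constructed sample log.

failed_by_ip() {
    logfile="$1"
    awk '
        /Failed password for/ {
            n = 1
            # "message repeated N times: [ Failed password ... ]" folds N failures into one line
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), w, " ")
                n = w[3] + 0
            }
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)] += n; break }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$logfile" | sort -rn
}

# Print only addresses at or above a threshold (default 3, an assumed maxretry)
over_threshold() {
    failed_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Constructed sample in the question's log format: the question's address plus
# RFC 5737 documentation addresses (203.0.113.7, 198.51.100.20)
make_sample_log() {
    cat > "$1" <<'EOF'
Apr 13 06:57:04 cdgabeyer5 sshd[12340]: Failed password for root from 58.218.204.226 port 47848 ssh2
Apr 13 06:57:09 cdgabeyer5 sshd[12340]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 47848 ssh2]
Apr 13 06:57:17 cdgabeyer5 sshd[12342]: Failed password for root from 58.218.204.226 port 33845 ssh2
Apr 13 06:57:26 cdgabeyer5 sshd[12342]: message repeated 2 times: [ Failed password for root from 58.218.204.226 port 33845 ssh2]
Apr 13 07:01:10 cdgabeyer5 sshd[12350]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 13 07:02:30 cdgabeyer5 sshd[12360]: Accepted publickey for eric from 198.51.100.20 port 40000 ssh2
EOF
}

if [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    failed_by_ip "$tmp"          # prints "6 58.218.204.226" then "1 203.0.113.7"
    rm -f "$tmp"
else
    over_threshold "$1" "$2"
fi
```

The successful `Accepted publickey` line is deliberately ignored, so a working key-based login from your own address never appears in the list; only addresses that produced repeated password failures do, which is exactly the set fail2ban would ban with `maxretry = 3`.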
What I did, if you know the people who would access your server and who their ISP is: I blocked all the connections to my server except for the IPs allocated to their ISP, so only people on those networks can get HTTPS and SSH. I only started using DigitalOcean a few days ago and hadn’t had a server. I gave it a shamefully weak password and the next morning I found I was spamming 55 other IPs. Almost all the IPs in the logs are from China trying to connect.
Hi there,
As already mentioned you can configure Fail2ban on your droplet. Fail2ban can significantly mitigate brute force attacks by creating rules that automatically alter your firewall configuration to ban specific IPs after a certain number of unsuccessful login attempts. This will allow your server to harden itself against these access attempts without intervention from you.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-22-04
You can also install malware detection software like Linux Malware Detect, also known as Maldet or LMD. It will help you to locate any malicious files on your droplet.
The activity you’ve mentioned might come from a faulty plugin, but you can scan your server using the tools I’ve mentioned or scan it with a WP plugin like Wordfence as well.
If you’re interested in securing your droplet (everyone should be in general) you can double-check our tutorial - An Introduction to Securing your Linux VPS.
The article will cover the basic and some more advanced steps in website and server security.
You can check the article here:
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Hope that this helps!
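The two answers above both point at the same fix: make sshd refuse password guessing and let fail2ban ban whoever keeps trying. The script below is an added example, not code from DigitalOcean's tutorials or from either answer; it renders the two configuration files into a staging directory (`PREFIX`, assumed, default `./staging`) so they can be inspected before being installed as root with `PREFIX=/`. The port 2222, the 1h ban, the 10m window and `maxretry = 3` are assumed values to adjust.

```shell
#!/bin/sh
# Added example: render an sshd hardening drop-in and a fail2ban jail.local.
# PREFIX=./staging (default) writes under a scratch directory; PREFIX=/ installs.
PREFIX="${PREFIX:-./staging}"

write_sshd_hardening() {
    # OpenSSH reads /etc/ssh/sshd_config.d/*.conf where sshd_config carries an
    # Include line (Ubuntu 20.04 and later); on older systems append these lines
    # to sshd_config itself.
    dir="$PREFIX/etc/ssh/sshd_config.d"
    mkdir -p "$dir"
    cat > "$dir/10-hardening.conf" <<'EOF'
# Key-based logins only: password guessing fails before PAM is ever reached
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# Assumed non-default port; it only reduces scanner noise, it is not a control
Port 2222
MaxAuthTries 3
LoginGraceTime 30
EOF
    echo "$dir/10-hardening.conf"
}

write_fail2ban_jail() {
    # jail.local overrides jail.conf and survives package upgrades
    dir="$PREFIX/etc/fail2ban"
    mkdir -p "$dir"
    cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
# Addresses that must never be banned: loopback, plus your own management range
ignoreip = 127.0.0.1/8 ::1
bantime  = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
# Must match the Port in the sshd drop-in above, or the ban rule misses the traffic
port    = 2222
logpath = /var/log/auth.log
EOF
    echo "$dir/jail.local"
}

# Render both files and print where they landed
write_sshd_hardening
write_fail2ban_jail
```

Before restarting anything, open the new port in the DigitalOcean cloud firewall (or your iptables rules) and keep the existing session open; then `sudo sshd -t` checks the sshd syntax, `sudo fail2ban-client -d` dumps the merged fail2ban configuration, and a second terminal confirms a key-based login still works on the new port before the old one is closed. A typo in `sshd_config` is the most common way to lock yourself out of a droplet.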