Getting Attacked over SSH

October 27, 2014

Hello

My server (Ubuntu 14.04) is running with VestaCP on it.
It has been up and running live for around 2 days now.
I never posted the domain or the IP of the server publicly.

Today I configured fail2ban on my VPS.
I tried to block all insecure ways to gain access to my server, like FTP etc.

At the moment I get an email from Fail2ban every hour saying that someone is trying to gain access as root via SSH.

Like the example below. By researching on the internet I found out that these are proxies.

How to handle this the best way? When I block them they just use the next proxy.

IPs trying to attack:
220.177.198.27
122.228.206.87
122.225.97.69

Thanks for any feedback,
regards

swisscenturion

"Hi,

The IP 122.225.97.69 has just been banned by Fail2Ban after
6 attempts against ssh.

Here are more information about 122.225.97.69:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '122.225.97.64 - 122.225.97.127'

inetnum: 122.225.97.64 - 122.225.97.127
netname: WENZHOU-GAOJIE-CO
country: CN
descr: WENZHOU GAOJIE TECHNOLOGY CO.LTD
descr:
admin-c: SL2710-AP
tech-c: CH119-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE
changed: auto-dbm@dcb.hz.zj.cn 20101212
mnt-by: MAINT-CN-CHINANET-ZJ-HU
source: APNIC

irt: IRT-CHINANET-ZJ
address: Hangzhou, 288 fucun Road, China
e-mail: lfliu@pubinfo.com.cn
abuse-mailbox: antispam@dcb.hz.zj.cn
admin-c: CZ61-AP
tech-c: CZ61-AP
auth: # Filtered
mnt-by: MAINT-CHINANET-ZJ
changed: auto-dbm@dcb.hz.zj.cn 20101129
source: APNIC

role: CHINANET-ZJ Huzhou
address: No.18 Hongqi Road,Huzhou,Zhejiang.313000
country: CN
phone: +86-572-2022163
fax-no: +86-572-2210609
e-mail: antispam@mail.huptt.zj.cn
remarks: send spam reports to anti_spam@mail.huptt.zj.cn
remarks: and abuse reports to anti_spam@mail.huptt.zj.cn
remarks: Please include detailed information and times in UTC
admin-c: CH50-AP
tech-c: CH50-AP
nic-hdl: CH119-AP
mnt-by: MAINT-CHINANET-ZJ
changed: master@dcb.hz.zj.cn 20031204
source: APNIC
changed: hm-changed@apnic.net 20111114

person: Shengzhong Liu
nic-hdl: SL2710-AP
e-mail: anti_spam@mail.huptt.zj.cn
address: lanjiang Software Park B3009,Lanjiang Road 188, Airport Road, Wenzhou
phone: +86-13738375522
phone: +86-577-88800077
country: CN
changed: auto-dbm@dcb.hz.zj.cn 20110815
mnt-by: MAINT-CN-CHINANET-ZJ-HU
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS2)

Lines containing IP:122.225.97.69 in /var/log/auth.log

Oct 27 10:19:37 MSA01Panel sshd[7230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root
Oct 27 10:19:39 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:42 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:45 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:47 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:49 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root"
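As an added example (not part of the original post and not fail2ban's own code), the following Python reproduces the per-source counting behind the "6 attempts against ssh" notice: it tallies "Failed password" lines per address in the auth.log format quoted above and flags any address that reaches maxretry failures inside a findtime-second window, the two settings a fail2ban jail is tuned with. The sample log is constructed: its first eight lines mirror the quoted excerpt, the last three (a second scanner and one legitimate key login) are made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first eight lines mirror the auth.log excerpt quoted in
# the post; the last three are made up (a second scanner and one legitimate login).
SAMPLE_AUTH_LOG = """\
Oct 27 10:19:37 MSA01Panel sshd[7230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root
Oct 27 10:19:39 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:42 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:45 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:47 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:49 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root
Oct 27 10:20:01 MSA01Panel sshd[7301]: Failed password for invalid user admin from 220.177.198.27 port 41002 ssh2
Oct 27 10:20:05 MSA01Panel sshd[7301]: Failed password for invalid user admin from 220.177.198.27 port 41002 ssh2
Oct 27 10:20:30 MSA01Panel sshd[7350]: Accepted publickey for deploy from 203.0.113.10 port 50000 ssh2
"""

# One "Failed password" line per rejected attempt ("invalid user" marks names that do not
# exist). The pam_unix and "PAM N more" lines summarise the same attempts and are not counted.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failures_per_ip(log_text, year=2014):
    """Return {ip: [timestamps]} of failed password attempts (year is assumed; syslog has none)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return dict(hits)

def flag_brute_force(log_text, maxretry=6, findtime=600):
    """Return {ip: count} for sources with maxretry failures inside any findtime-second window."""
    flagged = {}
    for ip, times in failures_per_ip(log_text).items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = end - start + 1
                break
    return flagged
```

With the defaults, only 122.225.97.69 is flagged, at exactly the 6 attempts the notice reported; the second scanner stays below the threshold unless maxretry is lowered.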

1 comment
  • Getting "attacked" over SSH is "normal".
    There are a few things you can do.

    1. Put your SSH behind a firewall. Make it only possible to connect to it from IP addresses chosen by you.
    2. Do not allow login by password, only by key file.
    3. Disable root login; do not use root to log in over SSH.

    Other than that? Well... just make your fail2ban more strict. This kind of thing is pretty normal on the internet; reporting them to their ISP/host doesn't make a change, they will just ignore you.

2 Answers

Servers on the internet are constantly scanned and bruteforced.

If you have turned off SSH key authentication and turned off password authentication, you're already pretty safe.

...what everyone else said, and also: change your default SSH port.

  • Security by obscurity doesn't really work. nmap makes that worse than useless. I say "worse than useless" because it gives you a false sense of security.

  • Interesting. I had read that changing the default port would, at the least, protect against bots.

  • What you read is true, based on my experience. Since changing the default SSH ports on some of my servers I got rid of a lot of "zombie attacks" (approximately a reduction of 80%), since they usually probe the default port. Nothing, in my opinion, "works" to an extent of 100%; it is rather small steps that can make big improvements over time when it comes to hardening a server.
