Question

Getting Attacked over SSH

  • Posted October 27, 2014

Hello

My server (Ubuntu 14.04) is running with VestaCP on it. It has been up and running live for around 2 days now. I never posted the domain or the IP of the server publicly.

Today I configured fail2ban on my VPS. I tried to block all insecure ways to gain access to my server, like FTP etc…

At the moment I get an email from fail2ban every hour saying that someone is trying to gain access as root via SSH.

Like the example below. By researching on the internet I found out that these are proxies…

What is the best way to handle this? When I block them they just use the next proxy…

IPs trying to attack: 220.177.198.27, 122.228.206.87, 122.225.97.69

Thanks for any feedback, regards

swisscenturion

"Hi,

The IP 122.225.97.69 has just been banned by Fail2Ban after 6 attempts against ssh.

Here is more information about 122.225.97.69:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to ‘122.225.97.64 - 122.225.97.127’

inetnum:        122.225.97.64 - 122.225.97.127
netname:        WENZHOU-GAOJIE-CO
country:        CN
descr:          WENZHOU GAOJIE TECHNOLOGY CO.LTD
descr:
admin-c:        SL2710-AP
tech-c:         CH119-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ASSIGNED NON-PORTABLE
changed:        auto-dbm@dcb.hz.zj.cn 20101212
mnt-by:         MAINT-CN-CHINANET-ZJ-HU
source:         APNIC

irt:            IRT-CHINANET-ZJ
address:        Hangzhou, 288 fucun Road, China
e-mail:         lfliu@pubinfo.com.cn
abuse-mailbox:  antispam@dcb.hz.zj.cn
admin-c:        CZ61-AP
tech-c:         CZ61-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET-ZJ
changed:        auto-dbm@dcb.hz.zj.cn 20101129
source:         APNIC

role:           CHINANET-ZJ Huzhou
address:        No.18 Hongqi Road,Huzhou,Zhejiang.313000
country:        CN
phone:          +86-572-2022163
fax-no:         +86-572-2210609
e-mail:         anti_spam@mail.huptt.zj.cn
remarks:        send spam reports to anti_spam@mail.huptt.zj.cn
remarks:        and abuse reports to anti_spam@mail.huptt.zj.cn
remarks:        Please include detailed information and times in UTC
admin-c:        CH50-AP
tech-c:         CH50-AP
nic-hdl:        CH119-AP
mnt-by:         MAINT-CHINANET-ZJ
changed:        master@dcb.hz.zj.cn 20031204
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Shengzhong Liu
nic-hdl:        SL2710-AP
e-mail:         anti_spam@mail.huptt.zj.cn
address:        lanjiang Software Park B3009,Lanjiang Road 188, Airport Road, Wenzhou
phone:          +86-13738375522
phone:          +86-577-88800077
country:        CN
changed:        auto-dbm@dcb.hz.zj.cn 20110815
mnt-by:         MAINT-CN-CHINANET-ZJ-HU
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS2)

Lines containing IP:122.225.97.69 in /var/log/auth.log

Oct 27 10:19:37 MSA01Panel sshd[7230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root
Oct 27 10:19:39 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:42 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:45 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:47 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:49 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69 user=root"
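Before deciding how strict fail2ban should be, it helps to see how many failures each source IP and each account is actually producing. The script below is an added example, not part of the question or of fail2ban itself: it counts SSH login failures in an auth.log with awk. The sample log is constructed to mirror the format of the excerpt above (it reuses the three addresses from the question; the later lines, the second user, and the address 203.0.113.10 are made up).

```shell
#!/bin/sh
# Added example, not part of the original post: triaging SSH brute-force
# attempts in /var/log/auth.log with awk. The sample log below is
# constructed to mirror the format of the excerpt in the question; the
# 203.0.113.10 address is a documentation-range placeholder.

# Failed logins per source IP, most active first, as "<count> <ip>".
# Only "Failed password" lines are counted: the "PAM N more authentication
# failures" summary repeats attempts already logged one per line, so
# counting both would double-count.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs with at least $2 failures: the same idea as fail2ban's maxretry,
# without the findtime window.
ips_at_or_over() {
    failed_ssh_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Failed logins per account name, to see whether only "root" is being
# hammered or also guessed usernames ("Failed password for invalid user X").
failed_ssh_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "for") {
                     u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                     n[u]++; break
                 }
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# Constructed sample log (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 27 10:19:37 MSA01Panel sshd[7230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69  user=root
Oct 27 10:19:39 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:42 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:45 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:47 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:49 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: Failed password for root from 122.225.97.69 port 55525 ssh2
Oct 27 10:19:52 MSA01Panel sshd[7230]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.69  user=root
Oct 27 10:31:02 MSA01Panel sshd[7311]: Failed password for root from 122.228.206.87 port 41022 ssh2
Oct 27 10:31:04 MSA01Panel sshd[7311]: Failed password for root from 122.228.206.87 port 41022 ssh2
Oct 27 10:31:07 MSA01Panel sshd[7311]: Failed password for root from 122.228.206.87 port 41022 ssh2
Oct 27 10:31:09 MSA01Panel sshd[7311]: Failed password for root from 122.228.206.87 port 41022 ssh2
Oct 27 10:31:12 MSA01Panel sshd[7311]: Failed password for root from 122.228.206.87 port 41022 ssh2
Oct 27 10:40:15 MSA01Panel sshd[7402]: Invalid user admin from 220.177.198.27
Oct 27 10:40:17 MSA01Panel sshd[7402]: Failed password for invalid user admin from 220.177.198.27 port 60110 ssh2
Oct 27 10:40:20 MSA01Panel sshd[7402]: Failed password for invalid user admin from 220.177.198.27 port 60110 ssh2
Oct 27 10:45:00 MSA01Panel sshd[7450]: Accepted publickey for deploy from 203.0.113.10 port 51000 ssh2
EOF

echo "failures per IP:";   failed_ssh_by_ip "$SAMPLE_LOG"
echo "failures per user:"; failed_ssh_by_user "$SAMPLE_LOG"
echo "at or over 5:";      ips_at_or_over "$SAMPLE_LOG" 5
```

Run it against the real file with `failed_ssh_by_ip /var/log/auth.log` (as root, since auth.log is not world-readable). The "Accepted publickey" line is deliberately in the sample: successful logins must never show up in the failure counts, and the "Invalid user" line without a password attempt is not counted either.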


Getting “attacked” over SSH is “normal”. There are a few things you can do.

  1. Put your SSH behind a firewall. Make it only possible to connect to it from IP addresses chosen by you.
  2. Do not allow login by password, only by key file
  3. Disable root login, do not use root to login over SSH

Other than that? Well… Just make your fail2ban more strict. This kind of thing is pretty normal on the internet; reporting them to their ISP/host doesn't make a difference, they will just ignore you.
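The three steps in this answer, plus the stricter fail2ban jail, as concrete configuration. This is an added example, not code from the answer, from VestaCP or from the fail2ban project. It writes only into a temporary directory, so it is safe to run as-is; the ufw commands execute only when `APPLY=1` is set. The address 203.0.113.10 and the user name `admin` are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original answer: the answer's three steps as
# concrete configuration, plus a stricter fail2ban jail and a small audit
# of sshd_config. Everything is written to a temporary directory, not to
# /etc, so it is safe to run as-is; copy the fragments into place by hand.
# 203.0.113.10 (documentation range) and the user "admin" are placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: SSH reachable only from addresses you choose. With ufw's default
# "deny incoming" a single allow rule for your own address is enough.
# The live commands run only with APPLY=1; otherwise they are printed.
restrict_ssh_to() {
    if [ "${APPLY:-0}" = 1 ]; then
        ufw default deny incoming
        ufw allow from "$1" to any port 22 proto tcp
        ufw --force enable
    else
        printf 'would run: ufw allow from %s to any port 22 proto tcp\n' "$1"
    fi
}

# Steps 2 and 3: key-only login and no root login. The weak file is what a
# password brute-forcer needs; the hardened one closes both doors. sshd
# uses the FIRST value it sees for a keyword, so put these near the top of
# /etc/ssh/sshd_config; on Ubuntu 14.04 (OpenSSH 6.6) a missing
# PermitRootLogin or PasswordAuthentication means "yes".
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers admin
EOF

# Effective value of a keyword (first occurrence, lower-cased); $3 is the
# default reported when it is absent. Match blocks are not evaluated here.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# One line per weak setting; exit status 0 means nothing weak was found.
# Each spec is "keyword default-when-absent required-value".
audit_sshd_config() {
    cfg=$1; bad=0
    for spec in "PermitRootLogin yes no" \
                "PasswordAuthentication yes no" \
                "PubkeyAuthentication yes yes"; do
        set -- $spec
        got=$(sshd_effective "$cfg" "$1" "$2")
        if [ "$got" != "$3" ]; then
            printf '%s is "%s", should be "%s"\n' "$1" "$got" "$3"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Stricter fail2ban jail: 3 attempts in 10 minutes, banned for a day.
# [ssh] is the jail name in the 0.8 series Ubuntu 14.04 ships (later
# releases call it [sshd]). Put overrides in jail.local, not jail.conf.
cat > "$WORK/jail.local" <<'EOF'
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 86400
EOF

# Before restarting sshd: install your public key, check the file with
# "sshd -t", and keep the current session open while you test key login
# from a second one, so a mistake cannot lock you out.
restrict_ssh_to 203.0.113.10
echo "weak config:";     audit_sshd_config "$WORK/sshd_config.weak" || true
echo "hardened config:"; audit_sshd_config "$WORK/sshd_config.hardened" && echo "  no weak settings"
```

The audit reads the configuration the way sshd does (first occurrence wins, so a hardened line placed below an old `PermitRootLogin yes` changes nothing), and it reports an absent keyword as the 14.04 default rather than as "fine". After copying the fragments into /etc, `sshd -t` validates the syntax and `service ssh restart` and `service fail2ban restart` apply them.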



…what everyone else said, and also: change your default SSH port

Servers on the internet are constantly scanned and bruteforced.

If you have turned off SSH key authentication and turned off password authentication, you’re already pretty safe.