By:

Random IPs trying to get in

July 24, 2016 912

Security Monitoring

Hello,

I created a droplet 2 months ago and I did the basic things like configuring the firewall, setup ssh to only accept public key auth and stuff.
Last night I was inspecting the logs located at /var/log/auth.log and /var/log/ufw.log and I noticed that there are a lot of IPs trying to access telnet, ssh (using brute force with random login names) and there are also some attempt to connect to some random TCP ports.

Should I be worried? Is this "normal" ?

Btw: My firewall is configure to drop all incoming packets (except ssh).

Thank you

2 Answers

CrypticDesigns July 26, 2016

Accepted Answer

You can improve and reduce the attack attempts by:

Disabling password passed authentication and using RSA SSH keys
Configurig your firewall and ssh to only allow your IP (you need to have a static IP)
Using 2FA, for example 2FA of Google
Changing the SSH port
Disable root Login via SSH
Using a software that prevents DDOS attacks like DenyHosts or fail2ban

cabelitos July 26, 2016

Awesome tips, thank you.

rascul July 24, 2016

This is to be expected. Disabling password based authentication in sshd_config makes this a non issue.

cabelitos July 24, 2016

Thank you rascul :]
sierracircle July 25, 2016

if you change the default ssh port, it will not necessarily stop people from attempting to access your droplet, but it will go a long way in reducing these attempts.

If for no other reason, it will give you sane logs.
CrypticDesigns July 26, 2016

[deleted]

Have another answer? Share your knowledge.

Share

Share your Question

Random IPs trying to get in

Leave a Comment

Related Questions

Almost there!

Report a Bug