Random IPs trying to get in

July 24, 2016 2.2k views
Security Monitoring
cabelitos
By:
cabelitos

Hello,

I created a droplet 2 months ago and I did the basic things like configuring the firewall, setup ssh to only accept public key auth and stuff.
Last night I was inspecting the logs located at /var/log/auth.log and /var/log/ufw.log and I noticed that there are a lot of IPs trying to access telnet, ssh (using brute force with random login names) and there are also some attempt to connect to some random TCP ports.

Should I be worried? Is this "normal" ?

Btw: My firewall is configure to drop all incoming packets (except ssh).

Thank you

Log In to Comment
2 Answers
ForYourIT July 26, 2016
Accepted Answer

You can improve and reduce the attack attempts by:

  • Disabling password passed authentication and using RSA SSH keys
  • Configurig your firewall and ssh to only allow your IP (you need to have a static IP)
  • Using 2FA, for example 2FA of Google
  • Changing the SSH port
  • Disable root Login via SSH
  • Using a software that prevents DDOS attacks like DenyHosts or fail2ban
Reply
rascul July 24, 2016

This is to be expected. Disabling password based authentication in sshd_config makes this a non issue.

Reply
Have another answer? Share your knowledge.

Related Questions