Question
SSH login attempts from China? Failed password for root from [china ip]
Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/app/git-ssh.sh /usr/bin/env git ls-remote git@bitbucket.org:foobar/app.git )
Permission denied (publickey).
fatal: The remote end hung up unexpectedly

This was working perfectly a week ago and I did deployments several times. When I checked /var/log/auth.log, I see a lot of SSH login attempts from Asia (China, Korea...):
Jun 10 07:04:42 staging sshd[24646]: Disconnecting: Too many authentication failures for root [preauth]
Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root
Jun 10 07:04:42 staging sshd[24646]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2
Jun 10 07:04:59 sshd[24648]: last message repeated 5 times

There are also several login attempts with usernames, none of which I've seen or used before:
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213
Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from 101.79.130.213
Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from 101.79.130.213

I'm using key-based authentication for SSH and for Bitbucket as well.

1) Are those SSH attempts something "common" or "to be expected"?
2) What can I do to make my droplet more secure and maybe report those attempts via email? And is it worth it?
You could try these iptables rules:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP
This blocks connections if the login fails 4 times in one hour.
How do I see the blocked IP addresses after adding this rule?
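An added example, not code from the question or the answer above: it applies the answer's "4 within 3600 seconds" window to the failure lines in the question's auth.log excerpt, so the sources worth blocking or reporting by e-mail can be listed from the log itself. The sample lines are constructed in the same format as the excerpt (203.0.113.5 is a made-up address), and the year, which syslog timestamps omit, is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in the question's auth.log format (203.0.113.5 is a made-up address).
SAMPLE_AUTH_LOG = """\
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2
Jun 10 07:05:01 staging sshd[24650]: Failed password for root from 220.177.198.24 port 2780 ssh2
Jun 10 07:05:09 staging sshd[24652]: Failed password for root from 220.177.198.24 port 2791 ssh2
Jun 10 07:05:20 staging sshd[24654]: Failed password for root from 220.177.198.24 port 2802 ssh2
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213
Jun 10 09:00:00 staging sshd[27001]: Invalid user stella from 101.79.130.213
Jun 10 08:30:00 staging sshd[26600]: Accepted publickey for deploy from 203.0.113.5 port 50022 ssh2
"""

# The two failure shapes from the question; anything else (e.g. Accepted publickey) is ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(log_text, year=2014):
    """(datetime, source_ip) per failed attempt; syslog has no year, so one is assumed."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"]))
    return failures

def sources_over_threshold(failures, hits=4, seconds=3600):
    """{ip: total_failures} for sources with >= hits failures in any sliding window of `seconds`."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > seconds:  # slide window start forward
                start += 1
            if end - start + 1 >= hits:
                flagged[ip] = len(times)
                break
    return flagged
```

Note that the iptables rule in the answer counts new TCP connections to port 22 from a source, whether or not authentication later fails, whereas this script counts only the failures sshd logged. The addresses the recent module is currently tracking can be read from /proc/net/xt_recent/DEFAULT.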