Question
SSH login attempts from China? Failed password for root from [china ip]
- Posted June 10, 2014
Hi, I’m new to virtual servers. Today I sshed into my droplet and wanted to do capistrano deployment. SSH login works ok, however, when I run cap deployment from my local, it fails when checking out code from bitbucket with following message: <pre> Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/app/git-ssh.sh /usr/bin/env git ls-remote git@bitbucket.org:foobar/app.git ) Permission denied (publickey). fatal: The remote end hung up unexpectedly </pre> This was working perfectly a week ago and I did deployments several times. When I checked /var/log/auth.log, I see a lot of SSH login attempts from Asia (China, Korea…): <pre> Jun 10 07:04:42 staging sshd[24646]: Disconnecting: Too many authentication failures for root [preauth] Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root Jun 10 07:04:42 staging sshd[24646]: PAM service(sshd) ignoring max retries; 6 > 3 Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2 Jun 10 07:04:59 sshd[24648]: last message repeated 5 times </pre> Also several username login attempts, none of them I’ve seen/used before: <pre> Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213 Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213 Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213 Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from 101.79.130.213 Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from 101.79.130.213 </pre> I’m using key based authentication for SSH and for bitbucket as well.
-
Are those SSH attempts something “common” or “to be expected”?
-
What can I do to make my droplet more secure and maybe report those attempts via email? And is it worth it?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
They are indeed to be expected. Pretty much every server on the internet will come under these so called brute force attacks. The attacker is attempting to automatically guess the password repeatedly. There are a few steps that you can take to make your server much more secure.
Disable password authentication. Since you’re already using SSH key pairs, you can make it so that you can only login using the SSH keys:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04
Install fail2ban. This will make it so that if someone attempts login unsuccessfully enough times, all connections from their IP address will be dropped:
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-fail2ban-on-ubuntu-14-04
Fail2Ban is a good service you can use to easily block repeated attempts.
This comment has been deleted
As for reporting those attacks, it is rarely worth the effort. The only report I have ever sent that received a response was when I reported a brute force attack from another Digital Ocean IP.
Try DigitalOcean for free
Click below to sign up and get $100 of credit to try our products over 60 days!
You’d try this iptables rules
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP
This block connections if the login fails 4 times in one hour
How to see blocked ip addresses after adding this role??