Question

SSH login attempts from China? Failed password for root from [china ip]

  • Posted June 10, 2014

Hi, I’m new to virtual servers. Today I sshed into my droplet and wanted to do a capistrano deployment. SSH login works ok; however, when I run cap deployment from my local, it fails when checking out code from bitbucket with the following message:

<pre>
Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/app/git-ssh.sh /usr/bin/env git ls-remote git@bitbucket.org:foobar/app.git )
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
</pre>

This was working perfectly a week ago and I did deployments several times. When I checked /var/log/auth.log, I see a lot of SSH login attempts from Asia (China, Korea…):

<pre>
Jun 10 07:04:42 staging sshd[24646]: Disconnecting: Too many authentication failures for root [preauth]
Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root
Jun 10 07:04:42 staging sshd[24646]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2
Jun 10 07:04:59 sshd[24648]: last message repeated 5 times
</pre>

Also several username login attempts, none of which I’ve seen or used before:

<pre>
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213
Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from 101.79.130.213
Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from 101.79.130.213
</pre>

I’m using key based authentication for SSH and for bitbucket as well.

  1. Are those SSH attempts something “common” or “to be expected”?

  2. What can I do to make my droplet more secure and maybe report those attempts via email? And is it worth it?


You could try these iptables rules:

<pre>
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP
</pre>

This blocks connections if the login fails 4 times in one hour.

How do I see the blocked IP addresses after adding this rule?
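As an added example, not code from anyone in this thread: a small Python parser over the auth.log lines quoted in the question. It tallies failed logins per source address, treating the "N more authentication failures" and "last message repeated N times" lines as N failures each, and reports the addresses that reach the same threshold as the iptables rule above (4 hits within 3600 seconds), but counted on failed logins rather than on new connections, which is essentially the check fail2ban automates. The year is an assumption, since syslog does not record it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the auth.log lines quoted in the question.
SAMPLE_LOG = """\
Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24 user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2
Jun 10 07:04:59 sshd[24648]: last message repeated 5 times
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213
Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from 101.79.130.213
Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from 101.79.130.213
"""

TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FAIL = re.compile(r"(?:Failed password for .*|Invalid user \S+) from (\S+)")
PAM = re.compile(r"PAM (\d+) more authentication failures;.*rhost=(\S+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def parse_auth_log(text, year=2014):
    """Return (timestamp, ip, failures) per failed-login line. syslog omits the
    year (assumed here); 'N more' / 'repeated N times' lines stand in for N failures."""
    events = []
    for line in text.splitlines():
        if not (m := TS.match(line)):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if (r := REPEAT.search(line)) and events:   # refers to the previous event
            events.append((ts, events[-1][1], int(r.group(1))))
        elif r := PAM.search(line):
            events.append((ts, r.group(2), int(r.group(1))))
        elif r := FAIL.search(line):
            events.append((ts, r.group(1), 1))
    return events

def offending_ips(events, hitcount=4, seconds=3600):
    """Peak failures per source IP inside any `seconds` window; only IPs that
    reach `hitcount` are returned (the iptables thresholds, applied to failed logins)."""
    by_ip = defaultdict(list)
    for ts, ip, n in sorted(events):
        by_ip[ip].append((ts, n))
    window, result = timedelta(seconds=seconds), {}
    for ip, hits in by_ip.items():
        peak = max(sum(n for ts, n in hits[i:] if ts - start <= window)
                   for i, (start, _) in enumerate(hits))
        if peak >= hitcount:
            result[ip] = peak
    return result
```

Run against a real /var/log/auth.log the same way; an address that never shows up in the result is noise, while one with a high peak is what the iptables rule or fail2ban would have dropped.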



They are indeed to be expected. Pretty much every server on the internet will come under these so-called brute force attacks. The attacker is attempting to automatically guess the password repeatedly. There are a few steps that you can take to make your server much more secure.

Disable password authentication. Since you’re already using SSH key pairs, you can make it so that you can only log in using the SSH keys:

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04

Install fail2ban. This will make it so that if someone attempts to log in unsuccessfully enough times, all connections from their IP address will be dropped:

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-fail2ban-on-ubuntu-14-04

Fail2Ban is a good service you can use to easily block repeated attempts.


As for reporting those attacks, it is rarely worth the effort. The only report I have ever sent that received a response was when I reported a brute force attack from another Digital Ocean IP.