SSH login attempts from China? Failed password for root from [china ip]

June 10, 2014
Hi, I'm new to virtual servers. Today I SSHed into my droplet and wanted to do a Capistrano deployment. SSH login works OK; however, when I run the cap deployment from my local machine, it fails when checking out code from Bitbucket with the following message:
Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/app/ /usr/bin/env git ls-remote )
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This was working perfectly a week ago and I had done deployments several times. When I checked /var/log/auth.log, I saw a lot of SSH login attempts from Asia (China, Korea, ...):
Jun 10 07:04:42 staging sshd[24646]: Disconnecting: Too many authentication failures for root [preauth]
Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
Jun 10 07:04:42 staging sshd[24646]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from port 2769 ssh2
Jun 10 07:04:59  sshd[24648]: last message repeated 5 times
There are also several login attempts with usernames, none of which I've seen or used before:
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from
Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from
Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from
I'm using key-based authentication for SSH and for Bitbucket as well. 1) Are those SSH attempts something "common" or "to be expected"? 2) What can I do to make my droplet more secure, and maybe report those attempts via email? And is it worth it?
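The auth.log excerpts above are the raw material for answering "how many attempts, from where, and against which usernames". The following is an added example, not part of the original post: a small POSIX shell script that summarizes an auth.log by source address and by probed username. The log lines it reads are constructed for the example and use RFC 5737 documentation addresses (192.0.2.10, 198.51.100.7, 203.0.113.5); the functions would be run against /var/log/auth.log on a real host.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log (documentation IPs, not from the post).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 192.0.2.10 port 2769 ssh2
Jun 10 07:04:49 staging sshd[24648]: Failed password for root from 192.0.2.10 port 2769 ssh2
Jun 10 07:04:51 staging sshd[24648]: Failed password for root from 192.0.2.10 port 2769 ssh2
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 198.51.100.7
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 198.51.100.7
Jun 10 07:42:44 staging sshd[24938]: Failed password for invalid user vincent from 203.0.113.5 port 40122 ssh2
Jun 10 08:15:00 staging sshd[30200]: Accepted publickey for deploy from 203.0.113.200 port 51000 ssh2
EOF

# Number of "Failed password" lines from one source address.
# Usage: failed_count_for_ip LOGFILE IP
failed_count_for_ip() {
  grep -c "Failed password for .* from $2 " "$1" || true
}

# Source addresses behind password failures and invalid-user probes,
# one "IP COUNT" line each, busiest first.
# Usage: top_offenders LOGFILE
top_offenders() {
  grep -E 'Failed password for|Invalid user' "$1" \
    | sed -E 's/.* from ([0-9.]+).*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $2, $1}'
}

# Distinct usernames that were tried but do not exist on the host,
# space-separated and sorted.
# Usage: invalid_usernames LOGFILE
invalid_usernames() {
  grep -oE 'Invalid user [^ ]+' "$1" | awk '{print $3}' | sort -u \
    | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: print the summary for the constructed log.
echo "Top offenders (IP count):"
top_offenders "$SAMPLE_LOG"
echo "Usernames that do not exist here: $(invalid_usernames "$SAMPLE_LOG")"
```

Successful key logins ("Accepted publickey") are deliberately not counted, so the summary shows only what is worth reacting to; an address that appears in it and is also one of your own is a reason to check that host before blocking anything.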
1 comment
  • You could try these iptables rules

    # Record every new connection to port 22 in the "recent" list
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
    # Inserted above the rule before it: drop a new connection once the source has hit the list 4 times within 3600 seconds
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP

    This blocks connections if login fails 4 times in one hour

4 Answers
They are indeed to be expected. Pretty much every server on the internet will come under these so-called brute force attacks. The attacker is attempting to automatically guess the password repeatedly. There are a few steps that you can take to make your server much more secure.

Disable password authentication. Since you're already using SSH key pairs, you can make it so that you can only log in using the SSH keys.

Install fail2ban. This will make it so that if someone attempts login unsuccessfully enough times, all connections from their IP address will be dropped.
Linked guide, by Justin Ellingwood: When you start a new server, there are a few steps that you should take every time to add some basic security and give you a solid foundation. In this guide, we'll walk you through the basic steps necessary to hit the ground running with Ubuntu 14.04.
As for reporting those attacks, it is rarely worth the effort. The only report I have ever sent that received a response was when I reported a brute force attack from another Digital Ocean IP.
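The two steps in the answer above (password authentication off, fail2ban on) are the whole of the defence, and both are configuration edits. As an added example, not code from the original answer or from the linked guide, the script below applies them to a constructed copy of sshd_config and writes a fail2ban override. The sample config fragment, the output paths and the notification address (admin@example.com) are assumptions for the example; on a real host the first function targets /etc/ssh/sshd_config and the jail goes to /etc/fail2ban/jail.local. The jail name [ssh] is the one used by the fail2ban 0.8 series shipped with Ubuntu 14.04; 0.9 and later call it [sshd].

```shell
#!/bin/sh
# Constructed stand-in for /etc/ssh/sshd_config, with Ubuntu's commented default
# for PasswordAuthentication and an explicit "yes" for challenge-response.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
UsePAM yes
EOF

# Set a directive to a value: rewrite the first commented or active occurrence,
# or append it if the key is absent. Usage: set_sshd_option FILE KEY VALUE
set_sshd_option() {
  if grep -qE "^#?[[:space:]]*$2[[:space:]]" "$1"; then
    sed -E "s|^#?[[:space:]]*$2[[:space:]].*|$2 $3|" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s %s\n' "$2" "$3" >>"$1"
  fi
}

# Effective value of a directive. sshd honours the first active occurrence,
# so that is what we report; empty if unset. Usage: get_sshd_option FILE KEY
get_sshd_option() {
  awk -v k="$2" '$1 == k && !done {print $2; done = 1}' "$1"
}

# Key-only SSH: no passwords, no PAM keyboard-interactive fallback, keys on.
# Usage: harden_sshd_config FILE
harden_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# fail2ban override: ban for an hour after 5 failures within 10 minutes and
# mail a report with the offending log lines (action_mwl) to the given address.
# Usage: write_fail2ban_jail OUTFILE EMAIL
write_fail2ban_jail() {
  cat >"$1" <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
destemail = $2
action = %(action_mwl)s

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
EOF
}

# Stand-alone run on the constructed files.
harden_sshd_config "$CONF"
echo "PasswordAuthentication is now: $(get_sshd_option "$CONF" PasswordAuthentication)"
JAIL=$(mktemp)
write_fail2ban_jail "$JAIL" admin@example.com
cat "$JAIL"
```

Order of operations matters on a live droplet: confirm that a key login already works from a second terminal, run `sshd -t` to syntax-check the edited file, and only then reload sshd, keeping the existing session open until a fresh key login succeeds. The jail's mail action is what gives the asker the e-mail report from the question, without hand-filing reports.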
  • Yes, it is difficult to understand; I have the same. DO is very popular, and that exposes it to being attacked.

Fail2Ban is a good service you can use to easily block repeated attempts.
