Question

SSH login attempts from China? Failed password for root from [china ip]

Posted June 10, 2014 51.9k views
Hi, I'm new to virtual servers. Today I sshed into my droplet and wanted to do capistrano deployment. SSH login works ok, however, when I run cap deployment from my local, it fails when checking out code from bitbucket with following message: 
Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/app/git-ssh.sh /usr/bin/env git ls-remote git@bitbucket.org:foobar/app.git )
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This was working perfectly a week ago and I did deployments several times. When I checked /var/log/auth.log, I see a lot of SSH login attempts from Asia (China, Korea...): 
Jun 10 07:04:42 staging sshd[24646]: Disconnecting: Too many authentication failures for root [preauth]
Jun 10 07:04:42 staging sshd[24646]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24  user=root
Jun 10 07:04:42 staging sshd[24646]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 10 07:04:45 staging sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.24  user=root
Jun 10 07:04:47 staging sshd[24648]: Failed password for root from 220.177.198.24 port 2769 ssh2
Jun 10 07:04:59  sshd[24648]: last message repeated 5 times
Also several username login attempts, none of them I've seen/used before: 
Jun 10 07:09:10 staging sshd[24665]: Invalid user hermes from 101.79.130.213
Jun 10 07:36:03 staging sshd[24901]: Invalid user sid from 101.79.130.213
Jun 10 07:42:44 staging sshd[24938]: Invalid user vincent from 101.79.130.213
Jun 10 07:56:11 staging sshd[26570]: Invalid user stella from 101.79.130.213
Jun 10 08:02:55 staging sshd[30144]: Invalid user ernie from 101.79.130.213
I'm using key based authentication for SSH and for bitbucket as well. 1) Are those SSH attempts something "common" or "to be expected"? 2) What can I do to make my droplet more secure and maybe report those attempts via email? And is it worth it?
Add a comment
roman.damborsky
By:
roman.damborsky
Add a comment
2 comments
  • lcruz February 27, 2015
    Reply Report

    You’d try this iptables rules

    iptables -I INPUT -p tcp –dport 22 -m state –state NEW -m recent –set
    iptables -I INPUT -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 3600 –hitcount 4 -j DROP

    This block connections if the login fails 4 times in one hour

  • sonparatekrunal007 October 10, 2017
    Reply Report

    How to see blocked ip addresses after adding this role??

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

4 answers
asb June 10, 2014
They are indeed to be expected. Pretty much every server on the internet will come under these so called brute force attacks. The attacker is attempting to automatically guess the password repeatedly. There are a few steps that you can take to make your server much more secure. Disable password authentication. Since you're already using SSH key pairs, you can make it so that you can only login using the SSH keys: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04 Install fail2ban. This will make it so that if someone attempts login unsuccessfully enough times, all connections from their IP address will be dropped: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-fail2ban-on-ubuntu-14-04
Initial Server Setup with Ubuntu 14.04
by Justin Ellingwood
When you start a new server, there are a few steps that you should take every time to add some basic security and set a solid foundation. In this guide, we'll walk you through the basic steps necessary to hit the ground running with Ubuntu 14.04.
Reply Report
watchopolis.net September 4, 2014
[deleted]
Reply Report
larry June 10, 2014
As for reporting those attacks, it is rarely worth the effort. The only report I have ever sent that received a response was when I reported a brute force attack from another Digital Ocean IP.
Reply Report
geggleton March 13, 2015

Fail2Ban is a good service you can use to easily block repeated attempts.

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help