ubuntu
dis4like, 2018-12-20 16:53:48

How to block an attacker's IP?

Good evening colleagues!
Recently there was a security problem on the server.
The admin made a mistake and set the folder permissions to 777 when transferring the site, after which he conveniently forgot about it.
The server was compromised and injected with malicious code, which I have already removed.
Permissions are now set as the engine requires. I checked the auth.log and error.log (MySQL) logs, and there is trouble: someone is guessing passwords. How do I block IPs to kick the freak out?
After analysing the logs I found three persistent IPs.
Example auth.log:
Dec 20 13:41:01 market-plast sshd[2604]: Disconnected from 112.85.42.88 port 18891 [preauth]
Dec 20 13:41:01 market-plast sshd[2604]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88 user=root
Dec 20 13:42:02 market-plast sshd[2608]: Invalid user pvkiiserver from 138.68.57.194
Dec 20 13:42:02 market-plast sshd[2608]: input_userauth_request: invalid user pvkiiserver [preauth]
Dec 20 13:42:02 market-plast sshd[2608]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 13:42:02 market-plast sshd[2608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.68.57.194
Dec 20 13:42:03 market-plast sshd[2608]: Failed password for invalid user pvkiiserver from 138.68.57.194 port 58890 ssh2
Dec 20 13:42:03 market-plast sshd[2608]: Received disconnect from 138.68.57.194 port 58890:11: Normal Shutdown, Thank you for playing [preauth]
Dec 20 13:42:03 market-plast sshd[2608]: Disconnected from 138.68.57.194 port 58890 [preauth]
Dec 20 13:42:24 market-plast sshd[2610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88 user=root
Dec 20 13:42:25 market-plast sshd[2610]: Failed password for root from 112.85.42.88 port 41888 ssh2
Dec 20 13:42:29 market-plast sshd[2610]: Received disconnect from 112.85.42.88 port 41888:11: [preauth]
Dec 20 13:42:29 market-plast sshd[2610]: Disconnected from 112.85.42.88 port 41888 [preauth]
Dec 20 13:42:40 market-plast sshd[2612]: Did not receive identification string from 193.112.141.157
Dec 20 13:43:33 market-plast sshd[2617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88 user=root
Dec 20 13:43:35 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:39 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:42 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:42 market-plast sshd[2617]: Received disconnect from 112.85.42.88 port 53744:11: [preauth]
Dec 20 13:43:42 market-plast sshd[2617]: Disconnected from 112.85.42.88 port 53744 [preauth]
Dec 20 13:43:42 market-plast sshd[2617]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88 user=root
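The log excerpt above contains everything needed to pick the addresses worth blocking: one "Failed password" line per guessed password, plus the bannerless connects that scanners leave behind. The script below, an added example that is not part of the question or of any answer, counts attempts per source address from constructed log lines that mirror the ones quoted, applies a threshold and an allowlist, and renders the firewall commands. The threshold of 3, the allowlist, and the choice of ufw or iptables syntax are assumptions for the illustration; none of them come from the post.

```python
"""Count failed SSH logins per source address in an auth.log excerpt and emit
firewall rules for the repeat offenders.

Added example for this thread, not code from the original post. The log
lines below are constructed to mirror the ones quoted in the question; the
threshold, the allowlist and the firewall syntax are choices, not anything
the post prescribes.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format sshd/PAM write on Ubuntu (not real traffic).
SAMPLE_AUTH_LOG = """\
Dec 20 13:41:01 market-plast sshd[2604]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88  user=root
Dec 20 13:42:02 market-plast sshd[2608]: Invalid user pvkiiserver from 138.68.57.194
Dec 20 13:42:02 market-plast sshd[2608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.68.57.194
Dec 20 13:42:03 market-plast sshd[2608]: Failed password for invalid user pvkiiserver from 138.68.57.194 port 58890 ssh2
Dec 20 13:42:24 market-plast sshd[2610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88  user=root
Dec 20 13:42:25 market-plast sshd[2610]: Failed password for root from 112.85.42.88 port 41888 ssh2
Dec 20 13:42:40 market-plast sshd[2612]: Did not receive identification string from 193.112.141.157
Dec 20 13:43:33 market-plast sshd[2617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88  user=root
Dec 20 13:43:35 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:39 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:42 market-plast sshd[2617]: Failed password for root from 112.85.42.88 port 53744 ssh2
Dec 20 13:43:42 market-plast sshd[2617]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88  user=root
Dec 20 13:44:10 market-plast sshd[2620]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
"""

# One "Failed password" line is written per guessed password, for real and
# invalid users alike. The pam_unix "authentication failure" line and the
# "PAM N more authentication failures" summary describe the same attempts
# from PAM's side, so counting them too would double-count; they are ignored.
FAILED_PASSWORD = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# A connection that never sent an SSH banner is a scanner probe; count it once.
NO_ID_STRING = re.compile(r"Did not receive identification string from (\S+)")


def failures_per_host(lines):
    """Return (Counter of attempts per source IP, dict of usernames tried per IP)."""
    attempts = Counter()
    users = {}
    for line in lines:
        m = FAILED_PASSWORD.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip] += 1
            users.setdefault(ip, set()).add(user)
            continue
        m = NO_ID_STRING.search(line)
        if m:
            attempts[m.group(1)] += 1
    return attempts, users


def offenders(attempts, threshold=3, allow=frozenset()):
    """IPs with at least `threshold` attempts, minus an allowlist of addresses
    you must never lock out (your own admin host, a monitoring box)."""
    return sorted(ip for ip, n in attempts.items() if n >= threshold and ip not in allow)


def block_commands(ips, tool="ufw"):
    """Render firewall commands for the given IPs.

    Each address is validated with ipaddress before it is interpolated into a
    shell command, so a malformed token scraped from a log can never end up
    on a root command line.
    """
    commands = []
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        if tool == "ufw":
            # insert at position 1 so the deny rule precedes any allow rules
            commands.append(f"ufw insert 1 deny from {ip} to any")
        elif tool == "iptables":
            commands.append(f"iptables -I INPUT -s {ip} -j DROP")
        else:
            raise ValueError(f"unknown tool {tool!r}")
    return commands


if __name__ == "__main__":
    attempts, users = failures_per_host(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in attempts.most_common():
        print(f"{ip:<16} {n:>3} attempts  users={sorted(users.get(ip, ()))}")
    for cmd in block_commands(offenders(attempts, threshold=3)):
        print(cmd)
```

On a real host, replace `SAMPLE_AUTH_LOG.splitlines()` with the lines of `/var/log/auth.log` (and the rotated `auth.log.*` files) and review the list before running anything. Note that with the threshold at 3 only 112.85.42.88 is selected; the single invalid-user guess and the bannerless probe are the background noise every Internet-facing sshd sees, and a hand-maintained deny list never keeps up with it, which is why the answers below point to key-only authentication and fail2ban rather than to blocking individual addresses.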

2 answer(s)
TyzhSysAdmin, 2018-12-20
@dis4like

Password guessing against an SSH server is a normal situation.
You can get rid of it either by forbidding access to the SSH server from outside, or by using port knocking.
You can block it in the firewall, but it is better to turn off password authentication (and root should not log in via ssh at all) and use keys.
PS: all of this has been chewed over 100500 times in articles that are easy to find by searching for "ssh security".
For example, on Habr there are about a dozen of them: https://habr.com/post/179219/
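The advice in this answer (no password authentication, no root login, keys only) lives in /etc/ssh/sshd_config, and two properties of that file routinely make the change ineffective: a keyword left commented out takes its compiled-in default, and when a keyword appears twice the first occurrence wins, so a fix appended at the end of the file is silently ignored. The checker below is an added example, not part of the answer and not OpenSSH code; both config texts are constructed, and the DEFAULTS table assumes OpenSSH 7.x as shipped with Ubuntu 18.04 (PermitRootLogin defaulting to prohibit-password, the other three to yes).

```python
"""Audit the global (pre-Match) settings of an sshd_config for the password /
root-login hardening recommended in the answer above.

Added example, not from the answer or from OpenSSH. The two config texts are
constructed; the DEFAULTS table assumes OpenSSH 7.x (Ubuntu 18.04), where
PermitRootLogin defaults to prohibit-password and the others to yes.
"""
import re

# Compiled-in defaults that apply when a keyword is absent or commented out.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",  # PAM keyboard-interactive can still ask for a password
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
}
# What the hardening advice on this page amounts to.
WANTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}

WEAK_CONFIG = """\
# constructed: a stock-looking file where someone appended a fix at the end
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed: the same file with the fix applied in the global section
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM yes
"""


def effective_settings(config_text):
    """Map lowercased keyword -> value for the global section.

    sshd keywords are case-insensitive, may be written "Key value" or
    "Key=value", and the first occurrence of a keyword wins. Everything after
    the first Match line is conditional, so it is not part of the global view.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(config_text):
    """Return [(keyword, effective value, wanted value, 'set' or 'default')]
    for every keyword whose effective value differs from WANTED."""
    effective = effective_settings(config_text)
    findings = []
    for keyword, wanted in WANTED.items():
        lookup = keyword.lower()
        if lookup in effective:
            have, source = effective[lookup].lower(), "set"
        else:
            have, source = DEFAULTS[keyword], "default"
        if have != wanted:
            findings.append((keyword, have, wanted, source))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```

The weak file reports two findings: PasswordAuthentication is effectively "yes" because the only global mention is commented out (the copy inside the Match block applies to one user only), and PermitRootLogin is "yes" because that earlier line beats the "no" appended later. The authoritative check on the host itself is `sudo sshd -T`, which prints the effective value of every keyword, and `sudo sshd -t` validates the file before a restart. Confirm that a key login works from a second terminal before turning passwords off, and keep that session open while restarting the service.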

Andy Larkin, 2018-12-20
@bestking5236

apt install fail2ban
--
out of the box it bans them on its own after several login attempts
