SSH
tex620, 2018-11-14 19:06:32

My Ubuntu server is being hacked, how can I protect myself?

A similar log gives

Nov 14 16:23:07 RustServer sshd[11049]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.65.42.179  user=root
Nov 14 16:23:08 RustServer sshd[11051]: Failed password for root from 122.226.181.165 port 58750 ssh2
Nov 14 16:23:08 RustServer sshd[11051]: Received disconnect from 122.226.181.165 port 58750:11:  [preauth]
Nov 14 16:23:08 RustServer sshd[11051]: Disconnected from authenticating user root 122.226.181.165 port 58750 [preauth]
Nov 14 16:23:12 RustServer sshd[11053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:23:15 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:17 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:20 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:20 RustServer sshd[11053]: Received disconnect from 116.31.116.16 port 48970:11:  [preauth]
Nov 14 16:23:20 RustServer sshd[11053]: Disconnected from authenticating user root 116.31.116.16 port 48970 [preauth]
Nov 14 16:23:20 RustServer sshd[11053]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:11 RustServer sshd[11061]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:13 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:16 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:18 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:18 RustServer sshd[11061]: Received disconnect from 116.31.116.16 port 58214:11:  [preauth]
Nov 14 16:24:18 RustServer sshd[11061]: Disconnected from authenticating user root 116.31.116.16 port 58214 [preauth]
Nov 14 16:24:18 RustServer sshd[11061]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:48 RustServer sshd[11068]: Connection reset by 118.123.15.142 port 58158 [preauth]
Nov 14 16:25:07 RustServer sshd[11072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:25:09 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:11 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:14 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:14 RustServer sshd[11072]: Received disconnect from 116.31.116.16 port 63844:11:  [preauth]
Nov 14 16:25:14 RustServer sshd[11072]: Disconnected from authenticating user root 116.31.116.16 port 63844 [preauth]
Nov 14 16:25:14 RustServer sshd[11072]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:26:02 RustServer sshd[11078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:26:04 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:06 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:09 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:09 RustServer sshd[11078]: Received disconnect from 116.31.116.16 port 16276:11:  [preauth]
Nov 14 16:26:09 RustServer sshd[11078]: Disconnected from authenticating user root 116.31.116.16 port 16276 [preauth]
Nov 14 16:26:09 RustServer sshd[11078]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:27:20 RustServer sshd[11087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:27:22 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:24 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:27 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:27 RustServer sshd[11087]: Received disconnect from 116.31.116.16 port 45100:11:  [preauth]
Nov 14 16:27:27 RustServer sshd[11087]: Disconnected from authenticating user root 116.31.116.16 port 45100 [preauth]
Nov 14 16:27:27 RustServer sshd[11087]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:28:18 RustServer sshd[11093]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:28:20 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:23 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:26 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:26 RustServer sshd[11093]: Received disconnect from 116.31.116.16 port 50902:11:  [preauth]
Nov 14 16:28:26 RustServer sshd[11093]: Disconnected from authenticating user root 116.31.116.16 port 50902 [preauth]
Nov 14 16:28:26 RustServer sshd[11093]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:29:15 RustServer sshd[11100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:29:17 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:20 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:22 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:23 RustServer sshd[11100]: Received disconnect from 116.31.116.16 port 57274:11:  [preauth]
Nov 14 16:29:23 RustServer sshd[11100]: Disconnected from authenticating user root 116.31.116.16 port 57274 [preauth]
Nov 14 16:29:23 RustServer sshd[11100]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:30:11 RustServer sshd[11112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:30:13 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2
Nov 14 16:30:16 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2
Nov 14 16:30:19 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2

and so on.
How can I protect myself from this? It happens more than once.
What is ssh2, and why does it run on different ports?


8 answer(s)
Andrew, 2018-11-14
@tex620

1) Move the SSH server port from the standard one to another; this will fend off most of the bots/scanners.
2) Deny authorization to the root user via SSH.
3) Set up Fail2Ban to block the IPs from which the brute force comes.
P.S. The different ports are most likely outgoing connection ports, which is why they differ, but they all knock on the port that is specified in the sshd config.
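
The per-IP counting that Fail2Ban (point 3 above) applies to a log like the one in the question, as an added Python example that is not part of the original answer and not Fail2Ban's own code. The log lines and addresses are constructed, and `maxretry`/`findtime` are named after Fail2Ban's options; the source ports collected per address illustrate the P.S.: the `port` in each line is the client's outgoing port.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the log in the question;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 14 16:23:12 host sshd[101]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7  user=root
Nov 14 16:23:15 host sshd[101]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:23:17 host sshd[101]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:23:20 host sshd[101]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:24:13 host sshd[102]: Failed password for root from 203.0.113.7 port 58214 ssh2
Nov 14 16:24:16 host sshd[102]: Failed password for root from 203.0.113.7 port 58214 ssh2
Nov 14 16:25:01 host sshd[103]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Nov 14 16:30:00 host sshd[104]: Failed password for root from 192.0.2.44 port 51000 ssh2
Nov 14 16:50:00 host sshd[105]: Failed password for root from 192.0.2.44 port 51644 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def find_offenders(log_text, maxretry=5, findtime=600, year=2018):
    """Map each IP with >= maxretry failures inside findtime seconds to its source ports."""
    window = timedelta(seconds=findtime)
    recent, ports, offenders = defaultdict(deque), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        ports[ip].add(int(m["port"]))
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            offenders.add(ip)
    return {ip: sorted(ports[ip]) for ip in offenders}
```
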

Evgen, 2018-11-14
@etaliorum

The fail2ban utility will help. It will be a plus if you set up authorization with SSH keys.
The network is full of bots that connect as root, most often on port 22, and pick the password from a dictionary.

uRoot, 2018-11-14
@uroot

Set up a firewall. Ubuntu has iptables by default, sort of.

Roman Sokolov, 2018-11-16
@jimquery

Get an admin.

xtress, 2018-11-14
@xtress

In addition to Andrey's answer, set up "knocking", for example, with this software:
www.zeroflux.org/projects/knock

metajiji, 2018-11-15
@metajiji

By the way, if the server is a VPS and iptables is not available, you can always use ip route blackhole. It is not difficult to hook that up to fail2ban.

psyxodolby, 2018-11-15
@psyxodolby

Hm. Will bots, if they are smart, give up on a server if certificate authorization is configured on it?

mohintohin, 2018-11-16
@mohintohin

Set up certificate authorization.
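
A check of the three sshd settings the answers above recommend changing (port, root login, password login), as an added Python example that is not from any of the answers. The two configurations are constructed samples, port 2222 is an arbitrary choice, and the defaults assumed are those of OpenSSH 7.0 and later; `Include` files and `Match` blocks are not evaluated.

```python
# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"port": ["22"], "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

# Constructed samples, not taken from the server in the question.
WEAK = """\
# the second PermitRootLogin line is ignored: sshd keeps the first value
PermitRootLogin yes
PermitRootLogin no
"""
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Resolve the global section of an sshd_config the way sshd reads it."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":          # per-user/host overrides are not evaluated here
            break
        if key == "port":           # Port may repeat; every value is a listener
            seen.setdefault(key, []).append(value)
        else:                       # any other keyword: first value wins
            seen.setdefault(key, value)
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def audit(config_text):
    """Return findings for the three settings the answers recommend changing."""
    s, findings = effective_settings(config_text), []
    if "22" in s["port"]:
        findings.append("Port 22: default port still in use")
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root login not denied")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: passwords can still be guessed")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.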
