
Launched a droplet yesterday and configured my local hosts file to point my domain at the IP. Could connect fine and even installed a Let's Encrypt certificate by temporarily migrating the A record via Cloudflare.

This morning the service suddenly stopped working while trying to log into the WordPress installation (IP 104.248.162.53).

I can still SSH in and ran the following:

systemctl status sshd

Which got this response:

Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Invalid user mc from 94.25.38.210 port 44058
Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Received disconnect from 94.25.38.210 port 44058:11: Bye Bye [preauth]
Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Disconnected from invalid user mc 94.25.38.210 port 44058 [preauth]
Dec 20 12:34:00 ggs-live-1gb sshd[1214]: Received disconnect from 122.226.181.166 port 46578:11:  [preauth]
Dec 20 12:34:00 ggs-live-1gb sshd[1214]: Disconnected from authenticating user root 122.226.181.166 port 46578 [preauth]
Dec 20 12:34:37 ggs-live-1gb sshd[1216]: Accepted publickey for root from 81.133.250.129 port 58845 ssh2: RSA SHA256:(removed)
Dec 20 12:34:37 ggs-live-1gb sshd[1216]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 20 12:36:16 ggs-live-1gb sshd[1361]: Invalid user vbox from 178.128.97.193 port 33879
Dec 20 12:36:17 ggs-live-1gb sshd[1361]: Received disconnect from 178.128.97.193 port 33879:11: Bye Bye [preauth]
Dec 20 12:36:17 ggs-live-1gb sshd[1361]: Disconnected from invalid user vbox 178.128.97.193 port 33879 [preauth]

Not sure who '94.25.38.210' or '122.226.181.166' are... is this an attack?

Dan382

2 Answers


Your droplet allows SSH access to anyone so basically there are people out there scanning entire IP ranges and doing brute-force attacks hoping they're gonna get a username/password match and get access to your server. You should install something like fail2ban which blocks these attacks. Additionally, although not recommended for the reasons* below, you can change the port SSH runs on:

Client Support: Everybody who connects to your server will need to know and use the changed port. If you are in a heavily managed environment, this configuration can be pushed down to the clients, or if you have few enough users it should be easy to communicate.

Documentation Exceptions: Most network devices, such as firewalls and IDSes, are pre-setup for common services to be run on common ports. Any firewall rules related to this service on this device will need to be inspected and possibly modified. Similarly, IDS signatures are tweaked so as to only perform SSH inspection on port 22. You will need to modify every signature, every time they are updated, with your new port. (As a data point there are currently 136 VRT and ET snort signatures involving SSH).

System Protections: Modern Linuxes often ship with a kernel-layer MAC and/or RBAC system (e.g. SELinux on RedHat based or AppArmor on Debian based) that is designed to only allow applications to do exactly what they're intended to do. That could range from accessing the /etc/hosts file, to writing to a specific file, or sending a packet out on the network. Depending on how this system is configured it may, by default, forbid sshd from binding to a non-standard port. You would need to maintain a local policy that would allow it.

Other Party Monitoring: If you have an external Information Security division, or outsource monitoring, then they will need to be made aware of the change. When performing a security assessment, or analyzing logs looking for security threats, if I see an SSH server running on a non-standard port (or an SSH server on a non-UNIX/Linux for that matter) I treat it as a potential backdoor and invoke the compromised-system part of the incident handling procedure. Sometimes it is resolved in 5 minutes after making a call to the administrator and being told it's legitimate, at which point I update documentation; other times it really is badness that gets taken care of. In any event, this can result in down-time for you or, at the least, a nerve-racking call when you answer your phone and hear, "Hi, this is Bob from the Information Security Office. I have a few questions for you."

Source for the reasons*: https://security.stackexchange.com/questions/32308/should-i-change-the-default-ssh-port-on-linux-servers

Mugurel

Thanks, that's useful information, but why would the website suddenly stop responding? Have DO disabled something to stop the attacks? – Dan382 Dec 20 '18 at 13:51

Fail2ban was installed automatically as part of the droplet. Stopping it via this command:

sudo service fail2ban stop

Brought everything back to life...

Now I need to configure fail2ban properly so this doesn't happen again.

Dan382
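Both answers come down to the same mechanism: fail2ban reads the sshd log, counts pre-auth failures per source address inside a time window, and bans the address once it crosses a threshold; the second answer's outage is the case where the banned address is your own. The script below is an added example written for this page (not fail2ban's code and not something either poster provided) that reproduces that logic over a constructed log sample in the same format as the question's `systemctl status sshd` output. The three scanner addresses are the ones in the question; 203.0.113.10 is a documentation address standing in for your own workstation, and the extra attempts, PIDs and usernames are made up. The failure patterns are a simplification of fail2ban's sshd filter: "Invalid user" and "Disconnected from authenticating user" lines count, "Disconnected from invalid user" is skipped so one failed login is not counted twice, and the parameter names (`maxretry`, `findtime`, `ignoreip`) mirror the fail2ban jail options they correspond to.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the question's sshd log format. 203.0.113.10 is a
# documentation address standing in for "your own" connection.
SAMPLE_LOG = """\
Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Invalid user mc from 94.25.38.210 port 44058
Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Received disconnect from 94.25.38.210 port 44058:11: Bye Bye [preauth]
Dec 20 12:33:07 ggs-live-1gb sshd[1204]: Disconnected from invalid user mc 94.25.38.210 port 44058 [preauth]
Dec 20 12:33:41 ggs-live-1gb sshd[1209]: Invalid user minecraft from 94.25.38.210 port 44102
Dec 20 12:33:59 ggs-live-1gb sshd[1212]: Invalid user admin from 94.25.38.210 port 44150
Dec 20 12:34:00 ggs-live-1gb sshd[1214]: Disconnected from authenticating user root 122.226.181.166 port 46578 [preauth]
Dec 20 12:34:37 ggs-live-1gb sshd[1216]: Accepted publickey for root from 81.133.250.129 port 58845 ssh2: RSA SHA256:(removed)
Dec 20 12:35:02 ggs-live-1gb sshd[1301]: Invalid user dan from 203.0.113.10 port 50210
Dec 20 12:35:09 ggs-live-1gb sshd[1305]: Invalid user dan from 203.0.113.10 port 50214
Dec 20 12:35:15 ggs-live-1gb sshd[1308]: Invalid user dna from 203.0.113.10 port 50220
Dec 20 12:36:16 ggs-live-1gb sshd[1361]: Invalid user vbox from 178.128.97.193 port 33879
Dec 20 12:36:17 ggs-live-1gb sshd[1361]: Disconnected from invalid user vbox 178.128.97.193 port 33879 [preauth]
"""

# Simplified stand-ins for fail2ban's sshd failure regexes. "Disconnected from
# invalid user" is intentionally absent so each bad login is counted once.
FAILURE_PATTERNS = [
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"Disconnected from authenticating user \S+ (?P<ip>[\d.]+) port \d+ \[preauth\]"),
]
# syslog-style timestamp at the start of each line, e.g. "Dec 20 12:33:07"
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every pre-auth failure in the log."""
    for line in log_text.splitlines():
        m_ts = TIMESTAMP_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                yield ts, m.group("ip")
                break


def ip_is_ignored(ip, ignoreip):
    """True if ip falls inside any whitelisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return {ip: failures_at_ban_time} for every address that reaches
    maxretry failures within a sliding findtime-second window and is not
    covered by ignoreip (the same three knobs a fail2ban jail exposes)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned or ip_is_ignored(ip, ignoreip):
            continue
        hits = [t for t in recent[ip] + [ts] if ts - t <= window]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = len(hits)
    return banned


if __name__ == "__main__":
    print("no whitelist:   ", find_bans(SAMPLE_LOG))
    print("with ignoreip:  ", find_bans(SAMPLE_LOG, ignoreip=["203.0.113.0/24"]))
    print("findtime=30s:   ", find_bans(SAMPLE_LOG, findtime=30))
```

Run without a whitelist, the scanner at 94.25.38.210 and your own 203.0.113.10 are both banned after three attempts, which is exactly the self-lockout the second answer describes; with `ignoreip` covering your own range only the scanner is banned. The real equivalents live in `/etc/fail2ban/jail.local` (`ignoreip`, `maxretry`, `findtime` and `bantime` in the `[DEFAULT]` or per-jail sections), `fail2ban-client status` lists the jails the droplet image enabled, and `fail2ban-client set <jail> unbanip <ip>` lifts a single ban without stopping the service.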