
I don't do server stuff on a regular basis. I was just wondering how to check SSH login logs and found that they can be checked using `sudo cat /var/log/auth.log`. I checked on my server and there were lots of `Failed password for root from [IP]` lines. This is a newly installed remote server; there's no way I could have logged in so many times.

Then I read it carefully: it says `Failed password for root from [IP]`. I was like, what? It's for root? I have created my separate user account and, except for the first time when I had to create a new user account, I have never touched the root user. It seems to me someone is trying his luck by brute-forcing credentials. Still, I wanted to be sure, so I'm asking here.

John
    Of course. As soon as you connect _anything_ to the public Internet, the bots are trying to break in. That is completely normal. – Ron Maupin Jan 09 '20 at 18:46
  • That's what I thought, but since I'm not much into server stuff I thought I'd ask professionals. These are just bots trying their luck by brute-forcing, right? – John Jan 09 '20 at 18:47
  • Some do, and some have other tricks, trying different weaknesses. That is why we have firewalls. – Ron Maupin Jan 09 '20 at 18:48
  • Apart from SSH, I don't have any port open. There's not even any web server running like apache etc. I don't understand what you mean by other tricks? I'm a cyber security student and having an idea about those "other tricks" would help me – John Jan 09 '20 at 18:50
  • That may not matter. OSes often have weaknesses, and we get zero-day attacks when someone discovers a new one before the vendor can release a patch. – Ron Maupin Jan 09 '20 at 18:53
  • Sorry if this sounds stupid, but what do you think those people would do with new servers? Even if their bot finds the right credentials, they won't get anything, because it's a new blank server with very basic things. Initially, I thought maybe they would spread malware or something with this, but that may not be the case, because if they have the resources to scan and brute-force the entire internet they probably already have the resources to do that as well. What can be their purpose? – John Jan 09 '20 at 18:59
  • @john "tricks" is a massive topic meaning "breaks cyber security" and can't be answered as an su answer, let alone topic, and SSH is relatively secure. One trick for ssh would be to detect the version of SSH. A (long ago fixed) remote exploit was https://www.tenable.com/cve/CVE-2008-0166 – davidgo Jan 09 '20 at 19:00
  • You should really take such things to the sister site, [security.se]. You can get a big education on things. Remember the whole problem with the two weaknesses that were discovered with MikroTik routers, where tens of thousands were compromised? The router control plane didn't have any open ports either. A good guy used the weaknesses to update them because people were not doing it themselves, but he got in trouble for that. – Ron Maupin Jan 09 '20 at 19:05
  • Thanks @RonMaupin, posting on the sister site. Would you like to answer there? (If yes, please let me know so I can leave a link to the question here as soon as I post.) – John Jan 09 '20 at 19:07
  • I will leave the answers there to the experts. I'm a regular network guy, and security is a whole different ballgame that requires a particular expertise. I know enough to know what to do, but I leave the security to the specialists. – Ron Maupin Jan 09 '20 at 19:09
  • No worries, thanks anyway. – John Jan 09 '20 at 19:10
  • It may not just be a software flaw that opens you up to exploitation. [This flaw](https://www.zdnet.com/article/hundreds-of-millions-of-cable-modems-are-vulnerable-to-new-cable-haunt-vulnerability/) is based on a network chip bug. A firewall puts you one step back, and you can have one that updates itself with a subscription if you do not have a dedicated perimeter team. – Ron Maupin Jan 10 '20 at 20:27
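The question and the comments above boil down to a triage problem: reading `/var/log/auth.log`, counting `Failed password` lines per source address and per target user, and spotting the one thing that actually matters (a source that kept failing and then got in). The script below is an added example, not code from the question or from any of the commenters; the log lines it parses are constructed to match sshd's usual syslog format, the addresses are documentation ranges, and the brute-force threshold of 3 is an arbitrary assumption to make the sample small.

```python
import re
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/auth.log.
# 203.0.113.10 hammers root (the pattern described in the question),
# 198.51.100.7 guesses a non-existent user, and 192.0.2.25 is the legitimate
# user who mistyped a password once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan  9 18:40:01 srv sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jan  9 18:40:03 srv sshd[1203]: Failed password for root from 203.0.113.10 port 51030 ssh2
Jan  9 18:40:05 srv sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Jan  9 18:40:08 srv sshd[1207]: Failed password for invalid user admin from 203.0.113.10 port 51055 ssh2
Jan  9 18:41:12 srv sshd[1210]: Failed password for invalid user oracle from 198.51.100.7 port 40112 ssh2
Jan  9 18:43:00 srv sshd[1218]: Failed password for john from 192.0.2.25 port 60012 ssh2
Jan  9 18:43:20 srv sshd[1220]: Accepted publickey for john from 192.0.2.25 port 60014 ssh2: ED25519 SHA256:placeholder
"""

# "invalid user" is inserted by sshd when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (failed, accepted): failed maps (ip, user) -> count,
    accepted is a list of (ip, user, method) for successful logins."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[(m["ip"], m["user"])] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failed, accepted


def suspicious_sources(failed, threshold=3):
    """Source addresses whose total failures reach the (assumed) threshold."""
    per_ip = Counter()
    for (ip, _user), n in failed.items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def root_failures(failed):
    """How many of the failures targeted root specifically."""
    return sum(n for (_ip, user), n in failed.items() if user == "root")


def successful_after_failures(failed, accepted):
    """Successful logins from an address that also produced failures.
    Background noise from bots never reaches this list; a hit here is the
    line a defender should actually read."""
    failing_ips = {ip for ip, _user in failed}
    return [(ip, user, method) for ip, user, method in accepted if ip in failing_ips]


if __name__ == "__main__":
    failed, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failed root attempts:", root_failures(failed))
    print("sources over threshold:", suspicious_sources(failed))
    print("successes from failing sources:", successful_after_failures(failed, accepted))
```

On a real host, replace `SAMPLE_AUTH_LOG` with the contents of `/var/log/auth.log` (read with `sudo`, as in the question). The per-source counts will be dominated by scanners, which is the "completely normal" noise the comments describe; the `successful_after_failures` list is the part worth a manual look, and a publickey success for your own user from your own address is the expected benign case.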
