2

Hi I'm kinda new in "having own server". My server got recently turned off. Everything is working by now but when opened logs I was shocked. I don't exactly know what's in there but it looks like some kind of DDOS attack. Some attempting users have even username bot,bot2... My ufw log is "spammed" too. Ufw was blocking IP addresses. I don't recognize any IP address in log.

Here is small piece of log:

Apr  6 20:39:20 Hl-Server sshd[5107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.86.23.82
Apr  6 20:39:21 Hl-Server sshd[5107]: Failed password for invalid user applmgr from 110.86.23.82 port 1121 ssh2
Apr  6 20:39:22 Hl-Server sshd[5107]: Received disconnect from 110.86.23.82 port 1121:11: Normal Shutdown, Thank you for playing [preauth]
Apr  6 20:39:22 Hl-Server sshd[5107]: Disconnected from 110.86.23.82 port 1121 [preauth]
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session closed for user root
Apr  6 20:46:05 Hl-Server sshd[5113]: Invalid user wp-user from 221.229.166.102

Thank's for help.

tk421
  • 5,775
  • 6
  • 23
  • 34
Peter Hogya
  • 73
  • 7
  • 2
    This is not a DDOS attack, but a simple brute force attack. Happens on a daily base. Nothing serious. Best is to change the port for the ssh server from the standard port to something unexpected. – arkascha Apr 06 '18 at 19:37
  • 1
    Some change the port for ssh to try to prevent this, here is an article about it https://www.dropbit.ch/change-ssh-port-centos-7/ And/Or setup fail2ban https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04 some consider changing the port a bad practice, some do not. – jtzero Apr 06 '18 at 19:40

1 Answers1

1

Things to consider when "having your own server" to lower the change of a server breach via SSH:

1. Create a "normal" user if you only login with root via SSH

adduser demo

then add sudo privilegies to the the newly added user

visudo

append

demo    ALL=(ALL:ALL) ALL

after 

# User privilege specification
root    ALL=(ALL:ALL) ALL

2. Change SSH port

nano /etc/ssh/sshd_config

change Port 22 to something higher, like Port 25000

3. Don't allow root login

in the same config file, change PermitRootLogin yes to PermitRootLogin no

4. reload SSH 

reload ssh

5. Other things to consider

  1. allow only login by private key
  2. installing fail2ban

References:
Digitalocean initial server setup
Digitalocean how to configure ssh key based authentication
Digitalocean how to protect ssh with fail2ban

Binar Web
  • 867
  • 1
  • 11
  • 26