32
gitpush
7y

thought I'd type:netstat -atn on my server and the result was a bit scary, found a Russian IP address with state of: FIN_WAIT1
Either Fail2ban was closing his connection or that dude was able to access my server :/

Checked /var/log/auth.log
and found this for his IP: Failed password for root from ----- port 37635 ssh2

I hope I'm still safe :)

Instantly disable password login and make it only SSH
but now I need to carry my SSH keys or else I'm blocked out lol

Comments
  • 6
    Well... at least no one else will b able to access ur data as well if u can’t 😆😁
  • 13
    I would be quite surprised if any server with a public IP did not have some penetration attempts almost every hour.

    There are thousands of scripts running through ip ranges trying different common passwords and other intrusion attempts.

    Just seeing a Russian IP is not very special I am afraid :/

    Best defense is a good password or certificate login.

    But a good long unique password is sufficient (12-18 chars minimum)

    About 15 (I think) years ago there was an windows virus spreading.

    Average time from switching on a new computer with public IP you had less than 8 minutes to patch it before at least one infected machine hit yours :/

    That was when MS really started to take security serious and they have come a long way since.
  • 5
    I generally disable the possibility to ssh in as root but as one or more other user/'s which are able to sudo su.
    Most ssh "attacks" I've seen were trying to login as root which is pretty much pointless at that point
  • 2
    I always disable SSH for root and mostly don't use SSH password login for my servers. It's just not very safe, specially if the server is important.
  • 3
    Is root2 sufficiently odd enough? @sslPoodle
  • 4
    from the comments I conclude there is nothing to worry about, just disable root and unusual username and I should be fine. Luckily I installed Fail2ban before it is too late.

    @Electrux @gitoutofhere -.- :p
  • 2
    @sslPoodle I was actually just kidding haha :)
    I suppose the script kiddies that only brute force root access will be blocked with ease anyway so you could pick any name against those.
  • 3
    @linuxxx might be a good help for security on Linux stuffs
  • 2
    Close the connection, disable root and password based login and setup an RSA key login thingy.

    I'd recommend to (I'd do that) reinstall the server if they accesses it through root as they could leave malware on the server.
Add Comment