41

I just discovered my server being brute forced over SSH by over 25 different IPs per minute. WHAT THE FUCK?! It's not even a public website... Now I installed fail2ban.

Comments
  • 9
    @zlice No. Those damned Russians
  • 3
    Had that too
  • 1
    @zlice yeah the majority comes from china
  • 2
    @nobes Why the fuck do people do this?
  • 2
    @zlice not for long my friend.. Not for long.
  • 1
    @zlice Thinking about just blocking SSH by disabling Port forwarding...
  • 2
    @hypervtechnics or limit it to your IP range.🤔
  • 9
    Thats common. Nothing usual
  • 2
    @Linux Yeah I fully isolated my ssh port now from outerhome networks... Not having a good feeling about that
  • 8
    @hypervtechnics
    Use key, fail2ban and long password and you are ok:)
  • 2
    I have a lot of Chinese access to wp-login - and I don't even use WP.
  • 1
    @Linux thinking about to isolate everything and using a vpn
  • 2
    @Fast-Nop relax, it was probably just a scraping bot looking for vulnerabilities.
  • 1
    Step 1: fail2ban
    Step 2: strike back
    Step 3: ???
    Step 4: profit!
  • 1
    @endor How to strike back?
  • 2
    @hypervtechnics never tried it, but I guess you could try ssh-ing into those servers? Maybe see what's inside them, and if they're just boxes dedicated to botnets go haywire (or try to work your way up the hierarchy?).
    Can't think of other stuff on the spot, but I'm sure there's more
  • 2
    @endor na not atm. Maybe later if I am bored for 3 weeks
  • 2
    @bioDan that's what I assumed simply because economically, I'm not worth manual hacker effort.
  • 4
    I also had this, china, russia, india, all over the place. I guess they just try random ips and if there's a response on port 22, they point a botnet at it...
  • 3
    @Fast-Nop if they find any vulnerabilities a hacker may be inclined to not give a fuck.

    You are precious and your data is precious, even if you can't see it right now. Take good care
  • 2
    @bioDan yeah, if the automated search finds a hole, then it could alert its owners that there's a target, even if it's "just" for abusing the mail as spam relay. Or for installing miners. But the initial scan won't be specific - that's unlike, say, Paypal or so.

    Since my "CMS" (actually abuse of the C preprocessor) is running offline, I don't have to think about WP vulnerabilities. :-)
  • 5
    General question for people in the thread: if I use an SSH key am I okay in terms of brute forcing?
  • 1
    Why not just ignore them? It's their time to waste.
  • 3
    @GMR516 short answer, yes. Long answer no... 😂
  • 3
    @liquid-dev Long answer explanation? I obviously don’t want to be hacked.
  • 3
    @GMR516 I'd recommend fail2ban. If you're looking for a paid solution, I'd go with imunify360.

    As for the short yes, long no: ssh keys makes it way harder to crack as there is a magnitude of possibilities more to crack. However with enough time and ressources still technically possible. And that's where fail2ban comes in. It scans the logs and bans those ip that try to do stuff. Another reason for the long no, could be your key. If it's lost/stollen/published to github/... An atacker can simply get in.
  • 2
    @Wack I’ll research fail2ban with namecheap hosting. Thanks! Do you think using a password for the SSH key file is good as well?
  • 3
    If you have ssh reachable from the internet, you WILL be brute forced! In my experience, it starts in about 30 seconds from being available.
  • 4
    @GMR516 you should use a password on your ssh key. If you loose your key, or someone steals it, they won't be able to use it.

    However, I don't follow this best practice every time... so... Yeah... You should ;)
  • 2
    @Linux Yup. Most of my servers get 20K+ failed attempts every day.

    New one on which csf hasn’t blocked anything yet 😶
  • 3
    @GMR516 ssh with key login and the key having a strong password/phrase is good!

    And I personally would like any ip attacking me to be blocked :)

    I don’t use fail2ban myself but CSF because that’s an easy way to manage a firewall and has more advanced features.
  • 3
    I use CSF too to block those fuckheads from my servers.

    At work we have a server which is hosting a website which has been compromised before they came to us (we rebuild the website, so as far as I know, there are no vulnerabilities anymore). Once I had to fix something with CSF and had to disable it for like 30 seconds. In that 30 seconds the website/server got so many requests, which are not being blocked by CSF, that the server start shutting down...

    I've learned from that...
  • 1
    Its always a good idea to not open any port to the entire world. Restricting SSH access only to your IP is the way to go. And if you've to open port 80, keep that too behind a loadbalancer.

    Why do people do this. Well i got to know one reason, through a personal experience. I had one of the ports open (running an application on default port). The attackers didn't have anything against me personally. They just had a ready made script that'll do port scanning and depending upon the port and what application runs on that by default, try to utilise vulnerabilities in that application.

    Long story short, the attacker just ran a script to mine some Bitcoins.
  • 1
    @gymmerDeveloper That would require even more Hardware.. :D
  • 1
    @hypervtechnics well VMs and cloud is the way i generally do. But security is more to do with your personal ego. Of late security has been made so ego centric that i fail to understand certain things. Like for example if you are not running an application that involves personal data of users or other sensitive data, being not breached is not going to be very high on your priority list.

    But those around make you feel really as if it should always be very important. And this is mostly people who are in the job of preventing breaches. Its their business and their survival tactic for that.
Add Comment