Chinese attackers


Nov  2 21:21:37  sshd[43193]: Invalid user gitlab from 113.107.233.142
Nov  2 21:21:37  sshd[43193]: input_userauth_request: invalid user gitlab [preauth]
Nov  2 21:21:37  sshd[43193]: Failed password for invalid user gitlab from 113.107.233.142 port 41310 ssh2
Nov  2 21:21:39  sshd[43195]: Failed password for root from 113.107.233.142 port 42352 ssh2
Nov  2 21:21:42  sshd[43197]: Failed password for root from 113.107.233.142 port 43499 ssh2
Nov  2 21:21:44  sshd[43199]: Failed password for root from 113.107.233.142 port 44626 ssh2
Nov  2 21:21:47  sshd[43201]: Invalid user scan from 113.107.233.142
Nov  2 21:21:47  sshd[43201]: input_userauth_request: invalid user scan [preauth]
Nov  2 21:21:47  sshd[43201]: Failed password for invalid user scan from 113.107.233.142 port 45753 ssh2
Nov  2 21:21:49  sshd[43203]: Invalid user postgres from 113.107.233.142
Nov  2 21:21:49  sshd[43203]: input_userauth_request: invalid user postgres [preauth]
Nov  2 21:21:49  sshd[43203]: Failed password for invalid user postgres from 113.107.233.142 port 46788 ssh2
Nov  2 21:21:55  sshd[43205]: Invalid user oracle from 113.107.233.142
Nov  2 21:21:55  sshd[43205]: input_userauth_request: invalid user oracle [preauth]
Nov  2 21:21:55  sshd[43205]: Failed password for invalid user oracle from 113.107.233.142 port 47876 ssh2
Nov  2 21:22:01  sshd[43207]: Invalid user test from 113.107.233.142
Nov  2 21:22:01  sshd[43207]: input_userauth_request: invalid user test [preauth]
Nov  2 21:22:01  sshd[43207]: Failed password for invalid user test from 113.107.233.142 port 50701 ssh2
Nov  2 21:22:03  sshd[43275]: Invalid user guest from 113.107.233.142
Nov  2 21:22:03  sshd[43275]: input_userauth_request: invalid user guest [preauth]
Nov  2 21:22:03  sshd[43275]: Failed password for invalid user guest from 113.107.233.142 port 53065 ssh2
Nov  2 21:22:09  sshd[43277]: Invalid user info from 113.107.233.142
Nov  2 21:22:09  sshd[43277]: input_userauth_request: invalid user info [preauth]
Nov  2 21:22:09  sshd[43277]: Failed password for invalid user info from 113.107.233.142 port 54119 ssh2
Nov  2 21:22:11  sshd[43279]: Invalid user tomcat from 113.107.233.142
Nov  2 21:22:11  sshd[43279]: input_userauth_request: invalid user tomcat [preauth]
Nov  2 21:22:11  sshd[43279]: Failed password for invalid user tomcat from 113.107.233.142 port 56365 ssh2

 
I was also getting DDoS on my physical machine before the brute force happened.
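The pasted log is a textbook single-source password spray: one address, one username after another, a failure every two seconds. Below is an added example (not code from the thread) of the detection logic a host-based tool like fail2ban applies to exactly these lines: parse the sshd outcome lines, aggregate per source address, and ban when a source exceeds a number of failures (maxretry) inside a time window (findtime). The sample input reuses the "Failed password" lines from the post above and adds two constructed lines for contrast (a successful key login from 192.0.2.10 and a lone failure from 198.51.100.7); the year is a placeholder, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: the "Failed password" lines from the post above (all from
# 113.107.233.142) plus two lines that are NOT from the post, added for contrast:
# a key-based login from 192.0.2.10 and a single stray failure from 198.51.100.7.
SAMPLE_LOG = """\
Nov  2 21:21:37  sshd[43193]: Failed password for invalid user gitlab from 113.107.233.142 port 41310 ssh2
Nov  2 21:21:39  sshd[43195]: Failed password for root from 113.107.233.142 port 42352 ssh2
Nov  2 21:21:42  sshd[43197]: Failed password for root from 113.107.233.142 port 43499 ssh2
Nov  2 21:21:44  sshd[43199]: Failed password for root from 113.107.233.142 port 44626 ssh2
Nov  2 21:21:47  sshd[43201]: Failed password for invalid user scan from 113.107.233.142 port 45753 ssh2
Nov  2 21:21:49  sshd[43203]: Failed password for invalid user postgres from 113.107.233.142 port 46788 ssh2
Nov  2 21:21:55  sshd[43205]: Failed password for invalid user oracle from 113.107.233.142 port 47876 ssh2
Nov  2 21:22:01  sshd[43207]: Failed password for invalid user test from 113.107.233.142 port 50701 ssh2
Nov  2 21:22:03  sshd[43275]: Failed password for invalid user guest from 113.107.233.142 port 53065 ssh2
Nov  2 21:22:09  sshd[43277]: Failed password for invalid user info from 113.107.233.142 port 54119 ssh2
Nov  2 21:22:11  sshd[43279]: Failed password for invalid user tomcat from 113.107.233.142 port 56365 ssh2
Nov  2 21:22:30  sshd[43281]: Accepted publickey for jpryan34 from 192.0.2.10 port 50000 ssh2
Nov  2 21:25:00  sshd[43290]: Failed password for jpryan34 from 198.51.100.7 port 51000 ssh2
"""

# syslog omits the year and the post does not state it: placeholder value.
ASSUMED_YEAR = 2014

# Only the outcome lines are matched; the "Invalid user" / "[preauth]" lines in
# the post add nothing for counting. An optional hostname field is tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?sshd\[\d+\]: "
    r"(?P<verdict>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


@dataclass
class Event:
    ts: datetime
    failed: bool
    user: str
    ip: str


def parse_events(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(Event(ts, m["verdict"].startswith("Failed"), m["user"], m["ip"]))
    return events


def should_ban(failure_times: List[datetime], maxretry: int = 5,
               findtime: timedelta = timedelta(minutes=10)) -> bool:
    """fail2ban-style rule: ban if any findtime window holds maxretry failures."""
    ts = sorted(failure_times)
    return any(ts[i] - ts[i - maxretry + 1] <= findtime
               for i in range(maxretry - 1, len(ts)))


def analyze(log_text: str, **ban_opts) -> Dict[str, dict]:
    """Per-source summary: failure count, usernames tried, root attempts,
    time span of the failures, and the ban decision."""
    per_ip = defaultdict(list)
    for ev in parse_events(log_text):
        per_ip[ev.ip].append(ev)
    report = {}
    for ip, evs in per_ip.items():
        fails = [e for e in evs if e.failed]
        span = (max(e.ts for e in fails) - min(e.ts for e in fails)).total_seconds() if fails else 0.0
        report[ip] = {
            "failures": len(fails),
            "accepted": len(evs) - len(fails),
            "users": sorted({e.user for e in fails}),
            "root_attempts": sum(e.user == "root" for e in fails),
            "span_seconds": span,
            "ban": should_ban([e.ts for e in fails], **ban_opts),
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        verdict = "BAN" if r["ban"] else "ok"
        print(f"{ip:16} {verdict:3} failures={r['failures']:2} root={r['root_attempts']} "
              f"span={r['span_seconds']:.0f}s users={','.join(r['users'])}")
```

With the defaults (5 failures in 10 minutes) the source in the post is banned after its fifth attempt at 21:21:47, ten seconds into the run; the single failure from 198.51.100.7 is left alone. The "users" list is the signature worth keeping an eye on: nine different accounts in 34 seconds is credential guessing, not a user who forgot a password.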

  • 2 weeks later...

This happens to virtually any host once it is exposed to "teh Internez" for some time.

Just like on my private virtual servers:

There were 70877 failed login attempts since the last successful login.
Last login: Tue Nov 11 11:44:17 2014

Notice that this server was offline for the last three days, so in fact this is the number of brute-force tries for only 72 hours.

 

You can install stuff like fail2ban or do "rate-limiting" on your SSH port, but you should start out by making sure your credentials are secure.

This also includes using a personal user, and not root, to log in - only switch to the root user when necessary using su or sudo.

Choosing an unusual name already does a lot (e.g. jpryan34 instead of just ryan) since most brute-force attacks aim for "standard" names like

  • root, toor, anonymous, apache, mysql, daemon, httpd, nginx - usual daemon/system user names
  • john, jane, lukas, michael, robert - usual first names

  • 4 months later...

There is a massive number of computers in China dedicated to scanning for vulnerabilities automatically, with the government's consent; even universities in China run these.

 

It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:

 

- change the ssh port; automated scans will never look for custom ssh ports

- install sshguard

- use a key instead of a password

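The two posts above boil down to a handful of sshd_config directives: no root login (use a personal user and sudo), keys instead of passwords, and optionally a non-default port. As an added example that is not from the thread, here is a small auditor that parses an sshd_config the way sshd does (first value for a directive wins, keys are case-insensitive, "Key=value" is accepted) and reports where a config falls short of that advice. Both config fragments are constructed; the user name jpryan34 is borrowed from the earlier post. One caveat the posts do not mention is included as a check: with PAM in use, turning off PasswordAuthentication alone still leaves keyboard-interactive password prompts unless ChallengeResponseAuthentication (KbdInteractiveAuthentication on newer OpenSSH) is also off.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config fragments (not from the thread). The first is the
# permissive setup the posts warn about; the second applies their advice.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers jpryan34
"""

Finding = Tuple[str, str, str]  # (severity, directive, message)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective top-level directives, lower-cased keys.

    sshd keeps the FIRST value it reads for a directive, so later duplicates are
    ignored here as well. Parsing stops at the first Match block; conditional
    overrides inside Match blocks are out of scope for this checker."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text: str) -> List[Finding]:
    cfg = parse_sshd_config(text)
    findings: List[Finding] = []

    # OpenSSH default is prohibit-password: key-based root login still allowed.
    root = cfg.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root may log in with a password; use a personal user and sudo"))
    elif root != "no":
        findings.append(("medium", "PermitRootLogin",
                         f"'{root}' still allows root logins by key; prefer 'no'"))

    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("high", "PasswordAuthentication",
                         "passwords accepted; move to keys and set 'no'"))

    # Keyboard-interactive (PAM) can still prompt for a password when
    # PasswordAuthentication is off, so this has to be disabled too.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append(("medium", "ChallengeResponseAuthentication",
                         "keyboard-interactive left on; PAM may still ask for a password"))

    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append(("high", "PubkeyAuthentication", "key authentication disabled"))

    tries = int(cfg.get("maxauthtries", "6"))
    if tries > 3:
        findings.append(("low", "MaxAuthTries",
                         f"{tries} attempts per connection; 3 slows guessing"))

    if cfg.get("port", "22") == "22":
        findings.append(("info", "Port",
                         "default port; moving it cuts log noise but is not a security control"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, directive, msg in audit(cfg) or [("ok", "-", "no findings")]:
            print(f"  [{sev:6}] {directive}: {msg}")
```

The first-value-wins rule matters in practice: a "PermitRootLogin no" appended at the bottom of a distribution default file does nothing if an earlier "PermitRootLogin yes" is still present, and the auditor reproduces that behaviour rather than reporting the reassuring last line.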

  • 8 months later...
On Friday, March 20, 2015, Shogun said:

There is a massive number of computers in China dedicated to scanning for vulnerabilities automatically, with the government's consent; even universities in China run these.

 

It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:

 

- change the ssh port; automated scans will never look for custom ssh ports

- install sshguard

- use a key instead of a password

#confirm

 


  • 3 weeks later...

It's a well-known fact that the Chinese scan ports, brute-force and exploit like crazy. It will help a lot if you just drop the whole of China in your firewall. It's not hard to do - just dig up Chinese IP networks and block them.

And the first thing you should do is to install a simple and rather nice tool: http://www.sshguard.net/

Or if you have a little more admin experience then go for: https://www.snort.org/

There are also other good methods to screw scanners, e.g. port knocking, or just use key-based auth as suggested above.

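"Dig up the IP networks and block them" is the part of the post above that turns into real work: country allocations arrive as thousands of prefixes, many of them adjacent, and the lookup has to be fast. As an added example that is not from the thread, the code below merges a prefix list into non-overlapping networks, indexes it for binary-search lookups, checks source addresses from an auth log against it, and renders the result as ipset/iptables commands (returned as strings, not executed). The prefixes here are constructed placeholders, not real allocation data: two adjacent /17s around the address from the log at the top of the thread and a documentation range (TEST-NET-3). Two caveats for anyone doing this for real: a geo-block is a noise filter, not a control, since brute-forcers rent hosts everywhere; and your own administrative addresses must be tested against the set before it goes live, as the coverage function below does.

```python
import bisect
import ipaddress
from typing import List, Sequence, Tuple

# Constructed placeholder ranges (NOT real allocation data): two adjacent /17s
# around the source address in the thread's log, plus TEST-NET-3. A real list
# would come from a registry export or geo-IP database.
PLACEHOLDER_RANGES = ["113.107.0.0/17", "113.107.128.0/17", "203.0.113.0/24"]

# Constructed source addresses to check: the log's attacker, a documentation
# address standing in for the admin's own host, and two unrelated ones.
OBSERVED_SOURCES = ["113.107.233.142", "192.0.2.10", "203.0.113.9", "198.51.100.7"]

Compiled = Tuple[List[ipaddress.IPv4Network], List[int]]


def compile_blocklist(cidrs: Sequence[str]) -> Compiled:
    """Merge overlapping/adjacent prefixes and index them by start address so a
    lookup is a binary search instead of a scan over thousands of rules."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if any(n.version != 4 for n in nets):
        raise ValueError("this example handles IPv4 only")
    merged = sorted(ipaddress.collapse_addresses(nets))   # non-overlapping, sorted
    starts = [int(n.network_address) for n in merged]
    return merged, starts


def is_blocked(ip: str, compiled: Compiled) -> bool:
    """Since the merged list is sorted and non-overlapping, the only candidate
    network is the last one whose start address is <= the queried address."""
    merged, starts = compiled
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    i = bisect.bisect_right(starts, int(addr)) - 1
    return i >= 0 and addr in merged[i]


def coverage(sources: Sequence[str], compiled: Compiled) -> Tuple[List[str], List[str]]:
    """Split observed source addresses into (blocked, not_blocked). Run this on
    your own admin addresses too: nothing you log in from may land in 'blocked'."""
    blocked = [s for s in sources if is_blocked(s, compiled)]
    not_blocked = [s for s in sources if not is_blocked(s, compiled)]
    return blocked, not_blocked


def ipset_commands(compiled: Compiled, setname: str = "geo_block") -> List[str]:
    """Render the merged list as ipset/iptables commands. Returned, not run."""
    merged, _ = compiled
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {n.with_prefixlen} -exist" for n in merged]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    compiled = compile_blocklist(PLACEHOLDER_RANGES)
    print("merged prefixes:", [n.with_prefixlen for n in compiled[0]])
    blocked, allowed = coverage(OBSERVED_SOURCES, compiled)
    print("blocked:", blocked)
    print("not blocked:", allowed)
    print("\n".join(ipset_commands(compiled)))
```

The two /17s collapse into a single /16, so the rendered set has two entries rather than three; on a real country list the merge typically removes a large share of the prefixes, which is why it is worth doing before loading the set into the kernel.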
