Jump to content
Forgot your email address? ×
×
×
  • Create New...
  • 0

Chinese attackers


siemka256

Question

Nov  2 21:21:37  sshd[43193]: Invalid user gitlab from 113.107.233.142
Nov  2 21:21:37  sshd[43193]: input_userauth_request: invalid user gitlab [preau                                                         th]
Nov  2 21:21:37  sshd[43193]: Failed password for invalid user gitlab from 113.1                                                         07.233.142 port 41310 ssh2
Nov  2 21:21:39  sshd[43195]: Failed password for root from 113.107.233.142 port                                                          42352 ssh2
Nov  2 21:21:42  sshd[43197]: Failed password for root from 113.107.233.142 port                                                          43499 ssh2
Nov  2 21:21:44  sshd[43199]: Failed password for root from 113.107.233.142 port                                                          44626 ssh2
Nov  2 21:21:47  sshd[43201]: Invalid user scan from 113.107.233.142
Nov  2 21:21:47  sshd[43201]: input_userauth_request: invalid user scan [preauth                                                         ]
Nov  2 21:21:47  sshd[43201]: Failed password for invalid user scan from 113.107                                                         .233.142 port 45753 ssh2
Nov  2 21:21:49  sshd[43203]: Invalid user postgres from 113.107.233.142
Nov  2 21:21:49  sshd[43203]: input_userauth_request: invalid user postgres [pre                                                         auth]
Nov  2 21:21:49  sshd[43203]: Failed password for invalid user postgres from 113                                                         .107.233.142 port 46788 ssh2
Nov  2 21:21:55  sshd[43205]: Invalid user oracle from 113.107.233.142
Nov  2 21:21:55  sshd[43205]: input_userauth_request: invalid user oracle [preau                                                         th]
Nov  2 21:21:55  sshd[43205]: Failed password for invalid user oracle from 113.1                                                         07.233.142 port 47876 ssh2
Nov  2 21:22:01  sshd[43207]: Invalid user test from 113.107.233.142
Nov  2 21:22:01  sshd[43207]: input_userauth_request: invalid user test [preauth                                                         ]
Nov  2 21:22:01  sshd[43207]: Failed password for invalid user test from 113.107                                                         .233.142 port 50701 ssh2
Nov  2 21:22:03  sshd[43275]: Invalid user guest from 113.107.233.142
Nov  2 21:22:03  sshd[43275]: input_userauth_request: invalid user guest [preaut                                                         h]
Nov  2 21:22:03  sshd[43275]: Failed password for invalid user guest from 113.10                                                         7.233.142 port 53065 ssh2
Nov  2 21:22:09  sshd[43277]: Invalid user info from 113.107.233.142
Nov  2 21:22:09  sshd[43277]: input_userauth_request: invalid user info [preauth                                                         ]
Nov  2 21:22:09  sshd[43277]: Failed password for invalid user info from 113.107                                                         --More--(byte 2659)Nov  2 21:21:49  sshd[43203]: input_userauth_request: invalid user postgres [preauth]
Nov  2 21:21:49  sshd[43203]: Failed password for invalid user postgres from 113.107.233.142 port 46788 ssh2
Nov  2 21:21:55  sshd[43205]: Invalid user oracle from 113.107.233.142
Nov  2 21:21:55  sshd[43205]: input_userauth_request: invalid user oracle [preauth]
Nov  2 21:21:55  sshd[43205]: Failed password for invalid user oracle from 113.107.233.142 port 47876 ssh2
Nov  2 21:22:01  sshd[43207]: Invalid user test from 113.107.233.142
Nov  2 21:22:01  sshd[43207]: input_userauth_request: invalid user test [preauth]
Nov  2 21:22:01  sshd[43207]: Failed password for invalid user test from 113.107.233.142 port 50701 ssh2
Nov  2 21:22:03  sshd[43275]: Invalid user guest from 113.107.233.142
Nov  2 21:22:03  sshd[43275]: input_userauth_request: invalid user guest [preauth]
Nov  2 21:22:03  sshd[43275]: Failed password for invalid user guest from 113.107.233.142 port 53065 ssh2
Nov  2 21:22:09  sshd[43277]: Invalid user info from 113.107.233.142
Nov  2 21:22:09  sshd[43277]: input_userauth_request: invalid user info [preauth]
Nov  2 21:22:09  sshd[43277]: Failed password for invalid user info from 113.107.233.142 port 54119 ssh2
Nov  2 21:22:11  sshd[43279]: Invalid user tomcat from 113.107.233.142
Nov  2 21:22:11  sshd[43279]: input_userauth_request: invalid user tomcat [preauth]
Nov  2 21:22:11  sshd[43279]: Failed password for invalid user tomcat from 113.107.233.142 port 56365 ssh2

 
I was also getting DDoS on my physical machine before the brute force happened.
Link to comment

11 answers to this question

Recommended Posts

  • 0

This happens to virtually any host once it is exposed to "teh Internez" for some time.

Just like on my private virtual servers:

There were 70877 failed login attempts since the last successful login.
Last login: Tue Nov 11 11:44:17 2014

Notice that this server was offline the last three days, so in fact this is the number of bruteforce tries for only 72 hours.

 

You can install stuff like fail2ban or do "rate-limiting" on your SSH port, but you should start out by making sure your credentials are secure.

This also includes using a personal user, and not root, to login - only switch to root user when necessary using su or sudo.

Choosing an unusual name already does alot (e.g. jpryan34 instead of just ryan) since most brute force attacks aim for "standard" names like

  • root, toor, anonymous, apache, mysql, daemon, httpd, nginx - usual daemon/system user names
  • john, jane, lukas, michael, robert - usual first names
Link to comment
  • 0
  • Premium

There is a massive amount of computers in China dedicated to scanning vulnerabilities automatically, with the government's consent, even universities in China run these.

 

It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:

 

- change ssh port, automated scans will never look for custom ssh ports

- install sshguard

- use a key instead of password

 

 

Link to comment
  • 0
On Friday, March 20, 2015, Shogun said:

There is a massive amount of computers in China dedicated to scanning vulnerabilities automatically, with the government's consent, even universities in China run these.

 

It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:

 

- change ssh port, automated scans will never look for custom ssh ports

- install sshguard

- use a key instead of password

#confirm

 

Link to comment
  • 0

It's a well known fact that chinese scan ports, brute force and exploit like crazy. It will help alot if you just drop whole China in your firewall. It's not hard to do - just dig up chinese ip networks and block them.

And the first thing you should do is to install a simple and rather nice tool: http://www.sshguard.net/

Or if you have a little more admin experience then go for: https://www.snort.org/

There are also other good methods to screw scanners e.g. port knocking or just use key-based auth as suggested above.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Announcements

  • -15% Discount in Metin2 Dev Store (01/10/2021 => 31/12/2021) => Code => 15_PCT_OCT_TO_DEC_2021


Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.