siemka256 12 Posted November 4, 2014

Nov 2 21:21:37 sshd[43193]: Invalid user gitlab from 113.107.233.142
Nov 2 21:21:37 sshd[43193]: input_userauth_request: invalid user gitlab [preauth]
Nov 2 21:21:37 sshd[43193]: Failed password for invalid user gitlab from 113.107.233.142 port 41310 ssh2
Nov 2 21:21:39 sshd[43195]: Failed password for root from 113.107.233.142 port 42352 ssh2
Nov 2 21:21:42 sshd[43197]: Failed password for root from 113.107.233.142 port 43499 ssh2
Nov 2 21:21:44 sshd[43199]: Failed password for root from 113.107.233.142 port 44626 ssh2
Nov 2 21:21:47 sshd[43201]: Invalid user scan from 113.107.233.142
Nov 2 21:21:47 sshd[43201]: input_userauth_request: invalid user scan [preauth]
Nov 2 21:21:47 sshd[43201]: Failed password for invalid user scan from 113.107.233.142 port 45753 ssh2
Nov 2 21:21:49 sshd[43203]: Invalid user postgres from 113.107.233.142
Nov 2 21:21:49 sshd[43203]: input_userauth_request: invalid user postgres [preauth]
Nov 2 21:21:49 sshd[43203]: Failed password for invalid user postgres from 113.107.233.142 port 46788 ssh2
Nov 2 21:21:55 sshd[43205]: Invalid user oracle from 113.107.233.142
Nov 2 21:21:55 sshd[43205]: input_userauth_request: invalid user oracle [preauth]
Nov 2 21:21:55 sshd[43205]: Failed password for invalid user oracle from 113.107.233.142 port 47876 ssh2
Nov 2 21:22:01 sshd[43207]: Invalid user test from 113.107.233.142
Nov 2 21:22:01 sshd[43207]: input_userauth_request: invalid user test [preauth]
Nov 2 21:22:01 sshd[43207]: Failed password for invalid user test from 113.107.233.142 port 50701 ssh2
Nov 2 21:22:03 sshd[43275]: Invalid user guest from 113.107.233.142
Nov 2 21:22:03 sshd[43275]: input_userauth_request: invalid user guest [preauth]
Nov 2 21:22:03 sshd[43275]: Failed password for invalid user guest from 113.107.233.142 port 53065 ssh2
Nov 2 21:22:09 sshd[43277]: Invalid user info from 113.107.233.142
Nov 2 21:22:09 sshd[43277]: input_userauth_request: invalid user info [preauth]
Nov 2 21:22:09 sshd[43277]: Failed password for invalid user info from 113.107.233.142 port 54119 ssh2
Nov 2 21:22:11 sshd[43279]: Invalid user tomcat from 113.107.233.142
Nov 2 21:22:11 sshd[43279]: input_userauth_request: invalid user tomcat [preauth]
Nov 2 21:22:11 sshd[43279]: Failed password for invalid user tomcat from 113.107.233.142 port 56365 ssh2

I was also getting DDoS on my physical machine before the brute force happened.

Rumor 2605 Posted November 4, 2014

This is common. I would suggest you disable password authentication and use a key to log in.
http://metin2dev.org/board/topic/183-basic-ssh-security/

IceShiva 150 Posted November 15, 2014

It's not a DDoS, it's a brute-force attack. Install fail2ban for SSH.

Rumor 2605 Posted November 15, 2014

> It's not a DDoS, it's a brute-force attack. Install fail2ban for SSH.

He said before the brute force.

Management Karbust 4884 Posted November 15, 2014

I'm having this problem too, but the most interesting thing is I don't have port 22 open on the router, but when I came home I saw the FreeBSD with many logs like that...

Premium Zonni 230 Posted November 15, 2014

I had the same situation when I had my dev FreeBSD on my computer opened (and the internal IP is set to work as public IP). Attack from China.

Mashkin 16 Posted November 16, 2014

This happens to virtually any host once it is exposed to "teh Internez" for some time. Just like on my private virtual servers:

There were 70877 failed login attempts since the last successful login.
Last login: Tue Nov 11 11:44:17 2014

Notice that this server was offline the last three days, so in fact this is the number of brute-force tries for only 72 hours.

You can install stuff like fail2ban or do "rate-limiting" on your SSH port, but you should start out by making sure your credentials are secure. This also includes using a personal user, and not root, to log in - only switch to root user when necessary using su or sudo. Choosing an unusual name already does a lot (e.g. jpryan34 instead of just ryan) since most brute-force attacks aim for "standard" names like

root, toor, anonymous, apache, mysql, daemon, httpd, nginx - usual daemon/system user names
john, jane, lukas, michael, robert - usual first names

Rumor 2605 Posted November 17, 2014

FreeBSD key auth: http://metin2dev.org/board/topic/183-basic-ssh-security/
Debian key auth: http://metin2dev.org/board/topic/3836-ssh-key-authentication-on-debian-7/

siemka256 12 Posted March 20, 2015 Author

I changed the port from 22, this could help. If I'm still having brutes then I'll hop to key auth.

Regards,

Premium Shogun 4587 Posted March 20, 2015

There is a massive amount of computers in China dedicated to scanning vulnerabilities automatically, with the government's consent, even universities in China run these. It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:

- change ssh port, automated scans will never look for custom ssh ports
- install sshguard
- use a key instead of password

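Added example, not part of any post in this thread: a small audit of an sshd_config against the settings recommended above (keys instead of passwords, no direct root login, a port other than 22). Both sample configs are constructed and the function names are assumptions; the parser covers only the global section and treats an unset keyword as a finding, because defaults differ between builds.

```python
# Constructed weak config: the second PasswordAuthentication line has no
# effect because sshd uses the first value it obtains for each keyword.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
permitrootlogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed corrected config with the thread's recommendations applied.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""

REQUIRED = {
    "passwordauthentication": "no",  # log in with a key, not a password
    "permitrootlogin": "no",         # personal user, then su or sudo
}


def effective_settings(text):
    """Global settings only: keywords are case-insensitive, first value wins."""
    settings = {"port": []}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break  # everything after Match is conditional, not global
        if keyword == "port":
            settings["port"].append(value)  # Port may be given several times
        else:
            settings.setdefault(keyword, value)
    return settings


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = effective_settings(text)
    findings = []
    for keyword, wanted in REQUIRED.items():
        got = cfg.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set, set it to '{wanted}'")
        elif got.lower() != wanted:
            findings.append(f"{keyword}: '{got}', expected '{wanted}'")
    if "22" in (cfg["port"] or ["22"]):  # no Port line means port 22
        findings.append("port: still listening on 22")
    return findings
```

On PAM-enabled builds, keyboard-interactive authentication can still accept passwords when PasswordAuthentication is no, so check ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) as well.
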
MetinMyLife 0 Posted November 21, 2015

On Friday, March 20, 2015, Shogun said:

> There is a massive amount of computers in China dedicated to scanning vulnerabilities automatically, with the government's consent, even universities in China run these. It's unlikely that they will break in if you are using a decently secure password, but if you are still worried:
> - change ssh port, automated scans will never look for custom ssh ports
> - install sshguard
> - use a key instead of password

#confirm

monsune 3 Posted December 8, 2015

It's a well-known fact that Chinese scan ports, brute force and exploit like crazy. It will help a lot if you just drop the whole of China in your firewall. It's not hard to do - just dig up Chinese IP networks and block them.

And the first thing you should do is to install a simple and rather nice tool: http://www.sshguard.net/

Or if you have a little more admin experience then go for: https://www.snort.org/

There are also other good methods to screw scanners, e.g. port knocking, or just use key-based auth as suggested above.