
I'm a cyber security student and don't do server stuff on a regular basis. I was just wondering how to check SSH login logs and found that it can be checked using `sudo cat /var/log/auth.log`. I checked on my server and there were lots of `Failed password for root from [IP]`. This is a newly installed remote server; there's no way I could have logged in so many times.

Then I read it carefully: it says `Failed password for root from [IP]`. I was like, what? It's for root? I have created my separate user account and, except the first time when I had to create a new user account, I have never touched the root user. It seems to me someone is trying his luck by bruteforcing for credentials. Still, I wanted to ask my seniors here what they think.

I've nothing running on this server, not even Apache, Nginx, etc. Only the SSH port is open, and AFAIK there's no recent SSH vulnerability in public knowledge.

And one more important thing I wanted to ask: being a security student, this really grabs my attention and makes me more curious to understand this. Why would someone run scripts to bruteforce and scan new servers? I mean, what would he get? There's barely anything in my case. Initially, I thought maybe he wants to spread malware using my server, but if someone has the resources to scan the entire internet he surely has the resources to do that himself. Maybe he just wants to add servers to his list of compromised servers and use all of them together as a botnet; so many things are going on in my mind. What would he do with a new server?

EDIT: Something I realized today is that, as a security student, I was understanding things from the offensive side. Now that I have set up my server, I really understand the need to know things from the defensive side as a pentester. If any student is reading this, I would say: understand the defensive side as well. I will also learn from now on.

John

  • The Mirai botnet was just a bunch of cameras with weak telnet credentials. I wouldn't be surprised if there were devices with weak SSH passwords (I have an industrial Ethernet switch on my desk that I have root SSH login access to; the password is 8 characters long) that have botnets running on them. You might think those embedded devices are useless, but when you have a ton of them and use reflection attacks to multiply your bandwidth then it can be pretty devastating. – user Jan 09 '20 at 19:25
  • Key-based authentication beats a strong password any day of the week. It's better to disable password-based logins altogether. – Conor Mancone Jan 09 '20 at 20:43
  • Does this answer your question? [Invalid users trying to log in to my server](https://security.stackexchange.com/questions/21027/invalid-users-trying-to-log-in-to-my-server) – Conor Mancone Jan 09 '20 at 20:43

1 Answer


> It seems to me someone is trying his luck by bruteforcing for credentials.

Yes, that's the likely cause. Any machine connected to the Internet and listening to SSH will be hammered with login attempts, especially for root.

> AFAIK there's no recent SSH vulnerability in public knowledge.

Correct. They're just hoping you have a weak, guessable password.

> Why would someone run scripts to bruteforce and scan new servers? ... What would he do with a new server?

Because all servers are useful - as members of a botnet, if nothing else. If they get in, they may use it to scan the Internet looking for weak SSH credentials!

Because some servers are valuable - hey, look, credit card info! - and the attacker doesn't know if yours is valuable or not until he owns it. He won't ignore servers just because they might be less valuable.

Because some servers have access to other servers that aren't publicly available.

Because more is better.

The lesson to learn is that every system on the Internet is a target, all the time. As a security student, that is what you must learn to expect.

gowenfawr

  • I don't have weak SSH credentials, but there may be some people with very weak credentials. I think this bruteforcing issue can be easily solved by the server provider. Can't they implement rate limiting and prevent this? – John Jan 09 '20 at 19:43
  • @John [fail2ban](https://www.fail2ban.org) is pretty popular. – user Jan 09 '20 at 19:58
  • @John [this answer](https://security.stackexchange.com/a/21039/3365) lists a number of defensive steps you can take. – gowenfawr Jan 09 '20 at 20:07