3

I have a dedicated server with a public IP address, port 22 open and fail2ban running. I am using the root account (I know it is wrong but I have to) and I have disabled logins with password. I am using a 4096-bit RSA key with a key password (10 characters long, with mixed letters, numbers and symbols).

Today, while checking the server and some logs, I saw on the screenshot below two Chinese IP addresses and my IP address from my office (for privacy reasons I have blanked my IP address).

netstat screenshot

Using the last command, mine seems to be the only one that has logged in to the system.

Do I have to worry? Are there any tips to better secure my server? (Running Ubuntu Server Xenial 16.04 LTS.)

Michael
harry

3 Answers

5

Anybody can establish a connection to the SSH server, which means that this information does not say anything about a successful login. Restricting access to key-based authentication only is a wise choice and will prevent the typical password brute-force attacks. It will not prevent a simple connect to the SSH server though, but at this stage no real harm is done yet.

As for additional security settings, please see the various questions about this topic on this site, like What methods are available for securing SSH?. There is no need to repeat everything here.

Steffen Ullrich
  • Am I safe? Do I have to set up anything else for improved security? Any way to monitor access attempts? Just saw the edited comment, thanks for the info! – harry Mar 31 '20 at 11:18
  • 1
    @harry: Based on the information you've provided so far one cannot conclude a successful attack. As for additional information about hardening see my updated answer. – Steffen Ullrich Mar 31 '20 at 11:23
  • @harry why not just check out the sshd log and grep for that IP? Moreover, there is not a hope that 4096-bit RSA was brute forced. Unless your private key is compromised you are completely safe (barring an SSH zero-day). – Woodstock Mar 31 '20 at 11:51
2

An ESTABLISHED connection on port 22 only means a TCP connection was made, not that an SSH session is active. If you telnet from your office computer to your server on port 22 and do not type anything, you will see the connection as ESTABLISHED in netstat. And now that you masked your office and attacker IPs but not your own, expect more people connecting to it.

If you look at your logs, you will very likely see login failure or "client disconnected" messages from those Chinese IPs.

ThoriumBR
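Both answers above, and Woodstock's comment, make the same point: an ESTABLISHED socket on port 22 is not a login, and the authoritative record is what sshd wrote to the log. The script below is an added example, not code from the original question or from any of the answerers. It takes a `netstat -tn` excerpt, pulls out the remote IPs with an ESTABLISHED connection to local port 22, and cross-checks each against `/var/log/auth.log`-style sshd lines, distinguishing an accepted login from authentication failures and from connections that dropped before authentication. The server address, peer addresses, usernames, timestamps and fingerprint are constructed (TEST-NET ranges), and the log format is assumed to be the one OpenSSH writes at the default LogLevel INFO; both samples are embedded so the script runs offline.

```python
"""Cross-check ESTABLISHED connections to port 22 against what sshd actually logged.

Added example, not from the original post. Assumes `netstat -tn` output and
auth.log lines in OpenSSH's default (LogLevel INFO) format. All sample data is
constructed: 198.51.100.7 is the "server", the peers are TEST-NET addresses.
"""
import re
from collections import defaultdict

# Constructed `netstat -tn` excerpt; one ESTABLISHED peer later logs in, two never do.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.7:22         203.0.113.45:51822      ESTABLISHED
tcp        0    256 198.51.100.7:22         192.0.2.10:55012        ESTABLISHED
tcp        0      0 198.51.100.7:22         203.0.113.46:40122      TIME_WAIT
tcp        0      0 198.51.100.7:22         203.0.113.47:33001      ESTABLISHED
"""

# Constructed auth.log excerpt covering the same peers (fingerprint is fake).
SAMPLE_AUTH_LOG = """\
Mar 31 10:58:03 srv sshd[4311]: Did not receive identification string from 203.0.113.45 port 51822
Mar 31 10:59:10 srv sshd[4320]: Invalid user admin from 203.0.113.46 port 40122
Mar 31 10:59:12 srv sshd[4320]: Connection closed by 203.0.113.46 port 40122 [preauth]
Mar 31 11:02:44 srv sshd[4333]: Accepted publickey for root from 192.0.2.10 port 55012 ssh2: RSA SHA256:c0nstructedFingerprint
Mar 31 11:02:44 srv sshd[4333]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 31 11:04:01 srv sshd[4340]: Received disconnect from 203.0.113.47 port 33001:11: Bye Bye [preauth]
Mar 31 11:04:01 srv sshd[4340]: Disconnected from 203.0.113.47 port 33001 [preauth]
"""

# An IPv4 dotted quad or an IPv6 literal; deliberately does not match words like "user".
IP = r"((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:.]*)"
PORT = r"(?: port \d+)?"  # older sshd versions omit the source port

NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):22\s+(\S+):(\d+)\s+(\S+)\s*$")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from " + IP + PORT)
FAILED_RE = re.compile(r"Failed (\S+) for (?:invalid user )?(\S+) from " + IP + PORT)
INVALID_RE = re.compile(r"Invalid user (\S+) from " + IP + PORT)
# One line per dropped connection; "Received disconnect" is skipped because sshd
# follows it with "Disconnected from", which would double-count the same event.
PREAUTH_RE = re.compile(
    r"(?:Did not receive identification string from|Connection closed by|Disconnected from) "
    + IP + PORT
)


def established_ssh_peers(netstat_text):
    """Remote IPs that currently hold an ESTABLISHED TCP connection to local port 22."""
    peers = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(4) == "ESTABLISHED":
            peers.add(m.group(2))
    return peers


def summarize_sshd_log(log_text):
    """Per source IP: accepted logins (user, method), auth failures, pre-auth disconnects."""
    stats = defaultdict(lambda: {"accepted": [], "failed": 0, "preauth_drops": 0})
    for line in log_text.splitlines():
        if " sshd[" not in line:
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group(3)]["accepted"].append((m.group(2), m.group(1)))
            continue
        m = FAILED_RE.search(line)
        if m:
            stats[m.group(3)]["failed"] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            stats[m.group(2)]["failed"] += 1
            continue
        m = PREAUTH_RE.search(line)
        if m:
            stats[m.group(1)]["preauth_drops"] += 1
    return stats


def triage(netstat_text, log_text):
    """For each ESTABLISHED peer on port 22, report whether sshd ever accepted a login from it."""
    stats = summarize_sshd_log(log_text)
    report = {}
    for ip in sorted(established_ssh_peers(netstat_text)):
        s = stats.get(ip, {"accepted": [], "failed": 0, "preauth_drops": 0})
        if s["accepted"]:
            users = ",".join("%s/%s" % (user, method) for user, method in s["accepted"])
            report[ip] = "LOGGED IN as " + users
        elif s["failed"] or s["preauth_drops"]:
            report[ip] = "no login: %d auth failure(s), %d pre-auth disconnect(s)" % (
                s["failed"], s["preauth_drops"])
        else:
            report[ip] = "no login: TCP connection only, nothing logged by sshd yet"
    return report


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_NETSTAT, SAMPLE_AUTH_LOG).items():
        print("%-16s %s" % (ip, verdict))
```

On the real box the two inputs would come from `netstat -tn` and `grep sshd /var/log/auth.log` (rotated files included). Two caveats when reading the result: `last` reads wtmp, which only records sessions that were actually opened, so an "Accepted ..." line in auth.log is the signal that matters and a peer with nothing but pre-auth disconnects never got past authentication; and at the default LogLevel INFO a single rejected key for a valid user is not logged as "Failed publickey", so a scanner that offered a key may show up only as a "[preauth]" disconnect, exactly as ThoriumBR's answer describes.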
0

This question is not necessarily a duplicate, but there is an interesting discussion around this question that may give some insight as to why you saw Chinese IP addresses connecting.

iraleigh