0

I have an Ubuntu server; first I ran into this, as I couldn't log in via ssh at all:

ssh connection takes forever to initiate, stuck at "pledge: network"

After a hard reboot, I could log in - but everything executes extremely slowly on the server - even though top said there is only about 1% CPU utilization.

When I tried to run an update, it got to here:

$ sudo apt update

Hit:1 http://dk.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://dk.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://dk.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]

... and now it is stuck, still waiting for the command to complete.

I managed to run:

$ grep Failed /var/log/auth.log
...
Apr 23 10:54:14 myserv sshd[1994]: Failed password for root from ::1 port 50182 ssh2
Apr 23 10:54:14 myserv sshd[1992]: Failed password for invalid user pt from ::1 port 50180 ssh2

... so clearly something is trying to brute-force into ssh.

Basically, I would have tried to use fail2ban - however, the IP address reported is ::1, which, as far as I can see, is usually whitelisted in fail2ban.

Is it possible to inspect where these attempts are coming from - and possibly mitigate them via fail2ban (or something similar)?

sdaau
  • There's no place like `::1`. The login attempts are coming from your localhost, so they are already in somehow. – Esa Jokinen Apr 23 '20 at 09:27
  • I never allow port 22 or even 2222 to be used for SSH and only allow specific users with strong passwords. I know that's not much comfort now, but if you resolve it, consider a different & random port, allow specific users and even lock it down to IP addresses if possible. I think @EsaJokinen is correct: either they are in already or have been in and deployed code. – Admiral Noisy Bottom Apr 23 '20 at 09:56
  • There is no evidence of a brute force (or any) attack. The problem likely lies elsewhere. DNS? Firewall? What are the contents of /etc/resolved.conf? What does ping www.google.com return? – davidgo Apr 23 '20 at 09:56
  • Thanks for that, all - I was not aware `::1` refers to localhost; looks like I've had a port forward of port 22 enabled somewhere ... thankfully there is no critical data on that server, so I'll try to reinstall it eventually. – sdaau Apr 23 '20 at 10:03
  • This is quite unusual and I would bet on a port forwarding too (your router maybe). Makes no sense to brute force SSH when you are already inside the machine. – Kate Apr 23 '20 at 13:28

1 Answer

0

::1 is the loopback address in IPv6, the equivalent of 127.0.0.1 for IPv4.

Your server cannot brute-force itself. If your server has been compromised, you should completely reinstall it.

As a general recommendation, try to use a port other than the default SSH port.

Overmind
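The inspection the question asks for, as an added example that is not part of the original question or answer: the first function groups sshd "Failed password" lines by source address and marks loopback sources (`::1`, `127.0.0.0/8`, and the IPv4-mapped form `::ffff:127.x.x.x`), because a loopback source means the connection is arriving through something running on the host itself (a forward, a reverse tunnel such as `ssh -R`, a proxy, or a process that already has a foothold) rather than directly from the network. The second function is the live check for that case: list the established connections on port 22 together with the owning process, so the local peer of the `::1` connection can be identified. The script assumes bash, a sed with `-E`, and iproute2 `ss`; the sample log lines are constructed for the example (two copied from the question, the others using documentation addresses) and are not real data.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.

# Classify a source address as loopback or remote.
# ::1 is the IPv6 loopback, 127.0.0.0/8 the IPv4 loopback, and
# ::ffff:127.x.x.x the IPv4-mapped loopback as a dual-stack sshd may log it.
classify_addr() {
    case "$1" in
        ::1|127.*|::ffff:127.*) echo loopback ;;
        *)                      echo remote ;;
    esac
}

# Read auth.log-style lines on stdin and print "count address class" per
# source, most frequent first. Only sshd "Failed password" lines are counted;
# "Accepted ..." lines and other daemons are ignored.
summarize_failures() {
    grep -E 'sshd\[[0-9]+\]: Failed password' \
    | sed -nE 's/.* from ([^ ]+) port [0-9]+ ssh2.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | while read -r count addr; do
          printf '%s %s %s\n' "$count" "$addr" "$(classify_addr "$addr")"
      done
}

# Live check (run on the affected host, as root so -p can show every process):
# both ends of every established port-22 connection with the owning process.
# A connection whose peer is ::1 will appear twice; the line whose local port
# is NOT 22 belongs to the process that opened it towards sshd, which is the
# "port forward" that is relaying the outside attempts onto loopback.
show_local_ssh_peers() {
    ss -tnp state established '( sport = :22 or dport = :22 )'
}

# Constructed sample input (not real data). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG='Apr 23 10:54:14 myserv sshd[1994]: Failed password for root from ::1 port 50182 ssh2
Apr 23 10:54:14 myserv sshd[1992]: Failed password for invalid user pt from ::1 port 50180 ssh2
Apr 23 10:55:01 myserv sshd[2010]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Apr 23 10:55:03 myserv sshd[2012]: Accepted publickey for deploy from 198.51.100.4 port 50001 ssh2: RSA SHA256:xxxx
Apr 23 10:55:09 myserv CRON[2020]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Stand-alone run over the sample; on the real host use:
#   summarize_failures < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | summarize_failures
```

On the sample this reports two failures from `::1` (loopback) and one from 203.0.113.7 (remote). Banning `::1` in fail2ban would be the wrong fix even if it were not in the default `ignoreip` list, because it would block only the relaying process, not the attacker, and it would equally block any legitimate local client; the useful action is to find and stop whatever owns the loopback side of the connection in the `ss` output, and then treat the host as the answer above suggests.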