
I recently started running a personal site on a dedicated server that I've had for some time, but have never actually used. I had never checked its logs, but now when I do, auth.log is full of random SSH connection attempts from Chinese, Russian, Ukrainian, Azerbaijani, etc. IPs. I got curious and checked the logs on another server that I recently acquired, and it's the same story there. I've resorted to draconian measures (I've blocked all Chinese IPs), but one thing keeps bugging me:

How do they pick their targets? And how did they find me? Do they just throw themselves at random IPs? (I think it wouldn't be very useful to try to connect via SSH on port 22 on some random home router, so that doesn't sound logical)

And on a side note (maybe too big of a side note, but still), is what I did (blocked all traffic except on ports 22, 80, 443 and 8080 + all the IPs that I've caught + all Chinese IPs, and removed root SSH login) enough to combat them, or am I still at risk?

  • http://serverfault.com/questions/735032/logs-received-disconnect-from-without-the-accepted-couterpart/735038#735038 – Froggiz Nov 10 '15 at 13:15
  • I know what they are trying to do, my question is where do they find their targets from? – Adrian Todorov Nov 10 '15 at 13:18
  • "I think it wouldn't be very useful to try to connect via SSH on port 22 on some random home router" Then you would be wrong. :) Home routers are *great* targets for exploitation. – jscott Nov 10 '15 at 13:19
  • [Secure your ssh server](https://stribika.github.io/2015/01/04/secure-secure-shell.html) which will also get rid of the vast majority of bots. – Michael Hampton Nov 10 '15 at 13:25
  • `Where do the Chinese, Russian and etc. random attackers find their targets?` - On the internet. Is your server on the internet? If so, then that's where they found it. – joeqwerty Nov 10 '15 at 19:45
  • "How do they pick their targets?" They attack every possible public IPv4 IP in an automated, distributed manner. – ceejayoz Nov 11 '15 at 16:20

2 Answers


The fact that it's connected to the Internet means it's at risk. IP sweeps are common and not all that difficult to do. Once they have IPs that respond, they start blasting known attacks at them. Even if they only have a 0.1% success rate, that could be dozens or hundreds of compromised systems per day.

David King

They are using bots.

It is a range scan: they scan almost all IPs worldwide. Targets are found from all existing IP ranges (from 0.0.0.0 to 255.255.255.255); you are just one number in those ranges.

If a port answers as open, the bot will try every known attempt to get in.

Froggiz
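As an added example (not part of the question or either answer), here is the log-side view of the range scan both answers describe: a small Python triage script run over a few constructed auth.log lines. The source addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, so nothing here is a real attacker. It counts failed logins per source, notes username spraying and root attempts, separates sources that eventually got an `Accepted` login from those that only ever failed, and emits iptables drop rules for the block candidates. The threshold values, the allowlist, the `SourceStats` structure and the rule format are my own choices, not anything from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample of OpenSSH auth.log lines (documentation IP ranges, not real hosts).
# 203.0.113.5 and 198.51.100.23 behave like the bots in the question; 192.0.2.9 is a
# legitimate user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
Nov 10 13:02:11 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 10 13:02:13 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 10 13:02:14 srv sshd[2108]: Invalid user admin from 203.0.113.5 port 51240
Nov 10 13:02:14 srv sshd[2108]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 10 13:02:16 srv sshd[2110]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Nov 10 13:02:17 srv sshd[2110]: Received disconnect from 203.0.113.5 port 51244:11: Bye Bye [preauth]
Nov 10 13:02:19 srv sshd[2112]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Nov 10 13:02:30 srv sshd[2115]: Failed password for root from 198.51.100.23 port 40010 ssh2
Nov 10 13:02:33 srv sshd[2115]: Failed password for root from 198.51.100.23 port 40010 ssh2
Nov 10 13:03:01 srv sshd[2120]: Failed password for adrian from 192.0.2.9 port 55001 ssh2
Nov 10 13:03:09 srv sshd[2122]: Accepted password for adrian from 192.0.2.9 port 55003 ssh2
Nov 10 13:04:40 srv sshd[2131]: Failed password for invalid user pi from 198.51.100.23 port 40022 ssh2
Nov 10 13:04:41 srv sshd[2131]: Failed password for invalid user ubnt from 198.51.100.23 port 40022 ssh2
"""

# Only the outcome lines are scored. "Invalid user ..." and "Received disconnect ..."
# lines are deliberately ignored so one failed attempt is not counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


@dataclass
class SourceStats:
    """Per-source-IP counters (hypothetical structure, chosen for this example)."""
    failures: int = 0
    accepted: int = 0
    root_attempts: int = 0
    users: set = field(default_factory=set)   # distinct usernames tried from this IP


def parse_line(line):
    """Return (kind, user, ip, method) for failed/accepted auth lines, else None."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m["user"], m["ip"], m["method"])
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m["user"], m["ip"], m["method"])
    return None


def summarize(lines):
    """Aggregate auth outcomes per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind, user, ip, _method = ev
        s = stats[ip]
        if kind == "failed":
            s.failures += 1
            s.users.add(user)
            if user == "root":
                s.root_attempts += 1
        else:
            s.accepted += 1
    return dict(stats)


def block_candidates(stats, threshold=5, spray_users=3, allowlist=()):
    """IPs worth dropping: many failures, or a dictionary of usernames tried.
    Allowlisted networks (e.g. your own office range) are never returned."""
    nets = [ip_network(n) for n in allowlist]
    out = []
    for ip, s in stats.items():
        if any(ip_address(ip) in n for n in nets):
            continue
        if s.failures >= threshold or len(s.users) >= spray_users:
            out.append(ip)
    return sorted(out, key=lambda ip: (-stats[ip].failures, ip))


def suspicious_successes(stats):
    """Sources that failed and then got in: the only lines in a noisy log that
    actually matter for incident response, so review them by hand."""
    return sorted(ip for ip, s in stats.items() if s.accepted and s.failures)


def iptables_rules(ips):
    """Render drop rules; they are returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(st.items(), key=lambda kv: -kv[1].failures):
        print(f"{ip:16} failures={s.failures} root={s.root_attempts} "
              f"users={sorted(s.users)} accepted={s.accepted}")
    print("review:", suspicious_successes(st))
    for rule in iptables_rules(block_candidates(st, allowlist=("192.0.2.0/24",))):
        print(rule)
```

Two caveats a practitioner would add. A per-IP threshold catches the bots both answers describe, but a distributed scan that spreads its guesses across hundreds of sources stays under any single-IP count, which is why the stribika guide linked in the comments (key-only authentication) removes the risk rather than just the noise. And a block list is maintenance: tools such as fail2ban do exactly this counting with expiry, while the hand-built national blocks in the question will keep growing without ever being complete.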