So, one day, I decided to check the SSH server logs. Did so, and found something odd.
There were about 3 different IPs trying to brute-force guess the root password? What should I do, if anything?
PS: IP is: 187.141.70.67, and from Mexico? The other 2 IPs were similar, and from China, so I thought they were bots. Not sure.
Sorry if this is a stupid question. I did shut down the SSH server.
Lee Ikard
- If you only got three IP addresses trying to break in, you're either exceptionally lucky, or just turned the server on. This is part of life on the (IPv4) Internet. – Michael Hampton Oct 30 '16 at 03:05
- Still, it's concerning, especially the origin. It isn't even big; it's just my private little server for me and my friends... – Lee Ikard Oct 30 '16 at 05:02
- Possible duplicate of [Preventing brute force attacks against ssh?](http://serverfault.com/questions/4188/preventing-brute-force-attacks-against-ssh) – Jakuje Oct 30 '16 at 08:07
1 Answer
Several things you should do:
- Disable root logons via SSH (`/etc/ssh/sshd_config`: `PermitRootLogin no`)
- If you can, disable password auth. Leave only SSH key auth. (`/etc/ssh/sshd_config`: `PasswordAuthentication no`)
- Use an IDS (intrusion detection system). One example could be ossec: http://ossec.github.io/
- Use fail2ban: http://www.fail2ban.org/
- You can integrate ossec with fail2ban so that if ossec detects certain patterns, fail2ban will fire and block the remote IP. For basic SSH protection it's not needed; this is rather for more advanced cases.
Dmitry Zayats
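A way to check that the two `sshd_config` settings from the answer above are actually in effect, as an added example that is not part of the original answer. The helper names `effective_value` and `audit_sshd` and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the answer): audit an sshd_config for the two
# settings recommended above. sshd keeps the FIRST value it reads for a
# keyword, so a "PermitRootLogin no" appended below an earlier
# "PermitRootLogin yes" has no effect.

# effective_value FILE KEYWORD   (hypothetical helper)
# Prints the first global value of KEYWORD, lowercased, or "unset".
# Parsing stops at the first Match block; Include files are not followed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        { key = tolower($1) }               # keywords are case-insensitive
        key == "match" { exit }             # conditional section starts here
        key == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE   (hypothetical helper)
# Returns 0 only when both settings are effectively "no".
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    [ "$root" = "no" ] || { echo "WEAK: PermitRootLogin is '$root', want 'no'"; rc=1; }
    [ "$pass" = "no" ] || { echo "WEAK: PasswordAuthentication is '$pass', want 'no'"; rc=1; }
    return "$rc"
}

# Constructed sample config: the hardening line was appended too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
passwordauthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "Fix the first occurrence, then confirm with: sshd -T"
rm -f "$sample"
```

Where the main file pulls in other files through `Include`, running `sshd -T` as root prints the effective configuration and is the authoritative check.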