[SOLVED] Chinese IP address trying to access root, what to do?
#1
Here are some logs that worry me. It's trying to access my VPS:
am_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.211.94  user=root
Jan 26 10:03:52  sshd[2070]: Failed password for root from 58.218.211.94 port 34795 ssh2
Jan 26 10:03:52  sshd[2068]: Failed password for root from 221.194.47.208 port 57479 ssh2
Jan 26 10:03:54  sshd[2070]: Failed password for root from 58.218.211.94 port 34795 ssh2
Jan 26 10:03:54  sshd[2068]: Failed password for root from 221.194.47.208 port 57479 ssh2
Jan 26 10:03:54  sshd[2068]: Received disconnect from 221.194.47.208 port 57479:11:  [preauth]
Jan 26 10:03:54  sshd[2068]: Disconnected from 221.194.47.208 port 57479 [preauth]
Jan 26 10:03:54  sshd[2068]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.208  user=root
Jan 26 10:03:56  sshd[2070]: Failed password for root from 58.218.211.94 port 34795 ssh2
Jan 26 10:03:56  sshd[2070]: Received disconnect from 58.218.211.94 port 34795:11:  [preauth]
Jan 26 10:03:56  sshd[2070]: Disconnected from 58.218.211.94 port 34795 [preauth]
Jan 26 10:03:56  sshd[2070]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.211.94  user=root


What to do with it?
#2
@tukai try changing the SSH port, it is safe. And use an anti-DDoS tool like U2BAN (maybe)
#3
Changing the SSH port may be enough to block these bots. Do it immediately, and follow the recommendations listed on
https://freevps.us/thread-4125.html
#4
Yeah, I am thinking of changing the SSH ports. Thanks. I am also thinking of using u2ban.
#5
I also got similar brute-force attacks from the same IP.
Fly
#6
This forum has tons of topics regarding the very same subject but no one seems to bother to look them up.

Here is one with a lot of solutions:
- https://freevps.us/thread-19477.html
#7
That's popular nowadays; almost everyone gets brute-force attacks. I once had 9000+ failed login attempts on my root account from different IP addresses. If you wish to secure your VPSs against such attacks, consider doing the following steps:

1. Disable root user.
- This is the best solution since the attackers usually target the root user.

2. Use unusual usernames.
- Do not use usernames like admin or other popular words.

3. Use SSH key based authentication.
- That's actually better than password authentication, more secure as well.

4. Install fail2ban.
- This also works (but I haven't really bothered installing it, and I don't have past experience with it either).

5. Change your SSH port
- Not really necessary as it might be ineffective if someone did a port scan on your IP.

6. Use complicated passwords.
- Try to use long passwords that contain letters, numbers and symbols (example: ijEYz97E1nA!p%6)

7. Run only trustworthy scripts/programs as sudo.
- Sudo means run as super user/root. Running untrustworthy scripts/programs may harm your system so make sure that it's trusted before running it as super user.
#8
As Jayce said, you must install Fail2ban and allow only your own IP address to connect to your VPS. If you have a dynamic IP address, then choose a VPN server with a fixed IP and connect over it.
#9
Well, this will be a difficult one because my VPS also changes IP over time, which is a pain. So there is some problem with fail2ban. Well, otherwise disabling the root user will be a good thing.
#10
There will always be bots trying to enter your server. Normally when I deploy a new VPS with a new IP, it just takes some minutes for me to see bots trying to access it.
Just use fail2ban to ban those IPs and you are safe.
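
Added example, not part of any post in this thread and not fail2ban's own code: the kind of check a log-based banning tool runs over sshd lines like those in post #1, counting failed passwords per source IP inside a sliding time window. The names `offenders`, `max_retry` and `find_time`, the thresholds and the sample log are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" lines, with or without a hostname field, including
# the "invalid user" variant logged for accounts that do not exist.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?:\S+\s+)?sshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse(line):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed one is assumed for the deltas.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each IP with >= max_retry failures inside find_time to users tried."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> usernames it tried
    flagged = set()
    for ts, user, ip in filter(None, map(parse, lines)):
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

# Constructed sample log (documentation-range addresses, not from the thread).
SAMPLE = """\
Jan 26 10:03:52  sshd[2070]: Failed password for root from 203.0.113.7 port 34795 ssh2
Jan 26 10:03:54  sshd[2070]: Failed password for root from 203.0.113.7 port 34795 ssh2
Jan 26 10:03:56 vps1 sshd[2070]: Failed password for invalid user admin from 203.0.113.7 port 34795 ssh2
Jan 26 10:03:56  sshd[2070]: Disconnected from 203.0.113.7 port 34795 [preauth]
Jan 26 10:04:10  sshd[2075]: Failed password for root from 198.51.100.20 port 50000 ssh2
Jan 26 10:30:00  sshd[2090]: Failed password for root from 198.51.100.20 port 50002 ssh2
Jan 26 10:50:00  sshd[2095]: Failed password for root from 198.51.100.20 port 50004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, tried in offenders(SAMPLE).items():
        print(f"{ip}: ban candidate, tried users {tried}")
```

The second address in the sample also fails three times but never three times within ten minutes, so it is not flagged; slow attempts like that are why key-only login and a disabled root login matter alongside banning.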