Tens of thousands of failed/denied SSH login attempts [closed]

ssh server log login lamp

Recently a few friends and I came up with an idea for an app. To facilitate the creation of it, we set up LAMP on an Ubuntu Server 12.04. This box is running from my home. We've set up 3 user accounts. I'm still pretty new to Linux, but I have a bit of experience from using Ubuntu on my own box.

Today I was playing around with SSH and looking at the logs (I need to learn how to read that information to know how the server is performing, right?) and I saw the strangest thing.

In /var/log/auth.log and /var/log/auth.log.1 I saw a bunch of failed login attempts for 'root' and a few usernames I'm not familiar with. I looked over them and for as far as I can see no user has been authenticated except for the actual users on the system. A lot of the IP-addresses listed seem to be from Russia.

As of now this server contains nothing but a vanilla Ubuntu Server with LAMP, but even so, with the following command:

sudo grep -i fail /var/log/auth.log | wc -l

I get 3412 as a result. This seems very excessive for a server that has been up since April 8th. It gets worse, because running the above command on auth.log.1 returns 23075 (!!!!) results.

It seems obvious that people are trying to break into the server. Not that it contains anything of value, but once we start making progress on the app we wouldn't want our intellectual property stolen.

Should I be worried? And what can I do about it?

EDIT:

I found some very useful information here and this allowed me to run a script that splits and sorts all the invalid passwords and invalid users that tried to log in. May come in handy to someone who ended up here through Google!


Solution 1:

This is happening a lot to me too. There are a lot of script kiddies trying brute force attacks against your SSH server.

My solution till now was to install DenyHosts, but seems that it will be not supported in 14.04; the next best solutions seems to be Fail2Ban. Links and more information in Package denyhosts in Ubuntu Trusty Tahr is deleted: temporary or forever?

In that answer, bodhi.zazen pointed to this highly recommended page: https://web.archive.org/web/20190828185822/http://bodhizazen.com/Tutorials/SSH_security

Related

Internal Monitor Not Detected Ubuntu 21.10 Acer Nitro 5
How to fix: “Partition does not start on physical sector boundary”
rsync can not delete .git/objects directory files
Can't log in - get Caps lock is on error - but Caps lock is not on
messed up sshd_config, so removed openssh-server, installed openssh-server, Not replacing deleted config file /etc/ssh/sshd_config
gphoto2: Could not claim the USB device
Weird screen when I attempt to boot Ubuntu from a usb hard drive
Difference between the two Flatpak backends available in apt for Plasma Discover? Is there a problem from Installing both?
Is it possible to prevent usrmerge package installation on systems upgraded from 18.04 LTS?
My computer won't update because of errors
Can someone help me install bluetooth firmware on my Ubuntu 16.04 laptop?
How to automatically detect username when setting file path for icon