Tens of thousands of failed/denied SSH login attempts [closed]
Recently a few friends and I came up with an idea for an app. To facilitate the creation of it, we set up LAMP on an Ubuntu Server 12.04. This box is running from my home. We've set up 3 user accounts. I'm still pretty new to Linux, but I have a bit of experience from using Ubuntu on my own box.
Today I was playing around with SSH and looking at the logs (I need to learn how to read that information to know how the server is performing, right?) and I saw the strangest thing.
In /var/log/auth.log and /var/log/auth.log.1 I saw a bunch of failed login attempts for 'root' and a few usernames I'm not familiar with. I looked over them and, as far as I can see, no user has been authenticated except for the actual users on the system. A lot of the IP addresses listed seem to be from Russia.
As of now this server contains nothing but a vanilla Ubuntu Server with LAMP, but even so, with the following command:
sudo grep -i fail /var/log/auth.log | wc -l
I get 3412 as a result. This seems very excessive for a server that has been up since April 8th. It gets worse, because running the above command on auth.log.1 returns 23075 (!!!!) results.
It seems obvious that people are trying to break into the server. Not that it contains anything of value, but once we start making progress on the app we wouldn't want our intellectual property stolen.
Should I be worried? And what can I do about it?
EDIT:
I found some very useful information here and this allowed me to run a script that splits and sorts all the invalid passwords and invalid users that tried to log in. May come in handy to someone who ended up here through Google!
Solution 1:
This is happening a lot to me too. There are a lot of script kiddies trying brute force attacks against your SSH server.
My solution till now was to install DenyHosts, but it seems that it will not be supported in 14.04; the next best solution seems to be Fail2Ban. Links and more information are in "Package denyhosts in Ubuntu Trusty Tahr is deleted: temporary or forever?"
In that answer, bodhi.zazen pointed to this highly recommended page: https://web.archive.org/web/20190828185822/http://bodhizazen.com/Tutorials/SSH_security
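An added example, not part of the original question or answer: the question's `grep -i fail | wc -l` count broken down by source address and user name, plus a check that every accepted login belongs to an account you expect. The log lines are constructed, the account names `alice` and `bob` are hypothetical, and the patterns assume OpenSSH's plain `Failed password ... ssh2` and `Accepted ... for ...` syslog lines.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Apr 10 03:14:07 box sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 10 03:14:09 box sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 10 03:14:11 box sshd[1240]: Invalid user oracle from 203.0.113.5
Apr 10 03:14:12 box sshd[1240]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Apr 10 03:14:12 box sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Apr 10 04:02:30 box sshd[1301]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Apr 10 09:15:00 box sshd[1400]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Apr 10 09:20:00 box sshd[1422]: Failed password for alice from 192.0.2.10 port 50030 ssh2
Apr 10 09:20:05 box sshd[1422]: Accepted publickey for bob from 192.0.2.11 port 50031 ssh2
"""

# The user name is text supplied by the remote client, so match it greedily
# and anchor on the end of the line to take the address sshd itself logged.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text, known_users):
    """Count failed password attempts per source and per user, and list
    accepted logins for accounts that are not in known_users."""
    by_ip, by_user, invalid, unexpected = Counter(), Counter(), set(), []
    grep_style = 0
    for line in log_text.splitlines():
        line = line.rstrip()
        if "fail" in line.lower():
            grep_style += 1  # what `grep -i fail | wc -l` counts
        m = FAILED.search(line)
        if m:
            by_ip[m.group(3)] += 1
            by_user[m.group(2)] += 1
            if m.group(1):
                invalid.add(m.group(2))  # account does not exist on the box
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) not in known_users:
            unexpected.append((m.group(2), m.group(3), m.group(1)))
    return {"grep_style": grep_style, "failed": sum(by_ip.values()),
            "by_ip": by_ip, "by_user": by_user,
            "invalid_users": sorted(invalid), "unexpected_logins": unexpected}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, known_users={"alice", "bob"})
    print(report["by_ip"].most_common(10))
    print(report["unexpected_logins"] or "no unexpected accepted logins")
```

The `grep_style` figure is higher than `failed` because PAM's `authentication failure` line also contains "fail"; the entry that matters most is `unexpected_logins`, which should stay empty.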