Is someone trying to hack into my server? What can I do?

A few weeks ago I posted a question here about some ssh issues I was having with an Ubuntu 12.04 box. Fast forward to today and I am trying to allow someone else access to the machine, but they keep getting password errors. I checked /var/log/auth.log for more info, and found this:

May 11 19:45:33 myserver sshd[9264]: Did not receive identification string from 211.110.xxx.x
May 11 19:45:38 myserver sshd[9267]: Did not receive identification string from 211.110.xxx.x
May 11 19:45:44 myserver sshd[9270]: Did not receive identification string from 211.110.xxx.x
May 11 19:45:49 myserver sshd[9274]: Did not receive identification string from 211.110.xxx.x

I have almost 10000 lines that all seem to say more or less the same thing (there are also 4 auth.log.gz files, which I'm assuming are more of the same?). Sometimes there is a random username attached to the request: input_userauth_request: invalid user bash [preauth]

I don't know much about servers, but it looks like someone is trying to gain access to mine.

I Googled around for how to block an IP address in Ubuntu and ended up with this: iptables -A INPUT -s 211.110.xxx.x -j DROP, but after running that command and checking the logs, I'm still getting requests from this one IP every 5 seconds.

How can I find out more about what's going on and deal with these constant requests?


Solution 1:

From what you describe, it looks like an automated attack on your server. Most attacks are, unless the attacker knows you personally and is holding a grudge...

Anyway, you might want to look into denyhosts, which you can get from the usual repos. It can analyse repeated attempts and will block their IP address. You may still get something in your logs, but it will at least help mitigate any security concerns.

As for getting more information, I really wouldn't bother. Unless they're an amateur, they'll be using a remote server to do their dirty work which will tell you nothing about who they really are. Your best bet is to find the admin for the IP range (WHOIS is your friend here), and let them know that you're getting a lot of access attempts from that IP. They may be good enough to do something about it.

Solution 2:

You don't want to see these failed login attempts in your logs, so you should filter this IP on the network.

If you have your own router or hardware firewall (not the one on the server), use it to block this IP. You can also ask your internet provider to block it.

If the server is a VPS, then ask your VPS provider to block this IP. In most cases they will not reject your request for help, because it costs them nothing.

Attacks from a single IP can be mitigated easily compared to attacks coming from many different IPs. To protect against a distributed attack you need a special service from your network provider, which you have to pay for. On the server level you can fight them with DenyHosts or Fail2ban. Fail2ban protects not only ssh but other services too. It uses a little more memory. Fail2ban uses iptables to block IPs and DenyHosts uses the file hosts.deny; both use logs to find malicious attempts. You can also configure iptables for rate limiting ssh attempts, which does not rely on logs.
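The "iptables rate limiting that does not rely on logs" mentioned at the end, as an added example that is not code from this answer or from Fail2ban/DenyHosts: a POSIX shell script that prints the rules for review and installs them only when run as root with --apply. Port 22, the 60-second window, the 4-connections-per-window limit and the trusted address 192.0.2.10 (a documentation address standing in for the admin's own IP) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: throttle new SSH connections
# per source address with the iptables "recent" match, so a scanner that opens
# a socket every 5 seconds is dropped in the kernel without anything having to
# read auth.log. Port, window, hit count and the trusted address are
# assumptions for the example; 192.0.2.10 is a documentation address.

SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-60}              # seconds of per-IP history to keep
HITS=${HITS:-4}                   # new connections allowed per IP per window
TRUSTED=${TRUSTED:-192.0.2.10}    # your own address: never throttled

# ssh_ratelimit_rules: print the iptables commands, one per line, in the order
# they must appear in INPUT. Review first, apply second, so a typo cannot cut
# off your own session.
#   1. trusted address is accepted before any counting happens
#   2. --set records every NEW connection from a source in list "SSH"
#   3. --rcheck + -m limit logs the offender once a minute instead of
#      thousands of times (the log line says who is being throttled)
#   4. --update drops the NEW connection when the source has made HITS
#      connections inside WINDOW, and refreshes its timestamp, so an attacker
#      who keeps retrying stays blocked until it is quiet for WINDOW seconds
ssh_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -s $TRUSTED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --rcheck --seconds $WINDOW --hitcount $HITS -m limit --limit 1/minute -j LOG --log-prefix "ssh-throttle: "
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP
EOF
}

# apply_ssh_ratelimit: install the rules (root only) and show the tracked list.
apply_ssh_ratelimit() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ssh_ratelimit: must run as root" >&2
        return 1
    fi
    ssh_ratelimit_rules | sh -e
    # Each tracked source address with its recent hit timestamps:
    cat /proc/net/xt_recent/SSH
}

# Default is a dry run that only prints the rules; pass --apply to install.
case "${1:-}" in
    --apply) apply_ssh_ratelimit ;;
    *)       ssh_ratelimit_rules ;;
esac
```

Because these rules are appended with `-A`, check with `iptables -L INPUT -v -n --line-numbers` that no earlier blanket ACCEPT for port 22 sits above them, and keep the trusted-address rule first so a burst of your own reconnects (or a scanner spoofing SYNs with your address) cannot lock you out. Like any iptables change on Ubuntu, the rules are lost on reboot unless saved, for example with iptables-persistent.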