Someone is trying to brute force SSH access to my server [duplicate]
By coincidence I looked at my server's SSH log (/var/log/auth.log) and I noticed that someone is constantly trying to gain access:
Sep 7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.42 user=root
Sep 7 13:03:48 virt01 sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2
Sep 7 13:03:52 virt01 sshd[14674]: message repeated 2 times: [ Failed password for root from 116.31.116.42 port 13423 ssh2]
Sep 7 13:03:52 virt01 sshd[14674]: Received disconnect from 116.31.116.42: 11: [preauth]
This happens a few times every minute, and has been going on for a long time without me knowing about it.
Question: Should I be concerned about this, and if yes, what should I do about it?
Solution 1:
Unfortunately, this is absolutely normal and something every SSH server experiences. Welcome to the internet.
As long as you properly secure your server (e.g. keep it updated, allow only key-based login, disable root SSH access), this shouldn't be a problem, but you can limit this even further with something like fail2ban and other approaches like IP whitelisting, changing ports and stuff like that, where possible and appropriate.
Solution 2:
- Block the IP using your firewall (iptables or whatever your service provides). Yes, they might change IPs, but make them do the work
- If you have an external firewall (i.e. AWS console lets you set access rules via a web page) consider limiting port 22 to JUST your IP. No need to fiddle with fail2ban in this case
- As mentioned in the comments, switch to key-based authentication and turn off password authentication
- Disable root logins. Add this to /etc/ssh/sshd_config:
  PermitRootLogin no
  Just let them hammer away at root all they want. They'll never get in that way then.
Solution 3:
In addition to securing the server as Sven points out, one of the best things to do (especially if SSH is there just for you, the admin) is to change the sshd port away from the default 22.
Not only is it simple (especially when you put the new port in your ~/.ssh/config so you don't have to type it every time) and it will stop 99% of those automated scans so you won't even see them, but it will also help somewhat even if some 0-day SSH vulnerability is discovered, to give you more time, or if your key is leaked, etc.
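Solutions 2 and 3 both come down to a handful of sshd_config directives (PermitRootLogin, PasswordAuthentication/PubkeyAuthentication, Port). The script below is an added example and is not from any of the answers above: it applies those directives to a config file and then checks what sshd would actually use. It runs on a constructed sample copy in a temp directory; the port number 2222, the sample file contents and the function names are all assumptions for the demo. On a real host you would run it as root against /etc/ssh/sshd_config after a backup, open the new port in the firewall first, and validate with sshd -t before restarting sshd.

```shell
#!/bin/sh
# Added example, not part of the original answers. Applies the sshd settings
# recommended above (no root login, key-only auth, non-default port) to a
# config file and checks the result. It works on a constructed sample copy;
# on a real host you would run it as root against /etc/ssh/sshd_config after
# taking a backup, then validate with "sshd -t" before restarting sshd.

# Directives to enforce, one "Key value" per line. The port number is an
# arbitrary example; pick your own and open it in the firewall first.
SSH_HARDENING="PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222"

# set_sshd_directive FILE KEY VALUE
# sshd honours the first active occurrence of a directive, and global
# directives must precede any Match block. So: replace the first active
# global line, comment out later global duplicates, otherwise insert before
# the first Match block (or append). Commented lines are left as they are.
set_sshd_directive() {
    awk -v k="$2" -v v="$3" '
        { line[NR] = $0 }
        END {
            done = 0; in_match = 0
            for (i = 1; i <= NR; i++) {
                l = line[i]; n = split(l, f); w = (n ? tolower(f[1]) : "")
                if (w == "match") {
                    if (!done) { print k " " v; done = 1 }
                    in_match = 1
                }
                if (!in_match && w == tolower(k)) {
                    if (!done) { print k " " v; done = 1 }
                    else print "#" l "   # disabled by set_sshd_directive"
                    continue
                }
                print l
            }
            if (!done) print k " " v
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd_config FILE: apply every directive in SSH_HARDENING (idempotent).
harden_sshd_config() {
    printf '%s\n' "$SSH_HARDENING" | while read -r key value; do
        set_sshd_directive "$1" "$key" "$value"
    done
}

# get_directive FILE KEY: the value sshd will use (first active line).
# "sshd -T" on the host is the authoritative check, including Match rules.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# verify_sshd_config FILE: exit 0 if every directive is effective, else
# print the first mismatch and exit 1.
verify_sshd_config() {
    printf '%s\n' "$SSH_HARDENING" | while read -r key value; do
        actual=$(get_directive "$1" "$key")
        if [ "$actual" != "$value" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$value" "${actual:-<unset>}"
            exit 1    # leaves the pipeline subshell with status 1
        fi
    done
}

# demo_harden: build a constructed sample (stock-Debian-like, with an active
# Match block) in a temp dir, harden it and print its path.
demo_harden() {
    cfg=$(mktemp -d)/sshd_config
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config, not a real host's file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
Match User deploy
    PasswordAuthentication yes
EOF
    harden_sshd_config "$cfg"
    printf '%s\n' "$cfg"
}

DEMO_CFG=$(demo_harden)
cat "$DEMO_CFG"
verify_sshd_config "$DEMO_CFG" && echo "all hardening directives effective"
```

The awkward part is the first-wins rule: a stock config usually carries a commented `#PermitRootLogin prohibit-password` above the line you care about, and an admin's earlier `PermitRootLogin yes` further down would silently win over anything appended at the end of the file. That is why the script replaces the first active global line rather than appending, and why it keeps the Match-scoped `PasswordAuthentication yes` for the deploy user untouched. Check the result with `sshd -T` on the host before you restart, and keep your current session open until a second login over the new port works.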
Solution 4:
This is pretty normal behavior. I get several thousand of those each day, and I assume even that is minuscule compared to what large companies face.
But do you need to worry?
- Have you installed fail2ban?
- Have you disabled root ssh login?
- Have you blocked the user www-data from ssh login?
- (optional) Have you disabled password based login in favor of public key login?
- (optional) Have you changed the SSH Port from 22 to something else?
- (optional) Have you added a TOTP pam module for login?
If yes, then you don't need to worry. Those attacks are usually dictionary based attacks on common unix user names. For example, I frequently see those "users" try to login:
- root
- www-data
- test
- admin
I really recommend installing fail2ban, as it will rate-limit any user trying to log in based on their IP; that alone should filter out most of the malicious traffic. Contrary to what others say, I am not a proponent of IP-based blocking. That seems like a very coarse solution to a very fine problem. Also, those attackers usually control multiple IPs, so even if you block several (or even several IP blocks), there is no guarantee you'll block them all. Fail2ban, however, is very flexible for those scenarios.
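To see what this answer is describing in your own log, the script below is an added example (not from the answer or from the fail2ban project): it totals "Failed password" events per source IP and per username the way a fail2ban sshd jail would key on them, and prints a jail.local fragment with a matching maxretry. It runs on a constructed sample built from the question's own log lines plus a few made-up lines using documentation-range addresses (198.51.100.7, 203.0.113.5, 192.0.2.9); the function names, the threshold of 3 and the findtime/bantime values are assumptions. On a real host, pass /var/log/auth.log as FILE.

```shell
#!/bin/sh
# Added example, not part of the original answers. Summarises the failures in
# an auth.log by source IP and by username, counting syslog's
# "message repeated N times" lines properly, then prints a fail2ban jail.local
# fragment using the same threshold. It runs on a constructed sample built from
# the question's log lines plus a few made-up ones; on a real host pass
# /var/log/auth.log as FILE.

# failed_events FILE -> one "COUNT USER IP" line per sshd "Failed password" line.
# A plain grep -c undercounts: "message repeated 2 times: [ Failed password ...]"
# stands for two further attempts from the same source.
failed_events() {
    awk '
        /Failed password for/ {
            n = 1
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), w, " "); n = w[3] + 0
            }
            if (match($0, / for (invalid user )?[^ ]+ from [0-9.]+/)) {
                m = split(substr($0, RSTART, RLENGTH), w, " ")
                print n, w[m - 2], w[m]
            }
        }' "$1"
}

# failed_logins_by_ip FILE -> "COUNT IP", highest first (what fail2ban keys on)
failed_logins_by_ip() {
    failed_events "$1" | awk '{ c[$3] += $1 } END { for (k in c) print c[k], k }' | sort -rn
}

# failed_logins_by_user FILE -> "COUNT USER": the dictionary names being tried
failed_logins_by_user() {
    failed_events "$1" | awk '{ c[$2] += $1 } END { for (k in c) print c[k], k }' | sort -rn
}

# ips_over_threshold FILE MAXRETRY -> sources with >= MAXRETRY failures, sorted;
# the same decision fail2ban's sshd jail makes within its findtime window
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }' | sort
}

# fail2ban_sshd_jail MAXRETRY -> a /etc/fail2ban/jail.local fragment. Keys are
# real fail2ban options; the find/ban times (seconds) are an example policy.
fail2ban_sshd_jail() {
    cat <<EOF
[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/auth.log
maxretry = $1
findtime = 600
bantime  = 3600
EOF
}

# make_sample_log: constructed auth.log excerpt (the question's lines plus
# extras with documentation-range addresses); prints the temp file's path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.42 user=root
Sep 7 13:03:48 virt01 sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2
Sep 7 13:03:52 virt01 sshd[14674]: message repeated 2 times: [ Failed password for root from 116.31.116.42 port 13423 ssh2]
Sep 7 13:03:52 virt01 sshd[14674]: Received disconnect from 116.31.116.42: 11: [preauth]
Sep 7 13:04:10 virt01 sshd[14680]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
Sep 7 13:04:15 virt01 sshd[14682]: Failed password for invalid user test from 198.51.100.7 port 40211 ssh2
Sep 7 13:05:01 virt01 sshd[14690]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2: RSA SHA256:constructedfingerprint
Sep 7 13:05:30 virt01 sshd[14695]: Failed password for www-data from 198.51.100.7 port 40300 ssh2
Sep 7 13:06:02 virt01 sshd[14700]: Failed password for root from 192.0.2.9 port 52011 ssh2
EOF
    printf '%s\n' "$f"
}

DEMO_LOG=$(make_sample_log)
echo "== failed logins by source IP =="; failed_logins_by_ip "$DEMO_LOG"
echo "== failed logins by username =="; failed_logins_by_user "$DEMO_LOG"
echo "== sources at or over maxretry=3 =="; ips_over_threshold "$DEMO_LOG" 3
echo "== matching jail.local fragment =="; fail2ban_sshd_jail 3
```

Two things the totals show that a quick grep does not: the "message repeated" line hides two of the three attempts from 116.31.116.42, and 198.51.100.7 reaches the same count while rotating through admin, test and www-data, which is the usernames-per-source pattern the answer describes. The Received disconnect and Accepted publickey lines are deliberately ignored, so a successful key login from your own address never counts against it.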