Unrecognized SSH access on server?
I'm running a basic Ubuntu server from Digital Ocean, which I use an SSH key (stored on my Desktop) to access.
I've just run netstat -ap with the following result:
Local Address Foreign Address State PID
XX.XXX.XX.192 183.214.141.105:53929 ESTABLISHED 25193/sshd: root [p
This isn't me, I've searched the IP and it's under a number of banned lists and originates from China.
My Questions:
1) As the state is 'ESTABLISHED', does that mean they have access to my server via SSH? Or are these brute-force attempts to gain entry?
2) How could my server have been compromised? I'm not aware that brute force can work on SSH keys. Wouldn't they have to access my key on my Desktop?
1) Established only means that the connection is fully open and data can be transmitted. It doesn't necessarily mean that any data has been transmitted! It doesn't imply anything about layer 7, whether someone has authenticated to your system or not. You can check your system logs to learn if someone has authenticated successfully. (source)
2) Maybe. You are going to need to check your logs and see if someone has authenticated successfully. On Ubuntu, ssh logs can be found in /var/log/auth
https://unix.stackexchange.com/questions/127432/logging-ssh-access-attempts
Don't forget that you can brute-force the passphrase of an SSH key.
On a side note, rebuilding a private key from a public one is technically currently impossible
https://security.stackexchange.com/questions/33238/brute-forcing-ssh-keys
I would recommend using two-factor authentication with SSH, and Fail2ban.
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs, such as too many password failures.
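To make the answer's advice concrete, here is an added example (not part of the original answer) that does the two checks it recommends: it parses sshd lines in the format Ubuntu writes to its auth log, lists every successful authentication (user, source IP, method), counts failures per source IP, and applies a Fail2ban-style "ban after N failures" threshold. The log lines, hostnames and IP addresses below are constructed sample data (documentation ranges), and the `maxretry` default of 5 mirrors Fail2ban's stock sshd jail setting; everything else is an assumption of this example rather than the project's own code.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample data in the sshd / auth.log line format. The IPs are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web sshd[25193]: Failed password for root from 198.51.100.7 port 53929 ssh2
Mar  3 10:01:15 web sshd[25193]: Failed password for root from 198.51.100.7 port 53929 ssh2
Mar  3 10:01:18 web sshd[25193]: Failed password for invalid user admin from 198.51.100.7 port 53930 ssh2
Mar  3 10:02:01 web sshd[25201]: Accepted publickey for deploy from 203.0.113.5 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar  3 10:05:44 web sshd[25210]: Accepted password for root from 198.51.100.7 port 53999 ssh2
Mar  3 10:05:44 web sshd[25210]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Matches the "Accepted <method> for <user> from <ip> port <port>" and
# "Failed <method> for [invalid user] <user> from <ip> port <port>" lines.
# Other sshd/pam lines (session opened, disconnects) are deliberately ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per authentication event (accepted or failed)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def successful_logins(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(user, source ip, auth method) for every successful authentication.

    This is the check the answer recommends: an ESTABLISHED TCP session says
    nothing about authentication, an 'Accepted ...' line does.
    """
    return [(e["user"], e["ip"], e["method"]) for e in events if e["outcome"] == "Accepted"]


def failed_attempts_by_ip(events: List[Dict[str, str]]) -> Counter:
    """Count failed authentications per source IP (the brute-force signal)."""
    return Counter(e["ip"] for e in events if e["outcome"] == "Failed")


def ips_to_ban(events: List[Dict[str, str]], maxretry: int = 5) -> Set[str]:
    """Fail2ban-style decision: ban a source once its failures reach maxretry.

    maxretry=5 is the stock sshd jail default (assumed here); the sample data
    only trips the threshold when it is lowered, which is why the report below
    passes 3.
    """
    return {ip for ip, n in failed_attempts_by_ip(events).items() if n >= maxretry}


def report(text: str, suspect_ip: str, maxretry: int = 5) -> Dict[str, object]:
    """Answer the poster's question for one suspicious address."""
    events = parse_auth_log(text)
    logins = [l for l in successful_logins(events) if l[1] == suspect_ip]
    return {
        "authenticated": bool(logins),          # did the IP ever get in?
        "logins": logins,                        # as which user, by which method
        "failures": failed_attempts_by_ip(events)[suspect_ip],
        "would_be_banned": suspect_ip in ips_to_ban(events, maxretry),
    }


if __name__ == "__main__":
    # Usage: replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read()
    # and suspect_ip with the foreign address from netstat.
    for key, value in report(SAMPLE_AUTH_LOG, "198.51.100.7", maxretry=3).items():
        print(f"{key}: {value}")
```

Two things the sample illustrates that the netstat output alone cannot: the successful login from the suspicious address arrives by password, not by key, so a password-enabled root account (not the key on the desktop) would be the thing to look at first; and the three failures preceding it are below Fail2ban's default threshold, so a jail with the stock setting would not have intervened in this constructed case.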