Some Chinese IPs keep probing my ssh port
My Dedispec server suddenly halted this morning. I contacted them and after a few hours it got rebooted. I decided to investigate further, because it's quite rare for a Linux server to halt itself.
I ran sudo journalctl -b -1 -e, and this is what I got:
Apr 26 15:52:39 s123348 kernel: perf: interrupt took too long (6190 > 6170), lowering kernel.perf_event_max_sample_rate to 32250
Apr 26 15:54:00 s123348 sshd[620333]: Received disconnect from 116.252.87.31 port 46099:11: Bye Bye [preauth]
Apr 26 15:54:00 s123348 sshd[620333]: Disconnected from authenticating user root 116.252.87.31 port 46099 [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Received disconnect from 116.252.87.31 port 46192:11: Bye Bye [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Disconnected from authenticating user root 116.252.87.31 port 46192 [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Invalid user ubnt from 116.252.87.31 port 46245
Apr 26 15:54:03 s123348 sshd[620459]: Received disconnect from 116.252.87.31 port 46245:11: Bye Bye [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Disconnected from invalid user ubnt 116.252.87.31 port 46245 [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Received disconnect from 116.252.87.31 port 46281:11: Bye Bye [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Disconnected from authenticating user root 116.252.87.31 port 46281 [preauth]
Apr 26 15:54:06 s123348 sshd[620465]: Received disconnect from 116.252.87.31 port 46320:11: Bye Bye [preauth]
Apr 26 15:54:06 s123348 sshd[620465]: Disconnected from authenticating user root 116.252.87.31 port 46320 [preauth]
Apr 26 15:54:07 s123348 sshd[620467]: Received disconnect from 116.252.87.31 port 46419:11: Bye Bye [preauth]
Apr 26 15:54:07 s123348 sshd[620467]: Disconnected from authenticating user root 116.252.87.31 port 46419 [preauth]
Apr 26 15:54:09 s123348 sshd[620559]: Received disconnect from 116.252.87.31 port 46550:11: Bye Bye [preauth]
Apr 26 15:54:09 s123348 sshd[620559]: Disconnected from authenticating user root 116.252.87.31 port 46550 [preauth]
Apr 26 15:54:10 s123348 sshd[620561]: Received disconnect from 116.252.87.31 port 46629:11: Bye Bye [preauth]
Apr 26 15:54:10 s123348 sshd[620561]: Disconnected from authenticating user root 116.252.87.31 port 46629 [preauth]
Apr 26 15:54:12 s123348 sshd[620580]: Received disconnect from 116.252.87.31 port 46677:11: Bye Bye [preauth]
Apr 26 15:54:12 s123348 sshd[620580]: Disconnected from authenticating user root 116.252.87.31 port 46677 [preauth]
Apr 26 15:54:13 s123348 sshd[620645]: Received disconnect from 116.252.87.31 port 46724:11: Bye Bye [preauth]
Apr 26 15:54:13 s123348 sshd[620645]: Disconnected from authenticating user root 116.252.87.31 port 46724 [preauth]
Apr 26 15:54:15 s123348 sshd[620653]: Received disconnect from 116.252.87.31 port 46760:11: Bye Bye [preauth]
Apr 26 15:54:15 s123348 sshd[620653]: Disconnected from authenticating user root 116.252.87.31 port 46760 [preauth]
Apr 26 15:54:16 s123348 sshd[620655]: Received disconnect from 116.252.87.31 port 46811:11: Bye Bye [preauth]
Apr 26 15:54:16 s123348 sshd[620655]: Disconnected from authenticating user root 116.252.87.31 port 46811 [preauth]
Apr 26 15:54:19 s123348 sshd[620730]: Received disconnect from 116.252.87.31 port 46925:11: Bye Bye [preauth]
Apr 26 15:54:19 s123348 sshd[620730]: Disconnected from authenticating user root 116.252.87.31 port 46925 [preauth]
Apr 26 15:54:21 s123348 sshd[620749]: Received disconnect from 116.252.87.31 port 47120:11: Bye Bye [preauth]
Apr 26 15:54:21 s123348 sshd[620749]: Disconnected from authenticating user root 116.252.87.31 port 47120 [preauth]
Apr 26 15:54:22 s123348 sshd[620759]: Received disconnect from 116.252.87.31 port 47166:11: Bye Bye [preauth]
Apr 26 15:54:22 s123348 sshd[620759]: Disconnected from authenticating user root 116.252.87.31 port 47166 [preauth]
Apr 26 15:54:25 s123348 sshd[620822]: Received disconnect from 116.252.87.31 port 47205:11: Bye Bye [preauth]
Apr 26 15:54:25 s123348 sshd[620822]: Disconnected from authenticating user root 116.252.87.31 port 47205 [preauth]
Apr 26 15:54:26 s123348 sshd[620824]: Received disconnect from 116.252.87.31 port 47280:11: Bye Bye [preauth]
Apr 26 15:54:26 s123348 sshd[620824]: Disconnected from authenticating user root 116.252.87.31 port 47280 [preauth]
Apr 26 15:54:28 s123348 sshd[620826]: Received disconnect from 116.252.87.31 port 47391:11: Bye Bye [preauth]
Quite interestingly, I saw you guys saying that most of the abusers come from DO, Linode, or cloud providers, but this one seems to come from CHINANET Guangxi with a residential IP, which is quite rare?
So what should I do next?
So far I've set up: login with keys only, and only allowing my IP and my VPS to log in. Am I missing something else?
I was also considering reporting abuse, but since it's not a provider or hosting company, I have no idea how to do it.
Thanks
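One way to summarise what a journal excerpt like the one above actually shows, as an added example that is not part of the original post: a small POSIX shell function that reads journalctl or auth.log text on stdin and reports, per source IP, how many pre-auth disconnects sshd logged and which usernames were tried. The sample input is the first few lines of the post's own log plus one constructed line from 203.0.113.5 (a documentation address) so that grouping by source is visible; the optional minimum-count argument is the same "N failures from one address" idea that fail2ban applies before banning.

```shell
#!/bin/sh
# Summarise sshd pre-auth disconnects per source IP from journalctl / auth.log text.
# Usage: journalctl -u ssh --since today | ssh_preauth_summary [min_count]
# Output: "<attempts> <ip> <comma-separated usernames tried>", most active source first.
ssh_preauth_summary() {
  min=${1:-1}
  awk -v min="$min" '
    # Every failed attempt ends with one of these lines:
    #   sshd[PID]: Disconnected from authenticating user root 116.252.87.31 port 46099 [preauth]
    #   sshd[PID]: Disconnected from invalid user ubnt 116.252.87.31 port 46245 [preauth]
    # "authenticating user" means the account exists, "invalid user" means it does not.
    /sshd\[[0-9]+\]: Disconnected from (authenticating|invalid) user / {
      for (i = 1; i <= NF; i++) if ($i == "user") { name = $(i + 1); ip = $(i + 2); break }
      count[ip]++
      if (!seen[ip, name]++) users[ip] = (users[ip] == "") ? name : (users[ip] "," name)
    }
    END {
      for (ip in count) if (count[ip] >= min) printf "%d %s %s\n", count[ip], ip, users[ip]
    }' | sort -rn
}

# Sample input: the first lines of the log quoted in the post, plus one constructed line
# from 203.0.113.5 (a TEST-NET documentation address) so grouping by source is visible.
SAMPLE_LOG='Apr 26 15:54:00 s123348 sshd[620333]: Received disconnect from 116.252.87.31 port 46099:11: Bye Bye [preauth]
Apr 26 15:54:00 s123348 sshd[620333]: Disconnected from authenticating user root 116.252.87.31 port 46099 [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Received disconnect from 116.252.87.31 port 46192:11: Bye Bye [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Disconnected from authenticating user root 116.252.87.31 port 46192 [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Invalid user ubnt from 116.252.87.31 port 46245
Apr 26 15:54:03 s123348 sshd[620459]: Received disconnect from 116.252.87.31 port 46245:11: Bye Bye [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Disconnected from invalid user ubnt 116.252.87.31 port 46245 [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Received disconnect from 116.252.87.31 port 46281:11: Bye Bye [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Disconnected from authenticating user root 116.252.87.31 port 46281 [preauth]
Apr 26 15:55:10 s123348 sshd[620900]: Disconnected from authenticating user admin 203.0.113.5 port 50000 [preauth]'

# Run on the sample; on a real host pipe journalctl output in instead.
printf '%s\n' "$SAMPLE_LOG" | ssh_preauth_summary
```

Only the "Disconnected from ... user" lines are counted, because each attempt produces exactly one of them; the "Received disconnect" and "Invalid user" lines describe the same attempt and would double-count it. Note that the excerpt in the post contains no "Accepted" or "Failed password" lines at all: with keys-only authentication the scanner never gets past the pre-auth stage, which is what the [preauth] tag on every line means.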
Comments
Power off your box and no one will be able to connect
What!? No way!
I get these too; I changed the ssh port and set up a honeypot on port 22.
Install fail2ban (or whatever the modern version of it is, haven't used it in 10 years)
Change port, only allow ssh keys
Still fail2ban, still good advice.
Personally I always firewall off 22 so only specific IP addresses can connect.
What's quite curious is that he didn't try port 22 at all.
hate it when that happens
That is also what I do now. Since I am more familiar with ufw than iptables, it seems I made some mistake so that it didn't apply to iptables; fixed now.
Use port 4454 or 18394 or 42069 or 65530. Never got probed.
I see a lot of SSH probing coming from Chinese residential ISPs such as ChinaNet, so for me it isn’t quite rare, rather to be expected.
Send complaints to the North Pole and they'll end up on the naughty list.
Security by obscurity is not really security. As has been said, Fail2Ban plus a properly configured firewall are the best options here.
Entirely disabling password authentication in sshd_config will disconnect every connection without a public key and thus avoid any password login attempts. You can also lower the log level if you do not want to see any non-critical errors.
No. 1, Fail2Ban never worked for me.
No. 2, I access my server from literally all around the world.
No. 3, too scary to give a public key to others, too lazy to change it afterwards.
No. 4, what the heck are they gonna do anyway? Set MaxAuthTries to 2 or 3 and LoginGraceTime to 15, stop root login, and use non-generic usernames.
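The sshd_config advice in the two comments above (disable PasswordAuthentication; lower MaxAuthTries and LoginGraceTime; stop root login), as an added example that is not part of any commenter's post: a POSIX shell audit of an sshd_config file that reads values the way sshd does, first occurrence wins and comments are ignored, and flags what deviates. Both config files are constructed for the example; the thresholds (MaxAuthTries of 3 or less, LoginGraceTime of 30 seconds or less) follow the numbers given in the thread, and the function assumes no Include directives and the "Keyword value" rather than "Keyword=value" form.

```shell
#!/bin/sh
# Audit an sshd_config file for the settings recommended in the thread: no password
# logins, no root login, keys only, a low MaxAuthTries and a short LoginGraceTime.

# Effective value of one keyword, the way sshd reads the file: comments and blank lines
# are ignored, keywords are case-insensitive, and the FIRST occurrence wins (a later
# "PasswordAuthentication no" does not override an earlier "yes"). Lines inside a
# Match block are conditional, so reading stops at the first Match line.
# Assumptions of this example: no Include directives, "Keyword value" form only.
sshd_effective() {  # sshd_effective <file> <keyword>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Convert a LoginGraceTime value to seconds: plain numbers and the s/m suffixes are
# handled (sshd also accepts h/d/w, which this example leaves out).
grace_seconds() {
  case "$1" in
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# Print one finding per weak setting; return the number of findings (0 = all good).
# Absent keywords are compared against sshd's built-in defaults.
audit_sshd_config() {  # audit_sshd_config <file>
  f=$1
  bad=0
  v=$(sshd_effective "$f" PasswordAuthentication); v=${v:-yes}
  [ "$v" = no ]  || { echo "PasswordAuthentication is '$v', want no"; bad=$((bad + 1)); }
  v=$(sshd_effective "$f" PermitRootLogin); v=${v:-prohibit-password}
  [ "$v" = no ]  || { echo "PermitRootLogin is '$v', want no"; bad=$((bad + 1)); }
  v=$(sshd_effective "$f" PubkeyAuthentication); v=${v:-yes}
  [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v', want yes"; bad=$((bad + 1)); }
  v=$(sshd_effective "$f" MaxAuthTries); v=${v:-6}
  [ "$v" -le 3 ] 2>/dev/null || { echo "MaxAuthTries is '$v', want 3 or less"; bad=$((bad + 1)); }
  v=$(grace_seconds "$(sshd_effective "$f" LoginGraceTime)"); v=${v:-120}
  [ "$v" -le 30 ] 2>/dev/null || { echo "LoginGraceTime is ${v}s, want 30s or less"; bad=$((bad + 1)); }
  return "$bad"
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed example of a typical default-ish config. Neither the commented-out line
# nor the late "PasswordAuthentication no" changes the effective value.
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
LoginGraceTime 2m
PasswordAuthentication no
EOF

# Constructed example applying the thread's advice. The Match block re-enables passwords
# for one account only; it is conditional and does not count as the global setting.
cat >"$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20s
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "$? finding(s)"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "no findings"
```

On a live host the authoritative check is `sudo sshd -T`, which prints the effective configuration after every Include has been merged; the stock Ubuntu sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there (cloud-init writes one on some images) wins over whatever is set later in the main file, which is a common reason a `PasswordAuthentication no` edit appears not to apply.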
Today must be a day that ends in, "y".
What? It's a public key.
Today is April. Checkmate.
1. What do you mean Fail2Ban never worked for you?
2. Run your own VPN servers (minimum 2) so you have a fixed IP you can access remotely first.
3. Why are you scared of giving out a public key?
4. Overwhelm your server resources by hitting it with so many login attempts that you run out of disk space for the logs or exhaust RAM/CPU.
I just don't like sharing keys with people.
Just change SSH port to 1989 and you will never get any bruteforce from China.
If you can't set up Fail2Ban, I'm not really sure what I can say. Good luck on the internet.
Yes, that's a great idea 👍
Look into "port knocking"
Some people shouldn't be let loose on a VPS/server.
Looks like the abusive IP is 116.252.87.31. It's an open proxy, possibly a compromised device.
I do my best; I believe nobody wants/intended to do so.