

Some Chinese IPs keep probing my ssh port - Page 3


Comments

  • @dahartigan said:

    @turdski said:

    @jason5545 said:

    @cochon said:

    @jason5545 said:
    My Dedispec server just suddenly halted this morning. I contacted them and after a few hours it got rebooted. I decided to investigate further, because it's quite rare for a Linux server to halt itself.

    Your logs show around 1 SSH attempt a second; it seems doubtful this alone would be the cause of the server outage. More likely you've just spotted this for the first time because you were looking more intently.

    Yeah, my intention was to check for any possible cause related to the hardware, then I saw this.

    so far I've set up: log in with keys only...

    If you've taken this step, unless it's filling the disk or chewing up CPU, seems best to just ignore it as background noise.

    As of now, it's fine, no effect on the system yet.

    So the conclusion is:
    Getting probed by Chinese people once a second has zero effect on your backend. :D

    Like throwing a sausage up a hallway.

    Who throws a sausage into a hallway? That just seems reckless.

  • @turdski said:

    @jason5545 said:

    @cochon said:

    @jason5545 said:
    My Dedispec server just suddenly halted this morning. I contacted them and after a few hours it got rebooted. I decided to investigate further, because it's quite rare for a Linux server to halt itself.

    Your logs show around 1 SSH attempt a second; it seems doubtful this alone would be the cause of the server outage. More likely you've just spotted this for the first time because you were looking more intently.

    Yeah, my intention was to check for any possible cause related to the hardware, then I saw this.

    so far I've set up: log in with keys only...

    If you've taken this step, unless it's filling the disk or chewing up CPU, seems best to just ignore it as background noise.

    As of now, it's fine, no effect on the system yet.

    So the conclusion is:
    Getting probed by Chinese people once a second has zero effect on your backend. :D

    Yeah, I got 35 megabytes' worth of logfile entries and no issues lol

  • @jason5545 said:

    @szymonp said:
    I get these too, changed ssh port and set up a honeypot on port 22

    Quite curiously, he didn't try port 22 at all.

    I think he did. Are those port numbers in the log not the client end's port rather than the server end's?

    Unless you have something listening on all those ports, the entries would not have been logged there (they might have been logged as rejected in the firewall logs); no connection would have been possible even that far.

  • @MeAtExampleDotCom said: Are those port numbers in the log not the client end's port rather than the server end's?

    Yes, it's from the client connecting; it's the port assigned by the router's NAT for the connection, not a port on the server.

  • @DanSummer said:

    @Otus9051 said: No. 3, too scary to give public key to others, too lazy to change it afterwards

    is there some security issue with giving public key that I don't know? Please explain. It's a public key and it doesn't work without the private key pair.

    PEBKAC, also, he's 13 and not willing to read/learn.

  • @Ruripapi said:
    guanxi lol prob cantonese and low income (not being racist cause im chinese )

    That's not how that works.

  • @jason5545 said:
    My Dedispec server just suddenly halted this morning. I contacted them and after a few hours it got rebooted. I decided to investigate further, because it's quite rare for a Linux server to halt itself.
    I ran sudo journalctl -b -1 -e, and this is what I got:
    Apr 26 15:52:39 s123348 kernel: perf: interrupt took too long (6190 > 6170), lowering kernel.perf_event_max_sample_rate to 32250
    Apr 26 15:54:00 s123348 sshd[620333]: Received disconnect from 116.252.87.31 port 46099:11: Bye Bye [preauth]
    Apr 26 15:54:00 s123348 sshd[620333]: Disconnected from authenticating user root 116.252.87.31 port 46099 [preauth]
    Apr 26 15:54:01 s123348 sshd[620353]: Received disconnect from 116.252.87.31 port 46192:11: Bye Bye [preauth]
    Apr 26 15:54:01 s123348 sshd[620353]: Disconnected from authenticating user root 116.252.87.31 port 46192 [preauth]
    Apr 26 15:54:03 s123348 sshd[620459]: Invalid user ubnt from 116.252.87.31 port 46245
    Apr 26 15:54:03 s123348 sshd[620459]: Received disconnect from 116.252.87.31 port 46245:11: Bye Bye [preauth]
    Apr 26 15:54:03 s123348 sshd[620459]: Disconnected from invalid user ubnt 116.252.87.31 port 46245 [preauth]
    Apr 26 15:54:04 s123348 sshd[620463]: Received disconnect from 116.252.87.31 port 46281:11: Bye Bye [preauth]
    Apr 26 15:54:04 s123348 sshd[620463]: Disconnected from authenticating user root 116.252.87.31 port 46281 [preauth]
    Apr 26 15:54:06 s123348 sshd[620465]: Received disconnect from 116.252.87.31 port 46320:11: Bye Bye [preauth]
    Apr 26 15:54:06 s123348 sshd[620465]: Disconnected from authenticating user root 116.252.87.31 port 46320 [preauth]
    Apr 26 15:54:07 s123348 sshd[620467]: Received disconnect from 116.252.87.31 port 46419:11: Bye Bye [preauth]
    Apr 26 15:54:07 s123348 sshd[620467]: Disconnected from authenticating user root 116.252.87.31 port 46419 [preauth]
    Apr 26 15:54:09 s123348 sshd[620559]: Received disconnect from 116.252.87.31 port 46550:11: Bye Bye [preauth]
    Apr 26 15:54:09 s123348 sshd[620559]: Disconnected from authenticating user root 116.252.87.31 port 46550 [preauth]
    Apr 26 15:54:10 s123348 sshd[620561]: Received disconnect from 116.252.87.31 port 46629:11: Bye Bye [preauth]
    Apr 26 15:54:10 s123348 sshd[620561]: Disconnected from authenticating user root 116.252.87.31 port 46629 [preauth]
    Apr 26 15:54:12 s123348 sshd[620580]: Received disconnect from 116.252.87.31 port 46677:11: Bye Bye [preauth]
    Apr 26 15:54:12 s123348 sshd[620580]: Disconnected from authenticating user root 116.252.87.31 port 46677 [preauth]
    Apr 26 15:54:13 s123348 sshd[620645]: Received disconnect from 116.252.87.31 port 46724:11: Bye Bye [preauth]
    Apr 26 15:54:13 s123348 sshd[620645]: Disconnected from authenticating user root 116.252.87.31 port 46724 [preauth]
    Apr 26 15:54:15 s123348 sshd[620653]: Received disconnect from 116.252.87.31 port 46760:11: Bye Bye [preauth]
    Apr 26 15:54:15 s123348 sshd[620653]: Disconnected from authenticating user root 116.252.87.31 port 46760 [preauth]
    Apr 26 15:54:16 s123348 sshd[620655]: Received disconnect from 116.252.87.31 port 46811:11: Bye Bye [preauth]
    Apr 26 15:54:16 s123348 sshd[620655]: Disconnected from authenticating user root 116.252.87.31 port 46811 [preauth]
    Apr 26 15:54:19 s123348 sshd[620730]: Received disconnect from 116.252.87.31 port 46925:11: Bye Bye [preauth]
    Apr 26 15:54:19 s123348 sshd[620730]: Disconnected from authenticating user root 116.252.87.31 port 46925 [preauth]
    Apr 26 15:54:21 s123348 sshd[620749]: Received disconnect from 116.252.87.31 port 47120:11: Bye Bye [preauth]
    Apr 26 15:54:21 s123348 sshd[620749]: Disconnected from authenticating user root 116.252.87.31 port 47120 [preauth]
    Apr 26 15:54:22 s123348 sshd[620759]: Received disconnect from 116.252.87.31 port 47166:11: Bye Bye [preauth]
    Apr 26 15:54:22 s123348 sshd[620759]: Disconnected from authenticating user root 116.252.87.31 port 47166 [preauth]
    Apr 26 15:54:25 s123348 sshd[620822]: Received disconnect from 116.252.87.31 port 47205:11: Bye Bye [preauth]
    Apr 26 15:54:25 s123348 sshd[620822]: Disconnected from authenticating user root 116.252.87.31 port 47205 [preauth]
    Apr 26 15:54:26 s123348 sshd[620824]: Received disconnect from 116.252.87.31 port 47280:11: Bye Bye [preauth]
    Apr 26 15:54:26 s123348 sshd[620824]: Disconnected from authenticating user root 116.252.87.31 port 47280 [preauth]
    Apr 26 15:54:28 s123348 sshd[620826]: Received disconnect from 116.252.87.31 port 47391:11: Bye Bye [preauth]
    Quite interestingly, I saw you guys saying that most of the abusers came from DO, Linode, or cloud providers, but this one seems to come from CHINANET Guangxi with a residential IP, which is quite rare?
    So what should I do next?
    So far I've set up: log in with keys only, and only allow my IP and my VPS to log in. Am I missing something else?
    I was also considering reporting abuse, but since it's not a provider or a hosting company, I have no idea how to do it.
    Thanks

    How could you be sure it is Chinese people doing this? Only by the IP? Do you know hackers can attack through a proxy?

    You are a pig! Fuck you!
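The journal excerpt above, and the question a few posts up about whether the "port N" in those lines is the client's port or the server's, both come down to reading the same sshd log format. As an added example (not code from this thread or from OpenSSH), here is a small Python parser that counts failed pre-auth sessions per source IP from lines of that shape. The sample input is the first few lines copied from the post; the regex, function names and the per-second rate calculation are my own and assume the default syslog-style journal output shown.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample journal lines copied from the post above (a subset; the rest of the
# posted log has the same shape).
SAMPLE_LOG = """\
Apr 26 15:54:00 s123348 sshd[620333]: Received disconnect from 116.252.87.31 port 46099:11: Bye Bye [preauth]
Apr 26 15:54:00 s123348 sshd[620333]: Disconnected from authenticating user root 116.252.87.31 port 46099 [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Received disconnect from 116.252.87.31 port 46192:11: Bye Bye [preauth]
Apr 26 15:54:01 s123348 sshd[620353]: Disconnected from authenticating user root 116.252.87.31 port 46192 [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Invalid user ubnt from 116.252.87.31 port 46245
Apr 26 15:54:03 s123348 sshd[620459]: Received disconnect from 116.252.87.31 port 46245:11: Bye Bye [preauth]
Apr 26 15:54:03 s123348 sshd[620459]: Disconnected from invalid user ubnt 116.252.87.31 port 46245 [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Received disconnect from 116.252.87.31 port 46281:11: Bye Bye [preauth]
Apr 26 15:54:04 s123348 sshd[620463]: Disconnected from authenticating user root 116.252.87.31 port 46281 [preauth]
Apr 26 15:54:06 s123348 sshd[620465]: Received disconnect from 116.252.87.31 port 46320:11: Bye Bye [preauth]
Apr 26 15:54:06 s123348 sshd[620465]: Disconnected from authenticating user root 116.252.87.31 port 46320 [preauth]
"""

# sshd logs exactly one "Disconnected from ... [preauth]" line per failed
# session (one child PID each), so that is the line to count.
# "invalid user" means sshd found no such account; "authenticating user" means
# the account exists (login may still be refused by policy).
# The "port N" field is the peer's source port, not a port open on this host.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Disconnected from (?P<status>authenticating|invalid) user (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) \[preauth\]$"
)


def parse_sessions(text):
    """Return one dict per failed pre-auth session found in journal text."""
    sessions = []
    for line in text.splitlines():
        m = DISCONNECT_RE.match(line.strip())
        if not m:
            continue  # "Received disconnect", kernel lines, etc. are skipped
        sessions.append({
            # Syslog timestamps carry no year; strptime defaults to 1900,
            # which is fine for computing spans within one day.
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "status": m["status"],
            "user": m["user"],
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return sessions


def summarize(sessions):
    """Aggregate parsed sessions per source IP."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["ip"]].append(s)
    report = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        span = (rows[-1]["ts"] - rows[0]["ts"]).total_seconds()
        ports = [r["port"] for r in rows]
        report[ip] = {
            "sessions": len(rows),
            "users": dict(Counter(r["user"] for r in rows)),
            "invalid_users": sorted({r["user"] for r in rows if r["status"] == "invalid"}),
            # Each session arrives from a different, climbing source port:
            # the signature of a client's ephemeral ports, not of a scan of us.
            "distinct_ports": len(set(ports)),
            "port_range": (min(ports), max(ports)),
            "per_second": len(rows) / max(span, 1.0),  # avoid /0 on a one-line log
        }
    return report


if __name__ == "__main__":
    for ip, r in summarize(parse_sessions(SAMPLE_LOG)).items():
        print(f"{ip}: {r['sessions']} failed sessions, ~{r['per_second']:.2f}/s, "
              f"users {r['users']}, source ports {r['port_range'][0]}-{r['port_range'][1]}")
```

On the posted excerpt this reports a single source, roughly one failed session per second, four attempts on root and one on a non-existent ubnt account, with every session on a distinct source port in the 46xxx range, which is what you would expect from one client's ephemeral ports rather than from anything listening on those ports server-side. To run it against a live box, feed it journalctl -u ssh output instead of SAMPLE_LOG.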

  • jason5545, Member (edited April 2022)

    @Not_Oles please help check whether changing the title or the contents is necessary; if you find it inappropriate in some way, then please kindly modify it. Thanks @FAT32 @raindog308

  • Not_Oles, Moderator, Patron Provider

    @jason5545 said: please help check whether changing the title or the contents is necessary

    Maybe the word "people" in the title could have been written as "IPs?"

    @7cloud said: You are a pig! Fuck you!

    Maybe there also could have been different language used here? <3

    Thanks to both @jason5545 and @7cloud for supporting Low End Talk! Thanks to all the LET members who have made helpful comments in this thread! ♒︎

    Friendly greetings from Sonora! 🌎🌍

  • @Peppery9 said:

    @DanSummer said:

    @Otus9051 said: No. 3, too scary to give public key to others, too lazy to change it afterwards

    is there some security issue with giving public key that I don't know? Please explain. It's a public key and it doesn't work without the private key pair.

    There is no issue with handing out your public key - the clue is in the name

    @TimboJones said:

    @DanSummer said:

    @Otus9051 said: No. 3, too scary to give public key to others, too lazy to change it afterwards

    is there some security issue with giving public key that I don't know? Please explain. It's a public key and it doesn't work without the private key pair.

    PEBKAC, also, he's 13 and not willing to read/learn.

    That explains a lot! :)

  • jason5545, Member (edited April 2022)

    @Not_Oles said:

    @jason5545 said: please help check whether changing the title or the contents is necessary

    Maybe the word "people" in the title could have been written as "IPs?"

    @7cloud said: You are a pig! Fuck you!

    Maybe there also could have been different language used here? <3

    Thanks to both @jason5545 and @7cloud for supporting Low End Talk! Thanks to all the LET members who have made helpful comments in this thread! ♒︎

    Friendly greetings from Sonora! 🌎🌍

    Please change it, appreciate the help.

  • Not_Oles, Moderator, Patron Provider

    @jason5545 said: Please change it, appreciate the help.

    I attempted to change "people" to "IPs" in the title, but apparently it might not have worked. Looks like we need to wait until a cache expires or maybe until someone with higher privileges than me arrives to help.

    Jason, please do not be concerned. All of us who know you realize you never would be deliberately unkind.

    Best wishes and kindest regards!

    Tom

  • @Not_Oles said:

    @jason5545 said: Please change it, appreciate the help.

    I attempted to change "people" to "IPs" in the title, but apparently it might not have worked. Looks like we need to wait until a cache expires or maybe until someone with higher privileges than me arrives to help.

    Jason, please do not be concerned. All of us who know you realize you never would be deliberately unkind.

    Best wishes and kindest regards!

    Tom

    No worries, maybe it's just a cloudflare cache thing.

  • Not_Oles, Moderator, Patron Provider

    @Not_Oles said: I attempted to change "people" to "IPs" in the title, but apparently it might not have worked. Looks like we need to wait until a cache expires or maybe until someone with higher privileges than me arrives to help.

    I tried a second time. This time it seems to have worked. <3
