Is my server under attack?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Yesterday I created an Ubuntu 18.04 droplet, with a MongoDB v4.0.2 image at DigitalOcean and today I checked the /var/log/auth.log file... What I saw is this:



Oct 1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11: [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct 1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11: [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11: [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11: [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct 1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11: [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct 1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11: [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct 1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11: [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct 1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11: [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct 1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11: [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root

Oct 1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct 1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11: [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root


Thousands of connection attempts logs! And it's still going!



I'm the only one with access to the server and the only port I've left open, is 22!



What's happening?






server security







share|improve this question





















  • This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
    – tommy61157
    2 hours ago










  • I have almost no knowledge of security! How can I search for it?
    – Sotiris Kaniras
    2 hours ago











  • security.stackexchange.com/q/180321
    – jdv
    2 hours ago










  • @jdv So it's something the system does?
    – Sotiris Kaniras
    2 hours ago






  • 2




    Possible duplicate of Is someone trying to hack into my server? What can I do?
    – luk3yx
    1 hour ago














up vote
1
down vote

favorite












Yesterday I created an Ubuntu 18.04 droplet, with a MongoDB v4.0.2 image at DigitalOcean and today I checked the /var/log/auth.log file... What I saw is this:



Oct 1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11: [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct 1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11: [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11: [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11: [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct 1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11: [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct 1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11: [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct 1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11: [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct 1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11: [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct 1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11: [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root

Oct 1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct 1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11: [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root


Thousands of connection attempts logs! And it's still going!



I'm the only one with access to the server and the only port I've left open, is 22!



What's happening?






server security







share|improve this question





















  • This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
    – tommy61157
    2 hours ago










  • I have almost no knowledge of security! How can I search for it?
    – Sotiris Kaniras
    2 hours ago











  • security.stackexchange.com/q/180321
    – jdv
    2 hours ago










  • @jdv So it's something the system does?
    – Sotiris Kaniras
    2 hours ago






  • 2




    Possible duplicate of Is someone trying to hack into my server? What can I do?
    – luk3yx
    1 hour ago












up vote
1
down vote

favorite









up vote
1
down vote

favorite











Yesterday I created an Ubuntu 18.04 droplet, with a MongoDB v4.0.2 image at DigitalOcean and today I checked the /var/log/auth.log file... What I saw is this:



Oct 1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11: [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct 1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11: [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11: [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11: [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct 1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11: [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct 1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11: [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct 1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11: [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct 1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11: [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct 1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11: [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root

Oct 1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct 1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11: [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root


Thousands of connection attempts logs! And it's still going!



I'm the only one with access to the server and the only port I've left open, is 22!



What's happening?






server security







share|improve this question













Yesterday I created an Ubuntu 18.04 droplet, with a MongoDB v4.0.2 image at DigitalOcean and today I checked the /var/log/auth.log file... What I saw is this:



Oct 1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11: [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct 1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct 1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11: [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct 1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11: [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct 1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11: [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct 1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct 1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11: [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct 1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct 1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11: [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct 1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct 1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11: [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct 1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct 1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11: [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct 1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct 1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11: [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct 1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root

Oct 1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root
Oct 1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct 1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11: [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct 1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16 user=root


Thousands of connection attempts logs! And it's still going!



I'm the only one with access to the server and the only port I've left open, is 22!



What's happening?






server security




server security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 2 hours ago









Sotiris Kaniras

61




61











  • This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
    – tommy61157
    2 hours ago










  • I have almost no knowledge of security! How can I search for it?
    – Sotiris Kaniras
    2 hours ago











  • security.stackexchange.com/q/180321
    – jdv
    2 hours ago










  • @jdv So it's something the system does?
    – Sotiris Kaniras
    2 hours ago






  • 2




    Possible duplicate of Is someone trying to hack into my server? What can I do?
    – luk3yx
    1 hour ago
















  • This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
    – tommy61157
    2 hours ago










  • I have almost no knowledge of security! How can I search for it?
    – Sotiris Kaniras
    2 hours ago











  • security.stackexchange.com/q/180321
    – jdv
    2 hours ago










  • @jdv So it's something the system does?
    – Sotiris Kaniras
    2 hours ago






  • 2




    Possible duplicate of Is someone trying to hack into my server? What can I do?
    – luk3yx
    1 hour ago















This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
– tommy61157
2 hours ago




This may be a question better suited for the IT security stack exchange. Firstly though, I'd investigate that 116.36.116.16 IP and see what you can find on it, see if anyone else has complained about it or if it's from somewhere you'd absolutely never expect a connection from, hope this helps.
– tommy61157
2 hours ago












I have almost no knowledge of security! How can I search for it?
– Sotiris Kaniras
2 hours ago





I have almost no knowledge of security! How can I search for it?
– Sotiris Kaniras
2 hours ago













security.stackexchange.com/q/180321
– jdv
2 hours ago




security.stackexchange.com/q/180321
– jdv
2 hours ago












@jdv So it's something the system does?
– Sotiris Kaniras
2 hours ago




@jdv So it's something the system does?
– Sotiris Kaniras
2 hours ago




2




2




Possible duplicate of Is someone trying to hack into my server? What can I do?
– luk3yx
1 hour ago




Possible duplicate of Is someone trying to hack into my server? What can I do?
– luk3yx
1 hour ago










1 Answer
1






active

oldest

votes

















up vote
6
down vote













This specific traffic is from a Chinese-sourced IP address (basic info of the IP address on dnslytics.com) and it is attempting to login with password authentication to your root user over SSH.



There are major concerns when running any Internet-facing service:




  1. ALL IP addresses everywhere when they get online are probed.

  2. When some probes find open ports such as SSH ports, malicious threat actors will attempt to continue probes to see if they can get into your system with password attacks.

Both of these are a defacto standard of Internet-facing services. And as such, many of these threats are ongoing. However, this happens to many services - not just SSH.



These types of probes are unlikely to cease. This is why you should be careful when exposing services to the Internet.



Based on what I've seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I've gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.



There are a few things you can do, however, to mitigate this a little bit more:




  1. Disable SSH login access for the root user directly.



    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it's set to prohibit-password or no.



    Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)



  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.


  3. Set up something like fail2ban to help block the brute force attempts. This is a process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.






share|improve this answer






















  • This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
    – Ian McGowan
    1 min ago










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1080056%2fis-my-server-under-attack%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
6
down vote













This specific traffic is from a Chinese-sourced IP address (basic info of the IP address on dnslytics.com) and it is attempting to login with password authentication to your root user over SSH.



There are major concerns when running any Internet-facing service:




  1. ALL IP addresses everywhere when they get online are probed.

  2. When some probes find open ports such as SSH ports, malicious threat actors will attempt to continue probes to see if they can get into your system with password attacks.

Both of these are a defacto standard of Internet-facing services. And as such, many of these threats are ongoing. However, this happens to many services - not just SSH.



These types of probes are unlikely to cease. This is why you should be careful when exposing services to the Internet.



Based on what I've seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I've gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.



There are a few things you can do, however, to mitigate this a little bit more:




  1. Disable SSH login access for the root user directly.



    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it's set to prohibit-password or no.



    Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)



  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.


  3. Set up something like fail2ban to help block the brute force attempts. This is a process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.






share|improve this answer






















  • This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
    – Ian McGowan
    1 min ago














up vote
6
down vote













This specific traffic is from a Chinese-sourced IP address (basic info of the IP address on dnslytics.com) and it is attempting to login with password authentication to your root user over SSH.



There are major concerns when running any Internet-facing service:




  1. ALL IP addresses everywhere when they get online are probed.

  2. When some probes find open ports such as SSH ports, malicious threat actors will attempt to continue probes to see if they can get into your system with password attacks.

Both of these are a defacto standard of Internet-facing services. And as such, many of these threats are ongoing. However, this happens to many services - not just SSH.



These types of probes are unlikely to cease. This is why you should be careful when exposing services to the Internet.



Based on what I've seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I've gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.



There are a few things you can do, however, to mitigate this a little bit more:




  1. Disable SSH login access for the root user directly.



    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it's set to prohibit-password or no.



    Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)



  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.


  3. Set up something like fail2ban to help block the brute force attempts. This is a process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.






share|improve this answer






















  • This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
    – Ian McGowan
    1 min ago












up vote
6
down vote










up vote
6
down vote









This specific traffic is from a Chinese-sourced IP address (basic info of the IP address on dnslytics.com) and it is attempting to login with password authentication to your root user over SSH.



There are major concerns when running any Internet-facing service:




  1. ALL IP addresses everywhere when they get online are probed.

  2. When some probes find open ports such as SSH ports, malicious threat actors will attempt to continue probes to see if they can get into your system with password attacks.

Both of these are a defacto standard of Internet-facing services. And as such, many of these threats are ongoing. However, this happens to many services - not just SSH.



These types of probes are unlikely to cease. This is why you should be careful when exposing services to the Internet.



Based on what I've seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I've gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.



There are a few things you can do, however, to mitigate this a little bit more:




  1. Disable SSH login access for the root user directly.



    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it's set to prohibit-password or no.



    Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)



  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.


  3. Set up something like fail2ban to help block the brute force attempts. This is a process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.






share|improve this answer














This specific traffic is from a Chinese-sourced IP address (basic info of the IP address on dnslytics.com) and it is attempting to login with password authentication to your root user over SSH.



There are major concerns when running any Internet-facing service:




  1. ALL IP addresses everywhere when they get online are probed.

  2. When some probes find open ports such as SSH ports, malicious threat actors will attempt to continue probes to see if they can get into your system with password attacks.

Both of these are a defacto standard of Internet-facing services. And as such, many of these threats are ongoing. However, this happens to many services - not just SSH.



These types of probes are unlikely to cease. This is why you should be careful when exposing services to the Internet.



Based on what I've seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I've gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.



There are a few things you can do, however, to mitigate this a little bit more:




  1. Disable SSH login access for the root user directly.



    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it's set to prohibit-password or no.



    Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)



  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.


  3. Set up something like fail2ban to help block the brute force attempts. This is a process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.







share|improve this answer














share|improve this answer



share|improve this answer








edited 26 mins ago

























answered 52 mins ago









Thomas Ward♦

41.7k23114166




41.7k23114166











  • This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
    – Ian McGowan
    1 min ago
















  • This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
    – Ian McGowan
    1 min ago















This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
– Ian McGowan
1 min ago




This is a great summary, and there are some good tutorials on the digital ocean documentation site to follow to harden a server. One thing to add is setting up a firewall, UFW, and getting it configured and running before adding any new services.
– Ian McGowan
1 min ago

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1080056%2fis-my-server-under-attack%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more