Someone is hacking my server,I need your help

[unreal-dream]

Today's morning,I checked my server log,I found this . Someone is keep trying to login my server through ssh and telnet,what should I do? Do I need to shutdown my server?

[BuckGup]

It's called the public internet. You need to setup security measures to stop bots and crawlers. People will make crawlers that try every single public IP with default parameters like admin password for ssh and so on. If you aren't using ports close them, disabled functions that you don't use, also use something like fail2ban in tandem with iptables to protect yourself. I setup fail2ban and set my ssh parameters to block the IP forever if it failed more than twice in the timespan of 8 hours and I have over 40,000 IPs banned already. It's scary

[XR6]

I'm pretty confident that it's crawlers/bots due to the constant password attempts.

Set up security measures, @BuckGup has given some pretty good instructions about how to do so.

 

 

 

[Denned]

Like the other have said. Setup fail2ban and also disable telnet.

[Mikensan]

Looks like everything is working fine, no successful logins. It's not "hacking" - more "knocking on the door." Unavoidable garbage traffic.

 

Should really watch successful logins / actions more than you do failure. Ony time it is important to watch for failures is when you think (D)DoS is occuring..

 

I would just ignore it.

[FitnessOgre]

You should see the logs on my firewall... The internet is a filthy cesspool of this crap. Strong Passwords, and possibly consider putting a firewall/router in front of that server, block all the ports you aren't using, and decrease the number of attack vectors to your server. Telnet... Gross. 

[Jarsky]

Best practice would be to use cert based authentication, then disable password authentication. 

I have a Pi I use at home as an SSH jumphost on the SSH port rather than direct to any of my servers. That has password authentication enabled still, but it has fail2ban on it.

[Windows7ge]

On my own Linux server I disabled SSH/SFTP password authentication and setup public/private key authentication w/ a required password (in a sense kind of like 2FA). This solved my issue of bots on the internet trying to login.

[avm5689]

I never expose SSH (or RDP) to the internet. I always use a VPN like OpenVPN or Pritunl. OCserv works well too.

[Mikensan]

14 hours ago, avm5689 said:

I never expose SSH (or RDP) to the internet. I always use a VPN like OpenVPN or Pritunl. OCserv works well too.

SSH properly secured isn't any different than a VPN in terms of safety. VPN just makes it easier to route the traffic and access a specific set of resources, which you can yet still achieve with SSH + routing tables of the O/S. When one of, if not the, largest vendors of web services has a guide on how to connect VIA SSH, it's fair to say it is a safe protocol.

 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

 

 

That said I would never expose a default configured SSH daemon to the internet.

[VikasRana]

You need an intrusion detection software

https://en.wikipedia.org/wiki/Intrusion_detection_system

[mtz_federico]

Just change the default port for ssh (if you dont use telnet block it), use ssh keys and block ssh acces for the root user

[lacion]

On 1/30/2019 at 6:36 PM, mtz_federico said:

Just change the default port for ssh (if you dont use telnet block it), use ssh keys and block ssh acces for the root user

don't do that.... its ugly and accomplishes absolutely nothing.

 

fail2ban, don't use password auth, use cert based auth and keep your cert with a password. if you want more tight security use your firewall/iptables to only allow the traffic the server needs to use in and out. if you have a static ip you may want to limit ssh access to a specific IP.