unreal-dream

Someone is hacking my server, I need your help


Posted (original poster):

This morning I checked my server log and found this. Someone keeps trying to log in to my server through SSH and Telnet. What should I do? Do I need to shut down my server?

[Two attached screenshots of the log entries: 捕获.PNG and 捕获2.PNG ("Capture")]

Posted:

It's called the public internet. You need to set up security measures to stop bots and crawlers. People make crawlers that try every single public IP with default parameters, like an admin password for SSH and so on. If you aren't using ports, close them; disable functions that you don't use; also use something like fail2ban in tandem with iptables to protect yourself. I set up fail2ban and set my SSH parameters to block the IP forever if it failed more than twice in the timespan of 8 hours, and I have over 40,000 IPs banned already. It's scary.



Posted:

I'm pretty confident that it's crawlers/bots due to the constant password attempts.

Set up security measures; @BuckGup has given some pretty good instructions about how to do so.
Posted:

Looks like everything is working fine, no successful logins. It's not "hacking", more "knocking on the door". Unavoidable garbage traffic.

You should really watch successful logins/actions more than failures. The only time it is important to watch for failures is when you think a (D)DoS is occurring.

I would just ignore it.
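Two pieces of advice in this thread fit together: BuckGup's fail2ban policy (ban an address for good once it has failed too often inside an 8-hour window) and the point just above that the interesting lines are the successful logins, not the failures. The following is an added example, not code from the original thread or from fail2ban. It replays constructed auth.log lines (documentation-range addresses; the year is assumed to be 2019 because syslog timestamps carry none) through a sliding-window ban rule with fail2ban-style parameters (maxretry, findtime, permanent ban), and then lists every accepted login, flagging the ones a sysadmin would want to look at: password logins, root logins, and logins from an address that had failed earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines in the usual syslog layout. They are an assumption
# for this example, not the OP's screenshots; addresses come from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_AUTH_LOG = """\
Jan 30 06:01:12 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 30 06:01:15 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 30 06:01:19 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 30 06:02:44 srv sshd[2110]: Invalid user pi from 198.51.100.23 port 40022
Jan 30 06:02:47 srv sshd[2110]: Failed password for invalid user pi from 198.51.100.23 port 40022 ssh2
Jan 30 07:10:03 srv sshd[2150]: Accepted publickey for alice from 192.0.2.10 port 55555 ssh2: ED25519 SHA256:c0nstructed
Jan 30 15:30:00 srv sshd[2300]: Failed password for root from 198.51.100.23 port 40100 ssh2
Jan 30 16:00:00 srv sshd[2310]: Accepted password for root from 198.51.100.23 port 40120 ssh2
"""

ASSUMED_YEAR = 2019  # syslog timestamps carry no year; the thread dates from Jan 2019

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Turn one sshd syslog line into a dict, or None for lines this example
    ignores (e.g. the 'Invalid user' notice that precedes a 'Failed password')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    f = FAILED_RE.match(m["msg"])
    if f:
        return {"ts": ts, "event": "failed", "method": f["method"], "user": f["user"],
                "ip": f["ip"], "invalid_user": f["invalid"] is not None}
    a = ACCEPTED_RE.match(m["msg"])
    if a:
        return {"ts": ts, "event": "accepted", "method": a["method"], "user": a["user"],
                "ip": a["ip"], "invalid_user": False}
    return None


def simulate_bans(log_text, maxretry=3, findtime_hours=8):
    """Sliding-window policy in the spirit of a fail2ban sshd jail: an address is
    banned on the failure that brings it to `maxretry` failures within the last
    `findtime_hours`. Bans never expire here (fail2ban: bantime = -1).
    Returns {ip: time_of_ban}."""
    findtime = timedelta(hours=findtime_hours)
    recent = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "failed" or ev["ip"] in banned:
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > findtime:  # forget failures outside the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned


def audit_accepted_logins(log_text):
    """The signal worth alerting on: every successful login, with reasons it
    deserves a look. Returns [(ts, user, ip, method, reasons)] in log order."""
    failed_ips = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "failed":
            failed_ips.add(ev["ip"])
            continue
        reasons = []
        if ev["method"] == "password":
            reasons.append("password auth")
        if ev["user"] == "root":
            reasons.append("root login")
        if ev["ip"] in failed_ips:
            reasons.append("prior failures from this address")
        findings.append((ev["ts"], ev["user"], ev["ip"], ev["method"], reasons))
    return findings


if __name__ == "__main__":
    for ip, when in simulate_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} (from {when})")
    for ts, user, ip, method, reasons in audit_accepted_logins(SAMPLE_AUTH_LOG):
        print("ALERT" if reasons else "ok   ", ts, f"{user}@{ip}", method, ", ".join(reasons))
```

With the constructed lines, 203.0.113.7 is banned on its third failure at 06:01:19, while 198.51.100.23 is never banned because its two failures are more than eight hours apart; the thing that should actually page someone is the last line, a successful root password login from that same address. A real jail would also need fail2ban's own sshd filter, which recognises more message variants than the two regexes here.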

Posted:

You should see the logs on my firewall... The internet is a filthy cesspool of this crap. Strong passwords, and possibly consider putting a firewall/router in front of that server, block all the ports you aren't using, and decrease the number of attack vectors to your server. Telnet... Gross.

Posted:

Best practice would be to use cert-based authentication, then disable password authentication.

I have a Pi I use at home as an SSH jump host on the SSH port rather than going direct to any of my servers. That still has password authentication enabled, but it has fail2ban on it.



Posted:

On my own Linux server I disabled SSH/SFTP password authentication and set up public/private key authentication with a required password (in a sense, kind of like 2FA). This solved my issue of bots on the internet trying to log in.

Posted:

14 hours ago, avm5689 said:

I never expose SSH (or RDP) to the internet. I always use a VPN like OpenVPN or Pritunl. OCserv works well too.

SSH, properly secured, isn't any different from a VPN in terms of safety. A VPN just makes it easier to route the traffic and access a specific set of resources, which you can still achieve with SSH plus the OS routing tables. When one of, if not the, largest vendors of web services has a guide on how to connect via SSH, it's fair to say it is a safe protocol.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

That said, I would never expose a default-configured SSH daemon to the internet.

Posted:

On 1/30/2019 at 6:36 PM, mtz_federico said:

Just change the default port for SSH (if you don't use Telnet, block it), use SSH keys and block SSH access for the root user.

Don't do that... it's ugly and accomplishes absolutely nothing.

fail2ban; don't use password auth; use cert-based auth and keep your cert protected with a password. If you want tighter security, use your firewall/iptables to allow only the traffic the server needs, in and out. If you have a static IP you may want to limit SSH access to a specific IP.
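Several replies land on the same sshd_config changes: key-based authentication on, password authentication off, root login blocked, and never a default-configured daemon facing the internet. The following is an added example, not code from the thread or from OpenSSH: a small audit of a constructed sshd_config against that baseline, with a function that produces the hardened file. It resolves settings the way sshd does (the first value read for a keyword wins, keywords are case-insensitive, and a Match block overrides the globals for matching users or addresses), which is exactly why a hardening line appended to the bottom of an existing file can silently do nothing. ChallengeResponseAuthentication is included because, with UsePAM on, leaving it enabled keeps a keyboard-interactive password prompt available even when PasswordAuthentication is off. Defaults and keyword names are taken from sshd_config(5); the file contents are invented.

```python
import re

# Constructed sshd_config for this example (an assumption, not the OP's file).
# It has the holes the thread warns about, plus a subtle one: the
# "PasswordAuthentication no" at the bottom is dead, because sshd takes the
# FIRST value it reads for each keyword.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
# appended later in the hope that it would take effect:
PasswordAuthentication no
"""

# Values sshd assumes when a keyword is absent (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # newer OpenSSH: KbdInteractiveAuthentication
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# The baseline the thread recommends; each keyword maps to its acceptable values.
BASELINE = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},  # otherwise PAM can still prompt for a password
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}

HARDENED_LINES = [
    "PasswordAuthentication no",
    "ChallengeResponseAuthentication no",
    "PermitRootLogin no",
    "PubkeyAuthentication yes",
]


def _keyword_value(raw):
    """Strip comments and split 'Keyword value'. Keywords are case-insensitive
    and '=' is accepted as a separator. Returns ('', '') for blank lines."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return "", ""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_global_settings(config_text):
    """Resolve the global section the way sshd does: first value wins.
    Returns (settings, shadowed, has_match); `shadowed` lists later duplicates
    sshd ignores, `has_match` says a Match block follows (its lines override
    the globals for the users/addresses it names)."""
    settings, shadowed, has_match = {}, [], False
    for raw in config_text.splitlines():
        key, value = _keyword_value(raw)
        if not key:
            continue
        if key == "match":
            has_match = True
            break
        if key in settings:
            shadowed.append((key, value))
        else:
            settings[key] = value
    return settings, shadowed, has_match


def audit_sshd_config(config_text):
    """Compare effective values with BASELINE. Returns a list of
    (keyword, effective_value, note) findings; an empty list means compliant."""
    settings, shadowed, has_match = effective_global_settings(config_text)
    findings = []
    for key, wanted in BASELINE.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual not in wanted:
            findings.append((key, actual, f"want one of {sorted(wanted)}"))
    for key, value in shadowed:
        findings.append((key, value, "ignored: an earlier line already set this keyword"))
    if has_match:
        findings.append(("match", "present",
                         "review: Match lines can re-enable password auth for some users or addresses"))
    return findings


def harden(config_text):
    """Return the config with BASELINE enforced: existing lines for those
    keywords are dropped (so nothing earlier can win) and the hardened lines
    go first. Everything else, comments included, is kept verbatim."""
    kept = [raw for raw in config_text.splitlines()
            if _keyword_value(raw)[0] not in BASELINE]
    return "\n".join(HARDENED_LINES + kept) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("WEAK:", *finding)
    print("after harden():", audit_sshd_config(harden(WEAK_SSHD_CONFIG)) or "no findings")
```

On the constructed file the audit reports password authentication, challenge-response and root login all effectively on, and separately that the appended `PasswordAuthentication no` is shadowed. After editing a real file, validate it with `sshd -t`, confirm the effective values with `sshd -T` (which prints the resolved configuration), and keep an existing session open while you restart the daemon and test a fresh key-based login, so a mistake cannot lock you out.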
