It's been some time since my Linode VPS has been up. Haven't been paying any attention to it since I've been busy coding a web application. Thought I'd do some housekeeping, starting with the log files, and guess what? There's quite a number of individuals who are keen on getting into the server. Keep trying, as I need lots of practice to keep you out. I get a couple of these unique visitors daily. Here's one, from /var/log/auth.log:
Jun 19 10:13:03 debian sshd[327]: Invalid user mirain from 210.83.226.181
Jun 19 10:13:03 debian sshd[327]: pam_unix(sshd:auth): check pass; user unknown
Jun 19 10:13:03 debian sshd[327]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181
Jun 19 10:13:05 debian sshd[327]: Failed password for invalid user mirain from 210.83.226.181 port 58621 ssh2
Jun 19 10:13:06 debian sshd[329]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:06 debian sshd[329]: Invalid user opt2 from 210.83.226.181
Jun 19 10:13:06 debian sshd[329]: pam_unix(sshd:auth): check pass; user unknown
Jun 19 10:13:06 debian sshd[329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181
Jun 19 10:13:08 debian sshd[329]: Failed password for invalid user opt2 from 210.83.226.181 port 58909 ssh2
Jun 19 10:13:10 debian sshd[331]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:10 debian sshd[331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181 user=root
Jun 19 10:13:12 debian sshd[331]: Failed password for root from 210.83.226.181 port 59144 ssh2
Jun 19 10:13:13 debian sshd[333]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:13 debian sshd[333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181 user=root
Jun 19 10:13:16 debian sshd[333]: Failed password for root from 210.83.226.181 port 59447 ssh2
Jun 19 10:13:17 debian sshd[335]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:17 debian sshd[335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181 user=root
Jun 19 10:13:19 debian sshd[335]: Failed password for root from 210.83.226.181 port 59763 ssh2
Jun 19 10:13:21 debian sshd[337]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed
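The "Failed password" lines are what a tool like fail2ban (in the tips below) keys on. As an added example, not code from the original post, here is a small Python script that parses entries in this auth.log format, tallies failures and the usernames tried per source host, and applies a fail2ban-style maxretry/findtime rule. The sample lines are constructed from the excerpt plus an invented 192.0.2.10 host, the threshold values are chosen for the example, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same auth.log format as the excerpt: the 210.83.226.181
# lines mirror it; 192.0.2.10 is an invented legitimate user who mistypes once.
SAMPLE_LOG = """\
Jun 19 10:13:05 debian sshd[327]: Failed password for invalid user mirain from 210.83.226.181 port 58621 ssh2
Jun 19 10:13:08 debian sshd[329]: Failed password for invalid user opt2 from 210.83.226.181 port 58909 ssh2
Jun 19 10:13:12 debian sshd[331]: Failed password for root from 210.83.226.181 port 59144 ssh2
Jun 19 10:13:16 debian sshd[333]: Failed password for root from 210.83.226.181 port 59447 ssh2
Jun 19 10:13:19 debian sshd[335]: Failed password for root from 210.83.226.181 port 59763 ssh2
Jun 19 10:20:01 debian sshd[340]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Jun 19 10:20:30 debian sshd[341]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2012):
    """Yield (datetime, user, invalid_user, host) per 'Failed password' line.
    Syslog stamps carry no year, so `year` is an assumed value."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["invalid"] is not None, m["host"]

def failures_by_host(log_text):
    """Per source host: the failure timestamps and the set of usernames tried."""
    by_host = defaultdict(lambda: {"times": [], "users": set()})
    for ts, user, _, host in parse_failures(log_text):
        by_host[host]["times"].append(ts)
        by_host[host]["users"].add(user)
    return dict(by_host)

def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """fail2ban-style rule: flag a host once it has `maxretry` failures inside
    any `findtime`-second window (both thresholds chosen for this example)."""
    banned = set()
    for host, info in failures_by_host(log_text).items():
        times = sorted(info["times"])
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

Running `hosts_to_ban(SAMPLE_LOG)` flags only 210.83.226.181; the single typo from 192.0.2.10 stays below the threshold, which is the point of pairing a retry count with a time window.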
A quick google gives some simple tips for my ssh setup. I'll just list them here for future reference.
- Disable root login. In /etc/ssh/sshd_config: PermitRootLogin no
- Change the port sshd is running on, e.g. Port 2229
- Install fail2ban. Package description: bans IPs that cause multiple authentication errors
- Change the shell for nobody to /bin/false or /bin/nologin
There's still others but these will do for now. Have to get back to coding.