[SOLVED] invalid user ssh into my ubuntu server constantly ?
Man, the invalid attempts to log in to my ssh server are not stopping.. it keeps logging new failed attempts.
Between 10,000 and 20,000 attempts per day on a couple of my web servers. About 5,000 a day on servers that don't host anything. So, yeah, it's totally normal for a public facing server.
Just to add another anecdote to indicate the scale of the annoyance, I just spot checked one and it has over 22k invalid user attacks against SSH during just the last 6 hours.
Where only you have access to that machine until you understand the Services you have enabled and how exploits of those Services are carried out.
(You learn how it's done and try to hack yourself.)
Quote:
Originally Posted by ondoho
And some users will always be alarmed by it, thinking they're actually getting hacked (and not thinking: my system does the right thing here).
Techs in charge of reviewing abuse reports used to have a name for people who were fixated on firewall logs and constantly reported false alarms.
I am a bit confused now. Is OpenSSH the same as the ssh on my laptop, or are they 2 different pieces of software? I can't figure it out. Initially I thought they were the same, after that I thought they were different.. then when I did some browsing.. I think they are the exact same thing..
Quote:
Just to add another anecdote to indicate the scale of the annoyance, I just spot checked one and it has over 22k invalid user attacks against SSH during just the last 6 hours.
LOL
You must have "gold bars" stored in the vault of your server. lol
Quote:
I am a bit confused now. Is OpenSSH the same as the ssh on my laptop, or are they 2 different pieces of software? I can't figure it out. Initially I thought they were the same, after that I thought they were different.. then when I did some browsing.. I think they are the exact same thing..
Strictly speaking, SSH is the protocol. There are several suites of software which support the SSH protocol: OpenSSH, Teleport, Tectia, Dropbear, etc. In principle they should all be able to connect to each other since they all claim to use the same standard protocol. OpenSSH is the suite used on pretty much any GNU/Linux distro out there today.
However, each of those suites provides both a client and a server because the style of architecture the SSH protocol is built around is "client-server". And loosely speaking, SSH can refer to either the SSH client or the SSH server in informal speech depending on context. The client is the software which provides the interface you or your scripts interact with and which connects you to the server on the remote system. That's what's on your laptop if you are connecting from it. The server provides the software which waits over on the system you connect to and listens for and processes incoming SSH connections. That's what's getting pounded on as bots try to jiggle the doorknob so to speak. It's only going to let in those authorized to get in but that does not stop the bots from trying. As mentioned, turning off password authentication, after setting up keys or certificates, will scare off most of the bots.
Last edited by Turbocapitalist; 08-23-2021 at 10:10 AM.
So, you said any ssh server in theory can communicate with any ssh client..
Hee hee, I think the bots are trying to "jiggle" the door because I didn't totally disable password authentication. I have 2 accounts on the ssh server: 1 is using an ssh key, the other is still using a password.. . I was learning the ssh key stuff.. I left myself a backdoor in case I screwed up the ssh key or something.. .. Not yet learned how to use fail2ban....
And you might not need fail2ban (as much as I love it) if you restrict your ssh protocol traffic to your local subnet. They cannot break in using ssh if they cannot connect to any ssh server.
As a sysadmin, I have used server security, network security, application security, and protocol security. For large and legal issues there is no step too trivial to take (because of what is at stake), but for a home network it seems best to use the most simple and easy solution to eliminate the problem.
Thanks for the advice.
As much as I try to grasp what you mean, I still can't get it all.
I think you meant put the ssh server in my own local network.. so the bots won't be able to "jiggle the door" of ssh.
I have not reached that level yet.. I rented a server on Digital Ocean to try it, so it is public facing, and can't be placed behind my local subnet.
Are you only going to access that server from home? If you have a fixed address, you can set it to only allow ssh from your address. If your address is variable (set using DHCP by your ISP) but in a fixed range, you can allow only that range. This restriction can be set in a firewall or using networking stack features (TCP wrapper), or the "AllowUsers" setting (in the sshd server conf file) which can restrict by user name and source address or source subnet. Check your man pages or run a quick search. It is not secret information. ;-)
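As an added illustration (not code from this thread), a small checker that reads an sshd_config fragment and reports which of the settings discussed above are still weak: password authentication left on, root allowed in with a password, or no AllowUsers user@subnet restriction. Both config fragments and the 203.0.113.0/24 range are constructed; only the plain "Keyword value" form is parsed, not Match blocks.

```python
import ipaddress

# Constructed sshd_config fragments (not the poster's real config): the first
# mirrors the situation in the thread, the second applies the advice above.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
# only these two accounts, and only from the ISP range (203.0.113.0/24 is a constructed example)
AllowUsers deploy@203.0.113.0/24 backup@203.0.113.0/24
"""

def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its list of values; comments and blanks are skipped.
    Only the 'Keyword value' form is handled, not 'Keyword=value' or Match blocks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).extend(value.split())
    return opts

def audit_sshd_config(text):
    """Return the list of findings; an empty list means the thread's advice is applied.
    Missing keywords are judged by OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password)."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': bots can keep guessing passwords")
    if opts.get("permitrootlogin", ["prohibit-password"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    users = opts.get("allowusers", [])
    if not users:
        findings.append("AllowUsers unset: every account can be tried from every address")
    for entry in users:
        _, sep, source = entry.partition("@")
        if not sep:
            findings.append(f"AllowUsers {entry}: no source address restriction")
        elif "/" in source:
            try:
                ipaddress.ip_network(source, strict=True)  # rejects ranges with host bits set
            except ValueError:
                findings.append(f"AllowUsers {entry}: '{source}' is not a valid CIDR range")
    return findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real file to see which findings remain; `sshd -T` is the authoritative view of the effective settings once Match blocks are involved.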
I know this is not the answer you want to hear, but being so clueless (as you yourself admit) means you shouldn't be running a public-facing server at all.
You are endangering the whole internet, not only yourself, if someone manages to break in there and deposit and activate some malware.
If someone manages to break in.. can I still take the server back? I mean, can I delete the whole server project from the Digital Ocean web interface?
Should be able to, right?
I have to dive in to get some experience, start from somewhere.. ..
Quote:
Originally Posted by andrewysk
If someone manages to break in.. can I still take the server back? I mean, can I delete the whole server project from the Digital Ocean web interface?
Should be able to, right?
Yes, but the bigger question is: will you even notice?
I see you're busy reading log files, but you aren't able to separate the harmless entries from the potentially harmful ones.
You simply might not recognize the signs. Keep in mind, a successful hacker doesn't want you to notice. They want to keep on using your computer for as long as possible.
Quote:
Originally Posted by andrewysk
I have to dive into to get some experience start from somewhere.. ..
You can do that locally, in your own LAN, or even create one with a virtual machine that you log into from your bare metal install.
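The point above is that the thousands of "Invalid user" lines are not the entries that matter. As an added example (not code from this thread), the triage below runs over a constructed auth.log excerpt: failed and invalid-user attempts are only counted per source address, while every accepted login is flagged when it came from outside an assumed trusted range (203.0.113.0/24, constructed) or was made with a password.

```python
import ipaddress
import re
from collections import Counter

# Constructed auth.log excerpt (not from anyone's real server): the bot noise
# discussed in the thread plus two accepted logins, one of them worth a look.
SAMPLE_AUTH_LOG = """\
Aug 23 09:58:01 vps sshd[2144]: Invalid user admin from 198.51.100.7 port 51022
Aug 23 09:58:01 vps sshd[2144]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug 23 09:58:04 vps sshd[2150]: Invalid user oracle from 198.51.100.7 port 51040
Aug 23 09:58:09 vps sshd[2158]: Failed password for root from 198.51.100.7 port 51050 ssh2
Aug 23 10:02:17 vps sshd[2201]: Accepted publickey for deploy from 203.0.113.25 port 40210 ssh2: ED25519 SHA256:constructed
Aug 23 10:40:33 vps sshd[2390]: Accepted password for backup from 192.0.2.77 port 33172 ssh2
Aug 23 10:40:34 vps sshd[2390]: pam_unix(sshd:session): session opened for user backup by (uid=0)
"""

# Matches the three sshd message shapes we care about; any other line is ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Invalid user|Failed password for|Accepted (?P<method>publickey|password) for) "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def triage_auth_log(log_text, trusted_net):
    """Return (noise, alerts): noise counts failed/invalid attempts per source IP,
    alerts lists accepted logins from outside trusted_net or made with a password."""
    trusted = ipaddress.ip_network(trusted_net)
    noise = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if m["event"].startswith("Accepted"):
            if ip not in trusted or m["method"] == "password":
                alerts.append((m["user"], str(ip), m["method"]))
        else:
            noise[str(ip)] += 1  # background scanning: count it, do not page anyone
    return noise, alerts

if __name__ == "__main__":
    noise, alerts = triage_auth_log(SAMPLE_AUTH_LOG, "203.0.113.0/24")
    print(f"{sum(noise.values())} failed attempts from {len(noise)} addresses (background noise)")
    for user, ip, method in alerts:
        print(f"CHECK: accepted {method} login for {user} from {ip}")
```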