Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a server that is fully exposed to the internet. I am seeing that there are many failed ssh connections, and I am sure the same goes for other protocols. I was thinking maybe to throttle the port with iptables to like 1 connection per whatever, which I am not 100% sure how to do, so if someone could point me in the right direction that would be great. I am going to try using MaxStartups in the meantime, which might help a little bit. I am open to suggestions though.
There is some form of automated malware (a scanner or "worm") that is currently circulating around the internet. It attempts several very simple username-password combinations (like "admin", "test", etc.). Unless you have extremely poor passwords, you really have nothing to worry about. It doesn't appear to be a true brute force attack.
You can eliminate these ssh login attempts by restricting ssh access to only the hosts you need to provide access. This can be done via iptables or tcp_wrappers (hosts.allow/deny). If you cannot restrict access, then make sure you are using a sensible password policy.
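As an added example (not code from either poster), here is a small POSIX sh script that puts the reply's two options side by side with the throttle the original poster asked about: iptables rules that rate-limit new SSH connections per source with the `recent` match, an allow-list version (iptables and the equivalent hosts.allow/hosts.deny content), and a quick triage of auth log lines to see which sources are hammering the box and how often root was tried. It assumes sshd on TCP/22, an iptables build with the `recent` and `conntrack` match modules, and a tcp_wrappers-aware sshd; the log lines and the admin addresses (192.0.2.10, 198.51.100.0/255.255.255.0) are constructed for the demo. Every function only prints rules or file content, so it runs anywhere without root; review the output and then apply it as root.

```shell
#!/bin/sh
# Added example for this thread, not from any poster. Functions only generate
# rule text / file content; nothing here touches the firewall or /etc.

# Rate-limit *new* SSH connections per source address using the recent module.
# $1 = connections allowed, $2 = window in seconds (default: 4 per 60 s).
# Rule 1 records the source on every new connection; rule 2 drops the source
# once it has made $hits new connections within $window seconds. Established
# sessions are not matched, so an admin who is already logged in is unaffected.
ssh_ratelimit_rules() {
  hits=${1:-4}; window=${2:-60}
  cat <<EOF
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP
EOF
}

# The reply's stronger option: only listed admin sources may reach sshd at all.
# $@ = addresses or address/netmask pairs that need access (constructed here).
ssh_allowlist_rules() {
  for src in "$@"; do
    echo "iptables -A INPUT -p tcp --dport 22 -s $src -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Same policy expressed for tcp_wrappers: the line for /etc/hosts.allow,
# a '---' separator, then the line for /etc/hosts.deny.
tcpwrappers_policy() {
  printf 'sshd: %s\n' "$*"
  echo '---'
  echo 'sshd: ALL'
}

# Constructed auth log excerpt (sshd format); addresses are documentation ranges.
AUTH_LOG_SAMPLE='Jan 10 03:14:07 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:09 srv sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40113 ssh2
Jan 10 03:14:12 srv sshd[2205]: Failed password for root from 203.0.113.5 port 40115 ssh2
Jan 10 03:15:01 srv sshd[2210]: Failed password for root from 198.51.100.7 port 51020 ssh2
Jan 10 03:16:30 srv sshd[2212]: Accepted publickey for alice from 192.0.2.10 port 22000 ssh2'

# Reads log lines on stdin; prints "count address" per source, busiest first.
failed_logins_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port.*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Reads log lines on stdin; prints how many failed logins targeted root.
failed_root_logins() {
  grep -c 'Failed password for root from'
}

# Demo on the constructed log: who is knocking, and how often root was tried.
printf '%s\n' "$AUTH_LOG_SAMPLE" | failed_logins_by_ip
printf 'failed root logins: %s\n' "$(printf '%s\n' "$AUTH_LOG_SAMPLE" | failed_root_logins)"
echo '--- throttle rules ---';   ssh_ratelimit_rules 4 60
echo '--- allow-list rules ---'; ssh_allowlist_rules 192.0.2.10 198.51.100.0/255.255.255.0
echo '--- tcp_wrappers ---';     tcpwrappers_policy 192.0.2.10 198.51.100.0/255.255.255.0
```

The throttle rules go before any general ACCEPT for port 22 in the INPUT chain; the allow-list rules replace that ACCEPT entirely. Run `failed_logins_by_ip` on the real log (`failed_logins_by_ip < /var/log/auth.log` or `/var/log/secure`, depending on the distro) to get the list of sources to feed into either.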
Yeah, that's what I am seeing. It's test, guest, admin and user that I am seeing, and those are not accounts on my server so they can't get in anyway. The only one I am concerned about is that there were 12 failed login attempts to the root account. I have been blocking the IPs as I see them and they all seem to be from either Korea or Taiwan.
--edit--
Maybe disabling the root login from ssh might do the trick, and just have one account that can su over.
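Added example (not from the thread): the two sshd_config changes this thread lands on, `PermitRootLogin no` from the edit above and `MaxStartups` from the first post, as a small sh audit/harden script. `sshd_directive` reads a directive the way sshd does (first non-comment occurrence wins, names are case-insensitive), `audit_sshd_config` reports the two weak settings, and `harden_sshd_config` emits a corrected config. The sample config text is constructed for the demo; the script never writes to /etc.

```shell
#!/bin/sh
# Added example for this thread, not from any poster. Reads sshd_config text
# on stdin and writes results to stdout; it does not modify the real file.

# Constructed sshd_config excerpt: root login allowed, a bare MaxStartups cap.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
MaxStartups 10'

# Print the effective value of directive $1 from sshd_config text on stdin.
# Comment lines are skipped and the first match wins, matching sshd's own rule
# that the first obtained value for a keyword is the one used.
sshd_directive() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; exit }'
}

# One finding per line for the settings discussed in the thread. An absent
# PermitRootLogin is not flagged because its default depends on the OpenSSH version.
audit_sshd_config() {
  cfg=$(cat)
  root=$(printf '%s\n' "$cfg" | sshd_directive PermitRootLogin)
  [ "$root" = "yes" ] && echo "PermitRootLogin yes: root can log in over ssh directly; set it to no and su from an unprivileged account"
  starts=$(printf '%s\n' "$cfg" | sshd_directive MaxStartups)
  [ -z "$starts" ] && echo "MaxStartups unset: add start:rate:full (e.g. 10:30:60) so floods of unauthenticated connections are shed early"
  return 0
}

# Emit a hardened copy: strip active PermitRootLogin/MaxStartups lines and
# append the recommended values. 10:30:60 = start refusing at 10 pending
# unauthenticated connections with 30% probability, rising to 100% at 60.
harden_sshd_config() {
  grep -viE '^[[:space:]]*(PermitRootLogin|MaxStartups)[[:space:]]' |
    { cat; printf 'PermitRootLogin no\nMaxStartups 10:30:60\n'; }
}

# Demo on the constructed sample.
echo '--- findings before ---'
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
echo '--- hardened config ---'
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | harden_sshd_config
echo '--- findings after ---'
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | harden_sshd_config | audit_sshd_config
```

To use it on a real host: `harden_sshd_config < /etc/ssh/sshd_config > /tmp/sshd_config.new`, check it with `sshd -t -f /tmp/sshd_config.new`, and only then move it into place and reload sshd, keeping your current session open until a fresh login with the non-root account and `su` has been confirmed.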