Asked Sunday, May 23, 2021, 5:10:53 · answers: 1 · hits: 13902

A few weeks ago I posted a question here about some ssh issues I was having with an Ubuntu 12.04 box. Fast forward to today and I am trying to allow someone else access to the machine, but they keep getting password errors. I checked out var/logs/auth.log for more info, and found this:

    May 11 19:45:33 myserver sshd[9264]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:38 myserver sshd[9267]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:44 myserver sshd[9270]: Did not receive identification string from 211.110.xxx.x
    May 11 19:45:49 myserver sshd[9274]: Did not receive identification string from 211.110.xxx.x

I have almost 10000 lines that all seem to say more or less the same thing (there are also 4 auth.log.gz files, which I'm assuming are more of the same?). Sometimes there is a random username attached to the request, input_userauth_request: invalid user bash [preauth]



I don't know much about servers, but it looks like someone is trying to gain access to mine.



Googled around for how to block an IP address in Ubuntu and ended up with this: iptables -A INPUT -s 211.110.xxx.x -j DROP, but after running that command and checking the logs, I'm still getting requests from this one IP every 5 seconds.



How can I find out more about what's going on and deal with these constant requests?
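One way to get a first answer to "what is going on" is to summarise the log by source address rather than reading 10000 lines. The script below is an added example, not code from the question or the answer: it groups the "Did not receive identification string" entries (a TCP connection reached sshd but no SSH client banner followed, which is scanner behaviour rather than a real client) and the "Invalid user <name> from <ip>" entries by source IP. The sample log lines are constructed for the demo, with the 211.110.xxx.x address masked as in the post; run it against the real file with `summarize < /var/log/auth.log`.

```shell
#!/bin/sh
# Added example, not code from the original post or its answer: a small triage
# script for sshd noise in an auth.log-style file. It groups banner-less probes
# and invalid-user guesses by source IP so you can see how many distinct
# sources are involved and which one dominates.
# Everything in SAMPLE_LOG is constructed for the demo; the 211.110.xxx.x
# address is masked exactly as in the post.

SAMPLE_LOG="$(cat <<'EOF'
May 11 19:45:33 myserver sshd[9264]: Did not receive identification string from 211.110.xxx.x
May 11 19:45:38 myserver sshd[9267]: Did not receive identification string from 211.110.xxx.x
May 11 19:45:44 myserver sshd[9270]: Did not receive identification string from 211.110.xxx.x
May 11 19:46:02 myserver sshd[9281]: input_userauth_request: invalid user bash [preauth]
May 11 19:46:02 myserver sshd[9281]: Invalid user bash from 211.110.xxx.x
May 11 19:47:10 myserver sshd[9290]: Did not receive identification string from 198.51.100.7
May 11 19:48:00 myserver sshd[9301]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2
EOF
)"

# Banner-less probes per source IP, busiest first. Output: "<ip> <count>" per line.
# A "Did not receive identification string" entry means a TCP connection was
# opened to sshd but no SSH banner followed: a scanner, not a real client.
count_probes() {
    grep 'Did not receive identification string from ' |
        awk '{ print $NF }' | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Username-guessing attempts per source IP, busiest first.
# (The "input_userauth_request: invalid user ..." line carries no IP; the
# matching "Invalid user <name> from <ip>" line does, so that is what we count.)
count_invalid_users() {
    grep 'Invalid user .* from ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Number of banner-less probes from one exact IP (log on stdin). Prints 0,
# rather than failing, when the IP never appears.
probes_from() {
    awk -v ip="$1" \
        '/Did not receive identification string from / && $NF == ip { n++ }
         END { print n + 0 }'
}

# Full report for a log supplied on stdin, e.g.  summarize < /var/log/auth.log
# Rotated files can be included with:  zcat /var/log/auth.log.*.gz | summarize
summarize() {
    log="$(cat)"
    echo "== banner-less probes by source IP =="
    printf '%s\n' "$log" | count_probes
    echo "== invalid-user guesses by source IP =="
    printf '%s\n' "$log" | count_invalid_users
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

If the report shows one address responsible for nearly everything, a per-IP block or a tool such as denyhosts is the right shape of fix; if it shows hundreds of sources, rate limiting or key-only authentication matters more than any single block. On the iptables side, one general point (not a diagnosis of this particular box): `iptables -A INPUT ...` appends to the end of the INPUT chain, so any earlier rule that accepts the traffic is matched first and the DROP never sees the packet. `iptables -L INPUT -n -v --line-numbers` shows the rule order together with per-rule packet counters, which tells you directly whether the DROP rule is being hit, and `iptables -I INPUT 1 ...` inserts a rule at the top of the chain instead.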



 Answers

From what you describe, it looks like an automated attack on your server. Most attacks are, unless the attacker knows you personally and is holding a grudge...



Anyway, you might want to look into denyhosts, which you can get from the usual repos. It can analyse repeated attempts and will block their IP address. You may still get something in your logs, but it will at least help mitigate any security concerns.



As for getting more information, I really wouldn't bother. Unless they're an amateur, they'll be using a remote server to do their dirty work which will tell you nothing about who they really are. Your best bet is to find the admin for the IP range (WHOIS is your friend here), and let them know that you're getting a lot of access attempts from that IP. They may be good enough to do something about it.


[#25295] Tuesday, May 25, 2021
guialk
Location: Saint Vincent and the Grenadines
Member since Sat, Sep 11, 2021