nick | message | time |
---|---|---|
lotuspsychje | good morning | 03:00 |
=== JanC is now known as Guest6387 | ||
=== JanC_ is now known as JanC | ||
leftyfb | man, there's been a HUGE uptick in ssh attacks on my servers. All of which run on non-standard ports and don't allow password auth. | 14:15 |
pragmaticenigma | leftyfb, how do you monitor your ssh service? | 14:19 |
leftyfb | fail2ban | 14:19 |
leftyfb | I get emails for every block | 14:19 |
pragmaticenigma | oh... if I don't have that, do you have a recommendation for a log file to monitor? | 14:19 |
leftyfb | the last few nights I wake up to hundreds of emails | 14:19 |
leftyfb | fail2ban already has built-in rules for ssh. You should only have to enable ssh | 14:20 |
pragmaticenigma | I don't have fail2ban... nor emails setup | 14:20 |
leftyfb | sudo apt install fail2ban | 14:21 |
leftyfb | you could install something like ssmtp for outbound emails | 14:21 |
pragmaticenigma | `tail -fn 500 /var/log/auth.log` seems to be enough for what I need at the moment | 14:22 |
leftyfb | fail2ban automatically blocks IPs if there's too many failed logins | 14:22 |
pragmaticenigma | I'm just trying to see if I have a concern... thanks for the suggestion. I'm just going to close the port on the firewall for now | 14:23 |
leftyfb | I also have it monitoring email and web logs | 14:23 |
leftyfb | I wrote some custom plugins specifically for wordpress looking for attempts at vulnerabilities | 14:24 |
leftyfb | also failed logins on the wordpress admin page | 14:24 |
pragmaticenigma | I haven't seen this aggressive of attempts to ssh since before I switched to using non-standard port... wonder what's going on | 14:29 |
pragmaticenigma | there... that should reduce my unwanted activity... only IPs from my region are allowed... not a perfect solution, but cuts out a lot of the noise | 15:46 |
pragmaticenigma | now to look into other tools | 15:47 |
oerheks | Suricata ? | 15:57 |
pragmaticenigma | I'll probably go the fail2ban route like lefty | 16:03 |
oerheks | yes, that should be standard nowadays. | 16:05 |
oerheks | Suricata comes in mind after they break in.. | 16:05 |
leftyfb | "after they break in" = wipe machine and start rebuild/restore | 16:06 |
oerheks | with root login, sure. | 16:06 |
leftyfb | any login | 16:07 |
leftyfb | PEV's exist | 16:07 |
pragmaticenigma | indeed... if someone has gotten into the system, time to wipe and start over | 16:23 |
arraybolt3 | this makes me curious... | 18:47 |
arraybolt3 | huh, well that's alarming, I see the SSH server I'm on has plenty of attacks against it too | 18:49 |
arraybolt3 | people trying to log in as root, telecomadmin, test, admin1, webadmin, and some weird ones like yvonne and thomnode (? no one named either of those names uses our server) | 18:51 |
leftyfb | "plenty of attacks" is normal | 19:02 |
leftyfb | but there's been a significant uptick | 19:03 |
pragmaticenigma | yep... big uptick... especially when running on non-standard port being very intriguing | 19:04 |
leftyfb | I changed the port on most of my servers and cut down the reports significantly | 19:22 |
leftyfb | until the idiots update their scripts or they have port scanners and ping my new port which feeds to their ssh attack script | 19:23 |
leftyfb | usually they don't put that much effort into it though | 19:23 |
leftyfb | March 10th looks to be the craziest for some reason | 19:23 |
pragmaticenigma | more like... once tried... why does it keep trying to get in? script kiddie no doubt | 19:25 |
pragmaticenigma | possible that this is one of those hack-as-a-service outfits? | 19:26 |
leftyfb | it's trying different user/pass combinations | 19:26 |
leftyfb | https://paste.ubuntu.com/p/4CKtkGRDJt/ | 19:27 |
leftyfb | these are the number of attempts per day for this month | 19:27 |
pragmaticenigma | probably coming from rainbow tables | 19:27 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!