
Hello, I've just rented a server at hetzner.de and decided to follow the tutorials at Linode for securing my server!

I've just completed setting up OSSEC and then, right off the bat, I get spammed with mails:

    OSSEC HIDS Notification.
    2016 Apr 04 17:33:10

    Received From: Debian-83-jessie-64-LAMP->/var/log/auth.log
    Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
    Portion of the log(s):

    Apr  4 17:33:08 Debian-83-jessie-64-LAMP sshd[16267]: Failed password for root from 81.246.42.242 port 48275 ssh2
    Apr  4 17:33:07 Debian-83-jessie-64-LAMP sshd[16267]: Failed password for root from 81.246.42.242 port 48275 ssh2
    Apr  4 17:32:27 Debian-83-jessie-64-LAMP sshd[16261]: Failed password for root from 81.246.42.242 port 50924 ssh2
    Apr  4 17:32:25 Debian-83-jessie-64-LAMP sshd[16261]: Failed password for root from 81.246.42.242 port 50924 ssh2
    Apr  4 17:32:23 Debian-83-jessie-64-LAMP sshd[16261]: Failed password for root from 81.246.42.242 port 50924 ssh2
    Apr  4 17:31:42 Debian-83-jessie-64-LAMP sshd[16226]: Failed password for root from 81.246.42.242 port 43742 ssh2
    Apr  4 17:31:40 Debian-83-jessie-64-LAMP sshd[16226]: Failed password for root from 81.246.42.242 port 43742 ssh2
    Apr  4 17:31:38 Debian-83-jessie-64-LAMP sshd[16226]: Failed password for root from 81.246.42.242 port 43742 ssh2

    --END OF NOTIFICATION

    OSSEC HIDS Notification.
    2016 Apr 04 17:44:09

    Received From: Debian-83-jessie-64-LAMP->/var/log/auth.log
    Rule: 2502 fired (level 10) -> "User missed the password more than one time"
    Portion of the log(s):

    Apr  4 17:44:08 Debian-83-jessie-64-LAMP sshd[17133]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=242.42-246-81.adsl-static.isp.belgacom.be  user=root

    --END OF NOTIFICATION

I'm new to servers, so I'm not sure what to make of this. Is it a random bot at belgacom.be that tries to break my password? Should I just blacklist the IP?

3 Answers

Blacklisting the IP won't resolve your issue; moments later you will be attacked the same way by another IP.

81.246.42.242 is coming from Belgium (verified with ip2location). A method of resolving this is to block all IPs and only allow access to your IP or subnet. However, I instead recommend using SSH keys and disabling root SSH logins.

For more information: Firewall setup, SSH key setup


Those sorts of events/logs for SSH are ubiquitous. Some people say "change the port" but, as you can see from the logs, they scan all your ports, so, IMHO, security through obscurity (changing port 22 for SSH) adds little to security and may or may not quiet the logs.

You need to secure your SSH server. Personally, I use keys and disable passwords, root logins without-password, and a few rules in iptables.

I suggest you look at:

How to harden an SSH server?

https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

http://bodhizazen.com/Tutorials/SSH_security

Panther

The first rule of IT security is that you will get people trying to attack anything web-facing.

Port 22 is a common target for port scanners and similar service-breaching attacks. For SSH, running on a different port helps slightly to mitigate this; setting your firewall to filter on your SSH port so that only IPs you trust can reach SSH is a more effective system.

This is commonly seen with anything Internet-facing. You are likely just one of many getting many root login attempts. Time to lock it down by changing ports and then IP-restricting the connections you allow to your SSH port in the firewall.

Thomas Ward
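As an added example (not code from any of the answers or from OSSEC), a small POSIX shell script that checks the two sshd_config settings the answers recommend and tallies failed logins per source from auth.log lines shaped like the alert in the question, including the PAM "N more authentication failures" summary line. The sample config and log it creates are constructed for the demonstration.

```shell
# Added example, not from the thread: audit the sshd_config settings the answers
# recommend and tally failed logins per source from auth.log lines shaped like the
# OSSEC alert. The sample config and log below are constructed.
# sshd honours the FIRST uncommented occurrence of a keyword; mimic that.
get_opt() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}
# One finding per setting that still permits what the alert shows;
# returns 0 when both are hardened, 1 otherwise.
audit_sshd_config() {
    rc=0
    root=$(get_opt "$1" permitrootlogin)
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '${root:-unset}': set it to no"; rc=1 ;;
    esac
    pw=$(get_opt "$1" passwordauthentication)
    case "$pw" in
        no) ;;
        *) echo "PasswordAuthentication is '${pw:-unset}': set it to no once key login works"; rc=1 ;;
    esac
    return $rc
}
# "Failed password ... from <ip>" counts 1; the PAM summary "N more
# authentication failures ... rhost=<host>" adds N. Output: "<source> <count>".
summarize_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            n[src]++
        }
        /sshd\[[0-9]+\]: PAM [0-9]+ more authentication failures/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "PAM") k = $(i + 1)
                if ($i ~ /^rhost=/) src = substr($i, 7)
            }
            n[src] += k
        }
        END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr
}
# Constructed sample input modelled on the alert in the question.
SAMPLE_LOG=$(mktemp); SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr  4 17:33:08 host sshd[16267]: Failed password for root from 81.246.42.242 port 48275 ssh2
Apr  4 17:33:07 host sshd[16267]: Failed password for root from 81.246.42.242 port 48275 ssh2
Apr  4 17:44:08 host sshd[17133]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=242.42-246-81.adsl-static.isp.belgacom.be  user=root
Apr  4 17:50:01 host sshd[17200]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
EOF
printf '#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$SAMPLE_CFG"
audit_sshd_config "$SAMPLE_CFG" || echo "sshd_config still needs hardening"
summarize_failures "$SAMPLE_LOG"
```

Run it against the real files with `audit_sshd_config /etc/ssh/sshd_config` and `summarize_failures /var/log/auth.log`; a source with a high count is what OSSEC rule 5720 is reacting to, and the audit tells you whether root password logins are still possible.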