Robert Hughes's picture

Help!

A couple of days ago I set up a new Debian LAMP stack with TurnKey on an EC2 instance using the default TurnKey security group that only allows a few ports. I was examining the logs just now and noticed multiple SSH root login attempts on what look like random ports.

3 questions:

1. What the hell is this from?

2. Should I be concerned?

3. What can I do to stop it?

I've attached a small section of the log file.


Thanks in advance,

Robert

Robert's picture

*bump*

Anything? Anybody?

Liraz Siri's picture

There's no special cause for concern. It's just a routine root password brute-forcing attempt. They're looking for low-hanging fruit. But if practical you can tighten the screws by moving SSH to a non-default port (e.g., not 22), and disabling password authentication.

For what it's worth, this is happening to everyone. The attacks are automated and carried out on an Internet scale by millions of compromised computers on botnets. The correct question to ask isn't who is behind this, but who isn't behind this. Even your favorite western governments are in on the fun:

NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

Liraz Siri's picture

FWIW, you misunderstood what the random port numbers in the logs mean. They are not destination ports the attacker is connecting to on your computer but source ports the attacker is connecting from. To be honest, it's kind of useless information. I'm not even sure what the point of logging that is. SSH on your computer is listening on port 22. Change it to something else and they might pass you by. Or not.
Robert's picture

Thanks Liraz for your help on this.

OnePressTech's picture

Moving root login to another port just moves the brute force attack point. As Liraz said...the robots may pass you by...or they may just run through all your ports until they get a reaction.

The general security recommendation would be to disable root login. If you think about it, root is just an obvious account name. If you do all your work using an account you choose the name of, the likelihood of a successful attack is low. Add on a login retry attempt timeout and / or 2-factor authentication and no one will likely get in. I use 24 character randomised account names and 64 character randomised passwords with port 22 blocked to all but my IP address.

As with any increased security there are increased inconveniences....

1) A non-root account with root privileges does not allow you to do everything a root account can do (not sure what the O/S design thinking was there), so you will need to log in using your root-capable admin account and then `su root` (don't disable the root account, just disable SSH login for it).

2) My favorite WinSCP tool becomes useless since it can't issue a post-login `su` command to switch to root mode. I need to rely on Webmin, which is a poor substitute since it doesn't support bulk file update, and I have had little success with its gzip utility if I upload a bunch of files in zip form.

Anyone else have a favorite security strategy to share?


Cheers,

Tim (Managing Director - OnePressTech)

Jeremy Davis's picture

Personally I usually just disable password login and leave everything else default (and log in with keys). That way SFTP works like normal. I guess you could still change the port too.
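As an added example (not from any poster in this thread), the script below does two things the discussion touches on: it parses sshd log lines of the kind Robert saw, grouping failed password attempts by source address so the varying "port" values show up as the attacker's source ports rather than ports on the server, and it checks an sshd_config for the two settings recommended above (no root SSH login, no password authentication). The log lines and addresses are constructed; the threshold of 3 attempts is an arbitrary choice for the demo.

```python
"""Triage helpers for the sshd log lines discussed above (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format of Debian's /var/log/auth.log; the addresses
# are RFC 5737 documentation ranges, not real hosts. The "port N" field is the
# attacker's *source* port, which is why it looks random from line to line.
SAMPLE_LOG = """\
Jun  3 10:01:11 lamp sshd[2311]: Failed password for root from 203.0.113.5 port 48211 ssh2
Jun  3 10:01:13 lamp sshd[2311]: Failed password for root from 203.0.113.5 port 48219 ssh2
Jun  3 10:01:15 lamp sshd[2315]: Failed password for root from 203.0.113.5 port 48230 ssh2
Jun  3 10:01:20 lamp sshd[2320]: Failed password for root from 198.51.100.77 port 51002 ssh2
Jun  3 10:02:02 lamp sshd[2330]: Accepted publickey for admin from 192.0.2.10 port 53340 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def failed_logins(log_text):
    """Map each source IP to (failed attempt count, set of source ports seen)."""
    counts, ports = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
            ports[m["ip"]].add(int(m["port"]))
    return {ip: (counts[ip], ports[ip]) for ip in counts}

def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts."""
    return sorted(ip for ip, (n, _) in failed_logins(log_text).items() if n >= threshold)

def check_sshd_config(config_text):
    """Report whether the two directives recommended in the thread are set as advised."""
    first = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            # sshd honours the first occurrence of a directive; later duplicates are ignored
            first.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {
        # "prohibit-password" (older spelling: "without-password") still allows key-based root login
        "PermitRootLogin": first.get("permitrootlogin") in ("no", "prohibit-password", "without-password"),
        "PasswordAuthentication": first.get("passwordauthentication") == "no",
    }
```

Running `failed_logins(SAMPLE_LOG)` shows three attempts from one address, each with a different source port, and `check_sshd_config` on a default Debian config of the era reports both settings as not yet hardened.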
