Vesta Control Panel - Forum
SSH Breach on a New Machine?

General questions about VestaCP
9 posts • Page 1 of 1
arsham
Posts: 5
Joined: Tue Feb 14, 2017 1:38 pm

SSH Breach on a New Machine?

Post by arsham » Tue Feb 14, 2017 1:54 pm

Hi guys,

I set a pretty strong password on my brand new setup yesterday. Today I see 2 root logins from China and one from Germany... can someone please look into this?

Code:

ashm@cp:~$ sudo netstat -tnpa | grep 'ESTABLISHED.*sshd'
[sudo] password for ashm:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     68 10.20.0.5:22            221.194.44.195:48134    ESTABLISHED 1376/sshd: root [pr
tcp        0      0 serverip:22             185.101.92.193:23561    ESTABLISHED 1236/sshd: [accepte
tcp        0     68 10.20.0.5:22            221.194.44.224:58094    ESTABLISHED 1372/sshd: root [pr
tcp        0     64 serverip:22             myip:51136     ESTABLISHED 730/sshd: ashm [p

ashm@cp:~$ sudo ps auxwww | grep sshd:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       730  0.0  1.3  95404  6588 ?        Ss   09:10   0:00 sshd: ashm [priv]
ashm       899  0.0  0.7  95404  3592 ?        S    09:10   0:00 sshd: ashm@pts/0
root      1372  0.0  1.3  94276  6620 ?        Ss   09:12   0:00 sshd: root [priv]
sshd      1373  0.0  0.6  66864  3272 ?        S    09:12   0:00 sshd: root [net]
root      1443  0.0  1.3  94032  6644 ?        Ss   09:12   0:00 sshd: root [priv]
sshd      1444  0.0  0.6  66864  3268 ?        S    09:12   0:00 sshd: root [net]
root      1484  0.0  1.2  94032  6376 ?        Ss   09:14   0:00 sshd: root [priv]
sshd      1485  0.0  0.6  66864  3216 ?        S    09:14   0:00 sshd: root [net]
ashm      1487  0.0  0.1  12944   964 pts/0    S+   09:14   0:00 grep --color=auto sshd:

ashm@cp:~$ who -a
           system boot  2017-02-14 01:18
           run-level 5  2017-02-14 01:18
LOGIN      tty1         2017-02-14 01:18              1700 id=tty1
LOGIN      ttyS0        2017-02-14 01:18              1692 id=tyS0
ashm     + pts/0        2017-02-14 09:10   .           730 (myip)

patstan
Posts: 117
Joined: Wed Jul 30, 2014 10:53 am

Re: SSH Breach on a New Machine?

Post by patstan » Tue Feb 14, 2017 5:11 pm

Depends what a "pretty strong password" means really. If the password does not have a combination of numbers and other characters (such as $?%?^?) you may get brute forced.

However, if you did have a relatively good password, this may be a cause for investigation for the VestaCP team.

arsham
Posts: 5
Joined: Tue Feb 14, 2017 1:38 pm

Re: SSH Breach on a New Machine?

Post by arsham » Tue Feb 14, 2017 5:35 pm

The password did contain special characters, and Fail2Ban was also on to prevent brute forcing. I have since shut the system down, but could you tell, based on the info I had provided, whether they had successfully logged into the machine?

I did look at:

Code:

sudo cat /var/log/auth.log | grep "Accepted password for"

The entries looked legit but I'm not sure if they could've simply erased the log upon login.

patstan
Posts: 117
Joined: Wed Jul 30, 2014 10:53 am

Re: SSH Breach on a New Machine?

Post by patstan » Tue Feb 14, 2017 7:40 pm

If I were you I would email the VestaCP guys and give them access to the server temporarily for investigation to see what really happened.

I'm sure they'd also like to know what is going on here.

I assume the server was new, and you installed VestaCP just after?

arsham
Posts: 5
Joined: Tue Feb 14, 2017 1:38 pm

Re: SSH Breach on a New Machine?

Post by arsham » Tue Feb 14, 2017 7:48 pm

Yes it was a fresh Vesta install right after Ubuntu 16.04.2 LTS image installation. I ran these:

Code:

apt-get update
apt-get upgrade
curl -O http://vestacp.com/pub/vst-install.sh
delgroup admin
shutdown -r now
bash vst-install.sh --nginx yes --apache yes --phpfpm no --vsftpd no --proftpd yes --exim yes --dovecot yes --spamassassin yes --clamav yes --named yes --iptables yes --fail2ban yes --mysql yes --postgresql no --remi yes --quota yes
...

skamasle
Collaborator
Posts: 592
Joined: Mon Feb 29, 2016 6:36 pm

Re: SSH Breach on a New Machine?

Post by skamasle » Tue Feb 14, 2017 9:46 pm

This is not a security issue.

Code:

tcp        0     68 10.20.0.5:22            221.194.44.195:48134    ESTABLISHED 1376/sshd: root [pr

This only means that you have a connection to port 22.

So if you do ssh root@YourServerIP

you get an ESTABLISHED 1376/sshd: root

But that does not mean that you have something in your server.

So that is a brute force attack only; it is impossible to get the password in a few minutes if you do not use qwerty or "test" as your password.

You need to check your auth.log, or your secure log (in CentOS), to check if there is any successful login, or use the "w" command.

But that ESTABLISHED is very normal if you do not change your SSH port.

You can do ssh root@yourip and leave it connected without entering your password, and you get an ESTABLISHED until ssh kills that connection.
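The check skamasle describes, as an added example that is not part of the thread: a small POSIX shell script that pulls successful logins and per-IP failure counts out of an auth.log, and classifies sshd process titles from `ps` so that a pre-auth `[net]` child is not mistaken for a logged-in session. The log excerpt is constructed (the hostname `cp` and user `ashm` mirror the thread; the IPs are documentation addresses), and the line formats assume Ubuntu 16.04's OpenSSH logging as seen in the thread's own grep.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd entries from auth.log and
# tell pre-auth sshd processes apart from authenticated sessions in `ps`.
# The log excerpt below is constructed; the IPs are documentation ranges.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Feb 14 09:10:02 cp sshd[730]: Accepted password for ashm from 192.0.2.10 port 51136 ssh2
Feb 14 09:10:02 cp sshd[730]: pam_unix(sshd:session): session opened for user ashm by (uid=0)
Feb 14 09:12:15 cp sshd[1372]: Failed password for root from 203.0.113.5 port 58094 ssh2
Feb 14 09:12:18 cp sshd[1372]: Failed password for root from 203.0.113.5 port 58094 ssh2
Feb 14 09:12:40 cp sshd[1443]: Invalid user admin from 203.0.113.7
Feb 14 09:14:01 cp sshd[1484]: Connection closed by 203.0.113.9 port 40021 [preauth]
EOF
)

# Print "user source-ip" for every successful login (password or publickey).
accepted_logins() {   # $1 = path to auth.log
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" \
        | sed -E 's/.*Accepted [a-z]+ for ([^ ]+) from ([^ ]+) .*/\1 \2/'
}

# Count failed password attempts per source IP, busiest first.
failed_by_ip() {      # $1 = path to auth.log
    grep 'Failed password for' "$1" \
        | sed -E 's/.* from ([^ ]+) port .*/\1/' \
        | sort | uniq -c | sort -rn
}

# Classify one sshd process title as shown by `ps`:
#   "sshd: root [net]"     unprivileged child doing the pre-auth handshake
#   "sshd: ashm@pts/0"     user process of an authenticated session
#   "sshd: root [priv]"    privileged monitor; present in both cases, so
#                          look at its child process to decide
classify_sshd() {     # $1 = process title
    case "$1" in
        *'[net]'*|*'[accepted]'*)               echo preauth ;;
        *'sshd: '*'@pts/'*|*'sshd: '*'@notty'*) echo authenticated ;;
        *'[priv]'*)                             echo monitor ;;
        *)                                      echo unknown ;;
    esac
}

# Stand-alone run: `sh triage.sh --demo` writes the sample log to a temp file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$tmp"
    echo "Accepted logins:";        accepted_logins "$tmp"
    echo "Failed attempts by IP:";  failed_by_ip "$tmp"
    for t in 'sshd: root [net]' 'sshd: ashm@pts/0' 'sshd: root [priv]'; do
        printf '%-22s %s\n' "$t" "$(classify_sshd "$t")"
    done
    rm -f "$tmp"
fi
```

On a real box, point `accepted_logins` and `failed_by_ip` at `/var/log/auth.log` (and the rotated `auth.log.1`), and compare the accepted list with your own source addresses as the thread does; the `[net]` rows in the original `ps` output correspond to connections still waiting for a password, which is exactly what a brute-force attempt looks like while Fail2Ban has not yet banned the source.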

arsham
Posts: 5
Joined: Tue Feb 14, 2017 1:38 pm

Re: SSH Breach on a New Machine?

Post by arsham » Tue Feb 14, 2017 10:04 pm

I did look through auth.log and only found my own successful login attempts. I was under the impression that when PermitRootLogin is set to no, root connections would be dropped. But I'll presume this is normal from now on.

Thank you for the replies.

patstan
Posts: 117
Joined: Wed Jul 30, 2014 10:53 am

Re: SSH Breach on a New Machine?

Post by patstan » Wed Feb 15, 2017 12:57 pm

Also, if you aren't already, I highly recommend that you use SSH keys to make your server 100% safe from brute-force attacks.

I personally don't agree with changing the port to something other than 22 because it doesn't do anything other than block bots. If you want to save 1-2 MB at most, then it's a good thing. Otherwise, there's no point. Anyone can run port scans.
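The key-only setup patstan recommends, together with the PermitRootLogin question from earlier in the thread, as an added example that is not part of the thread: a POSIX shell audit of an sshd_config that reports the effective value of the three directives that decide whether a password can ever be guessed. It deliberately mirrors one OpenSSH rule that trips people up: sshd takes the first non-comment occurrence of a keyword, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing. Both config samples are constructed; the defaults assumed when a keyword is absent are those of OpenSSH 7.x (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# that make SSH-key-only login effective. Both configs below are constructed.

WEAK_CONFIG='# constructed sample: the trailing "no" is ignored by sshd
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
'

HARDENED_CONFIG='# constructed sample: key-only logins, root only with a key
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
'

# Effective value of one keyword. sshd uses the FIRST non-comment
# occurrence, so this awk stops at the first match. Prints nothing if the
# keyword is not set, letting the caller apply the compiled-in default.
sshd_effective() {   # $1 = config file, $2 = keyword
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report each control as OK or WEAK; return 1 if anything is weak.
# Defaults when unset are assumed to be those of OpenSSH 7.x.
audit_sshd_config() {   # $1 = config file
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin);        root=${root:-prohibit-password}
    pass=$(sshd_effective "$1" PasswordAuthentication); pass=${pass:-yes}
    pub=$(sshd_effective "$1" PubkeyAuthentication);    pub=${pub:-yes}
    case "$root" in
        no|prohibit-password|without-password) echo "OK   PermitRootLogin $root" ;;
        *) echo "WEAK PermitRootLogin $root (root can log in with a password)"; rc=1 ;;
    esac
    if [ "$pass" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WEAK PasswordAuthentication $pass (brute force still possible)"; rc=1; fi
    if [ "$pub" = yes ]; then echo "OK   PubkeyAuthentication yes"
    else echo "WEAK PubkeyAuthentication $pub (keys would not work)"; rc=1; fi
    return $rc
}

# Stand-alone run: `sh audit.sh --demo` audits both samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s' "$WEAK_CONFIG" > "$tmp"
    audit_sshd_config "$tmp" || echo "-> weak config"
    printf '%s' "$HARDENED_CONFIG" > "$tmp"
    audit_sshd_config "$tmp" && echo "-> hardened config"
    rm -f "$tmp"
fi
```

Run it against `/etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you do: once `PasswordAuthentication no` is in effect, a missing or mis-permissioned `~/.ssh/authorized_keys` locks you out as surely as it locks out the bots.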

arsham
Posts: 5
Joined: Tue Feb 14, 2017 1:38 pm

Re: SSH Breach on a New Machine?

Post by arsham » Wed Feb 15, 2017 1:02 pm

Will do, thanks.