As many of you have probably noticed, when you attach an ssh server to the internet on port 22 you almost instantly start getting attacked by bots.
As far as I can tell they'll go after default logins. One I see a lot is for the user "pi".
What the hell are the people running this stuff trying to achieve?
Has anyone found out anything interesting from setting up a honeypot?
Hudson Richardson
Pi is kodi for the raspberry pi which you can ssh into
Grayson Harris
Who connects a fucking raspberry pi to the internet directly with a dedicated IP address
Justin Moore
Stupid people...and then they get pwned instantly apparently.
Jonathan Jones
Who uses port 22?
Bentley Jones
changing ports doesn't actually do anything
pretty sure you can just nmap anyway
David Perry
what can I do if I ssh into a server as root and want to do as much damage as possible?
Hudson Gomez
it does a lot in terms of those automatic scans. Even throwing port 22 requests out there is already quite intensive when you try to map the internet, forget about nmapping every device
Nathaniel White
rm -R / --no-preserve-root
Doesn't get easier than that.
Julian Cook
You'd have to script for thousands of ports, hackers aren't stupid, they're lazy and looking for easy targets.
Mason Ortiz
you can easily try every port from 1 to 100000 in parallel
William Nguyen
That would take 100,000 times more computational work.
Dominic Watson
or you can try device 1 to 100000 in parallel
Nolan Hernandez
It deters those that just use a script. No, there aren't that many that use a script that finds the proper SSH port either. In fact, across like 7 or so servers that I've changed the SSH port to, none of them get touched afterwards.
Then again the proper way to set it up is to only allow pubkey auth outside your network.
Joseph Torres
Find some dirty info on it and see if you can ransom ware it afterwards
Ethan Ward
>you can easily try every port from 1 to 100000 in parallel
No, (You) can. Let me know if you come up with anything.
Tyler Diaz
Install Gentoo.
Adrian Miller
*1 to 65535
Gabriel Morgan
I got a VPS that's constantly attacked by Chinese IPs. It runs a proxy server that has an ACL for just my ISP and has iptables rules for SSH attacks. The mysql server gets attacked quite often but I disabled root login on that. I also run an email server on it but it hasn't been attacked (yet) and I have no protection.
What else should I do to prevent myself from attacks?
Josiah Taylor
Disable password login or use fail2ban.
Christian Young
Yeah I'm probably going to install fail2ban, I forgot about that
Thomas Rogers
1. Not sure if you have, but run mysql_secure_installation and do the steps required.
2. Require public key authentication only.
3. Change SSH port, it will deter automated scripts from attempting access, one single thing to change that will clear up your logs quite a bit.
4. If you have specific bots trying to access junk on some services look at fail2ban, maybe write custom filter/jails for it.
5. Minor MySQL thing, but only make users for specific databases and only give them control over that DB so as not to lose everything in your instance.
That's some stuff off the top of my head.
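Steps 2 and 3 above, plus the "no root login" advice later in the thread, all live in sshd_config, and it is easy to think passwords are off when they are not. This is an added example (not posted by anyone in the thread) that parses an sshd_config the way sshd does (first value for a keyword wins, anything under a `Match` block is conditional and skipped) and lists which of those settings are still weak. The two configs it checks are constructed samples; the defaults it assumes are the OpenSSH ones (PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password, Port 22, keyboard-interactive auth yes).

```python
"""Audit an sshd_config for the SSH hardening points raised in the thread.

Added example, not from the thread. Configs below are constructed samples.
"""
import re

# OpenSSH defaults (assumed here) for the keywords we care about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "port": "22",
    # Renamed from ChallengeResponseAuthentication in OpenSSH 8.7; both spellings checked.
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value}. sshd keeps the FIRST value it sees for a keyword,
    so later duplicates are ignored; parsing stops at the first Match block
    because settings inside it only apply conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                # keywords are case-insensitive
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means hardened."""
    s = parse_sshd_config(text)

    def get(key):
        return s.get(key, DEFAULTS[key]).lower()

    # Keyboard-interactive (PAM) can still prompt for a password even with
    # PasswordAuthentication off, so the older keyword is honoured as a fallback.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication",
                      DEFAULTS["kbdinteractiveauthentication"])).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': brute-force bots only win against passwords")
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes': turning passwords off would lock you out")
    if get("permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password root login; set 'no' or 'prohibit-password'")
    if get("port") == "22":
        findings.append("Port 22 is the default; another port only cuts scripted-scan noise in the logs")
    return findings


# Constructed sample: what a fresh install often looks like.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the settings the thread recommends. The Match block
# re-enables passwords for one subnet only and must not affect the verdict.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; on a real host also run `sshd -T`, which prints the effective values after all includes and defaults are applied, and compare.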
Nathaniel Edwards
Also, you do not need fail2ban to rate limit, you can do that with iptables by the way.
Jordan Phillips
Oh and setup automated security updates if you haven't already for whatever distribution you're using. Keep the software for your email junk up to date, especially if you have a webmail frontend.
Noah Flores
>Then again the proper way to set it up is to only allow pubkey auth outside your network.
pubkey only, different port, no root login, and fail2ban
Christopher Bell
Thanks for the info
Hunter Rogers
Np mate, good luck.
Gavin Morris
Not him, but you seem knowledgeable, I blocked China's entire IP range in /etc/hosts. Was this retarded? All nuisances seem to come from China.
Jaxon Reyes
nah, they deserve it
russia is another contender
Angel Parker
>tfw russian and websites wont allow you to visit, especially if something can be bought
can't really blame them though
Xavier Sanchez
Turn off passwords over SSH and you can sleep easy.
Watched a guy run a brute force people attack for 40 hours despite having passwords off.
It's sad some of these bots aren't smart enough to give up when they get a key error.
Michael Barnes
>Not him, but you seem knowledgeable
That's the first time anyone's called me that.
Meh, maybe slightly retarded, but unless you're hosting something publicly for others I wouldn't worry about it at all. After all if it's something you're using personally and you don't plan to go to China then don't worry about it.
David Reyes
you should also block them at the firewall level, too
Gavin Walker
Probably pointless. Just use fail2ban if you're really concerned.
You are 100% safe with password logins off. Any computer with passwords on is asking to be owned. There is just no good reason to have that on.
Brayden Brooks
Holy shit I just checked my auth.log and found out that some bot in China has been brute forcing my Raspberry Pi every few minutes for the past week, probably longer. Exactly the same IP every time.
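The auth.log check above is exactly what fail2ban's sshd jail automates: count failed attempts per source address and flag any address that crosses `maxretry` failures inside `findtime` seconds. This added example (not from the thread) does that over a few constructed auth.log lines in the Debian/Raspberry Pi OS syslog format. It also counts the `Disconnected from authenticating user ... [preauth]` lines you get once password auth is off, which is how the "bots that don't give up after a key error" from earlier in the thread show up. The addresses are RFC 5737 documentation ranges, the threshold values are fail2ban's defaults, and the output is a summary to act on (feed to a firewall rule, a fail2ban custom jail, or just to look at), not an automatic block.

```python
"""Spot SSH brute-force sources in auth.log lines (fail2ban-style counting).

Added example, not from the thread. The log lines are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Mar  3 10:01:12 pi sshd[1201]: <message>"  (syslog timestamps carry no year)
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# One pattern per kind of failed attempt. "Disconnected from authenticating user"
# is what sshd logs when a client is refused before ever reaching password auth,
# i.e. the case where passwords are disabled and the bot keeps coming back.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Disconnected from (?:invalid|authenticating) user (?P<user>\S+) (?P<ip>[\d.]+) port \d+ \[preauth\]"),
]


def parse_failures(lines):
    """Return {ip: [(timestamp, username), ...]} for every failed attempt."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900; fine for windowing
        for pat in FAIL_PATTERNS:
            f = pat.search(m.group("msg"))
            if f:
                events[f.group("ip")].append((ts, f.group("user")))
                break
    return events


def find_brute_forcers(lines, maxretry=5, findtime=600):
    """Flag addresses with >= maxretry failures inside any findtime-second window
    (fail2ban's sshd jail defaults: maxretry=5, findtime=600)."""
    flagged = {}
    for ip, evs in parse_failures(lines).items():
        evs.sort()
        for i in range(len(evs) - maxretry + 1):
            span = (evs[i + maxretry - 1][0] - evs[i][0]).total_seconds()
            if span <= findtime:
                flagged[ip] = {
                    "failures": len(evs),
                    "users": sorted({user for _, user in evs}),
                }
                break
    return flagged


# Constructed sample: one persistent bot (203.0.113.5), one stray failure
# (192.0.2.9) and one legitimate key login (198.51.100.7).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 pi sshd[1201]: Failed password for invalid user pi from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 pi sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 pi sshd[1205]: Invalid user admin from 203.0.113.5 port 51250
Mar  3 10:02:00 pi sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:30 pi sshd[1212]: Disconnected from authenticating user root 203.0.113.5 port 51300 [preauth]
Mar  3 10:02:45 pi sshd[1214]: Failed password for invalid user pi from 203.0.113.5 port 51310 ssh2
Mar  3 10:05:00 pi sshd[1220]: Failed password for root from 192.0.2.9 port 33000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {', '.join(info['users'])}")
```

On a real box run it over `/var/log/auth.log` (or `journalctl -u ssh -o short`, whose timestamp format is the same); the usernames list is the interesting part, since the "pi", "root", "admin" pattern from the start of the thread tells you these are default-credential sweeps rather than anyone targeting you specifically.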
John Hill
yup, get a firewall solution and block them there
Henry Johnson
fail2ban a i l 2 b a n
Jack King
I used to get up to ten bots going over a list of usernames on my server before I installed knockd. Unless you're curious as to how bots work these days go and set that up.
Wyatt Mitchell
No scanning for available NAS to delete things from? No scanning for other hosts in general? No searching for ssn.txt?