As many of you have probably noticed...

As many of you have probably noticed, when you attach an ssh server to the internet on port 22 you almost instantly start getting attacked by bots.

As far as I can tell they'll go after default logins. One I see a lot is for the user "pi".

What the hell are the people running this stuff trying to achieve?

Has anyone found out anything interesting from setting up a honeypot?

Pi is Kodi for the Raspberry Pi, which you can SSH into.

Who connects a fucking Raspberry Pi to the internet directly with a dedicated IP address?

Stupid people... and then they get pwned instantly, apparently.

Who uses port 22?

Changing ports doesn't actually do anything.

Pretty sure you can just nmap anyway.

What can I do if I ssh into a server as root and want to do as much damage as possible?

It does a lot in terms of those automatic scans. Even throwing port 22 requests out there is already quite intensive when you try to map the internet; forget about nmapping every device.

rm -R / --no-preserve-root

Doesn't get easier than that.

You'd have to script for thousands of ports. Hackers aren't stupid; they're lazy and looking for easy targets.

You can easily try every port from 1 to 100000 in parallel.

That would take 100,000 times more computational work.

Or you can try devices 1 to 100000 in parallel.

It deters those that just use a script. No, there aren't that many that use a script that finds the proper SSH port either. In fact, across like 7 or so servers that I've changed the SSH port on, none of them get touched afterwards.

Then again the proper way to set it up is to only allow pubkey auth outside your network.

Find some dirty info on it and see if you can ransomware it afterwards.

>you can easily try every port from 1 to 100000 in parallel
No, (You) can. Let me know if you come up with anything.

Install Gentoo.

*1 to 65535

I got a VPS that's constantly attacked by Chinese IPs. It runs a proxy server that has an ACL for just my ISP and has iptables rules for SSH attacks. The MySQL server gets attacked quite often, but I disabled root login on that.
I also run an email server on it, but it hasn't been attacked (yet) and I have no protection.

What else should I do to prevent myself from attacks?

Disable password login or use fail2ban.

Yeah, I'm probably going to install fail2ban. I forgot about that.

1. Not sure if you have, but run mysql_secure_installation and do the steps required.
2. Require public key authentication only.
3. Change the SSH port; it will deter automated scripts from attempting access, and it is one single thing to change that will clear up your logs quite a bit.
4. If you have specific bots trying to access junk on some services, look at fail2ban, maybe write custom filters/jails for it.
5. Minor MySQL thing, but only make users for specific databases and only give them control over that DB, so as not to lose everything in your instance.

That's some stuff off the top of my head.

Also, you do not need fail2ban to rate limit; you can do that with iptables, by the way.

Oh, and set up automated security updates if you haven't already for whatever distribution you're using. Keep the software for your email junk up to date, especially if you have a webmail frontend.

>Then again the proper way to set it up is to only allow pubkey auth outside your network.

Pubkey only, different port, no root login, and fail2ban.
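An added example, not from any poster in this thread: a small Python audit of an sshd_config against the list above (pubkey only, no root login, non-default port). It honours sshd's first-value-wins rule, which is what makes a stray drop-in line dangerous. The two config texts are constructed; the Match block in the hardened one illustrates the earlier point about allowing passwords only inside your own network.

```python
import re

# Compiled-in sshd defaults for the keywords at issue (OpenSSH 7.0 and later).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes"}
# The thread's target: pubkey only, no root login, and a non-default port.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no",
          "pubkeyauthentication": "yes"}

def effective_settings(text):
    """Global settings as sshd resolves them: sshd keeps the FIRST value it reads for
    a keyword and ignores later duplicates, so a drop-in pulled in near the top silently
    beats a hardened line further down.  Keywords are case-insensitive; lines after the
    first 'Match' are conditional and skipped, and Include'd files are not read here."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.match(r"([^\s=]+)\s*=?\s*(.*)", line).groups()
        key = key.lower()
        if key == "match":
            break
        found.setdefault(key, value.strip().lower())   # first value wins
    return {**DEFAULTS, **found}

def audit(text):
    """Return (keyword, effective value, wanted value) for each setting off target."""
    s = effective_settings(text)
    findings = [(k, s[k], w) for k, w in WANTED.items() if s[k] != w]
    if s["port"] == "22":
        findings.append(("port", "22", "non-default"))
    return findings

# Constructed weak config: a stray "PasswordAuthentication yes" sits above the hardened line, so the hardened line is dead.
WEAK = """\
PasswordAuthentication yes
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""
# Constructed hardened config; the Match block allows passwords only from the LAN and is evaluated separately.
HARDENED = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

Running it against a real file is just `audit(open("/etc/ssh/sshd_config").read())`; for the full picture on a modern distribution you would also feed it the drop-ins under sshd_config.d, since the audit does not follow Include lines itself.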

Thanks for the info

Np mate, good luck.

Not him, but you seem knowledgeable. I blocked China's entire IP range in /etc/hosts. Was this retarded? All nuisances seem to come from China.

Nah, they deserve it.

Russia is another contender.

>tfw Russian and websites won't allow you to visit, especially if something can be bought

Can't really blame them, though.

Turn off passwords over SSH and you can sleep easy.

Watched a guy run a brute force attack for 40 hours despite having passwords off.

It's sad some of these bots aren't smart enough to give up when they get a key error.

>Not him, but you seem knowledgeable
That's the first time anyone's called me that.

Meh, maybe slightly retarded, but unless you're hosting something publicly for others I wouldn't worry about it at all. After all, if it's something you're using personally and you don't plan to go to China, then don't worry about it.

You should block them at the firewall level, too.

Probably pointless. Just use fail2ban if you're really concerned.

You are 100% safe with password logins off. Any computer with passwords on is asking to be owned. There is just no good reason to have that on.

Holy shit I just checked my auth.log and found out that some bot in China has been brute forcing my Raspberry Pi every few minutes for the past week, probably longer. Exactly the same IP every time.
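An added example, not from any poster: a fail2ban-style check in Python over constructed auth.log lines (TEST-NET addresses), for the situation described above and earlier in the thread where a bot keeps hammering a host even though passwords are already off. maxretry and findtime carry fail2ban's meaning; the regexes cover the OpenSSH message formats that appear in the sample, and the year is assumed because syslog lines do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines OpenSSH writes for a failed attempt.  With PasswordAuthentication off a bot
# never produces "Failed password"; it only leaves "[preauth]" disconnects, so a
# filter that greps for "Failed password" alone under-counts what L93-style bots do.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"Connection closed by (?:invalid|authenticating) user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"),
]
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def failed_attempts(lines, year=2024):
    """Yield (time, ip, user) for each line matching a failure pattern (syslog has no year)."""
    for line in lines:
        m = SYSLOG_TS.match(line)
        hit = next((h for h in (p.search(line) for p in FAIL_PATTERNS) if h), None)
        if m and hit:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, hit["ip"], hit["user"]

def brute_forcers(lines, maxretry=5, findtime=600):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any findtime-second
    window; each matching line counts as one retry.  Returns {ip: usernames it tried}."""
    recent, tried, flagged = defaultdict(deque), defaultdict(set), set()
    for ts, ip, user in failed_attempts(lines):
        tried[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(ip)
    return {ip: sorted(tried[ip]) for ip in flagged}

# Constructed sample auth.log (TEST-NET addresses): the host already has passwords off,
# so the bot at 203.0.113.7 only shows up as preauth disconnects, still trying "pi".
LOG = """\
Mar 13 02:14:01 pi sshd[1182]: Connection closed by invalid user pi 203.0.113.7 port 51234 [preauth]
Mar 13 02:14:05 pi sshd[1184]: Connection closed by authenticating user root 203.0.113.7 port 51240 [preauth]
Mar 13 02:14:09 pi sshd[1186]: Connection closed by invalid user admin 203.0.113.7 port 51250 [preauth]
Mar 13 02:14:13 pi sshd[1188]: Connection closed by invalid user pi 203.0.113.7 port 51260 [preauth]
Mar 13 02:14:18 pi sshd[1190]: Connection closed by invalid user ubuntu 203.0.113.7 port 51270 [preauth]
Mar 13 02:15:01 pi sshd[1201]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2: ED25519 SHA256:constructed
Mar 13 02:16:30 pi sshd[1210]: Invalid user pi from 198.51.100.9 port 33000
"""
```

On a live box, `brute_forcers(open("/var/log/auth.log"))` gives the same answer a fail2ban sshd jail with those maxretry/findtime values would act on, which is a quick way to sanity-check a jail before trusting it.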

Yup, get a firewall solution and block them there.

fail2ban
a
i
l
2
b
a
n

I used to get up to ten bots going over a list of usernames on my server before I installed knockd. Unless you're curious as to how bots work these days, go and set that up.

No scanning for available NAS to delete things from? No scanning for other hosts in general? No searching for ssn.txt?

This