The fucking chinese want to break into my server

>the fucking chinese want to break into my server
why


> Not blocking all IPs except for a specific range

It's like you enjoy having that fermented rice smelling dick up close to your face, user.
You enjoy the attention, don't you? The idea of fat chinese men touching your most intimate files...

>tfw have to range ban China and Russia in order to keep server from crashing

I actually have some users there I need, so rangeban is not an option

Then rangeban them from connecting on the SSH port.
Unless you have random users in china that need to connect to SSH... in which case, why?

because you might be storing sensitive information there.

because your IP address probably isn't blocked by other servers

because you can act as a higher capacity node to participate in DDoS attacks.

if you don't understand these things, you shouldn't be running a server. you're honestly too stupid for this.

You are using keys only right?

I don't give a shit about all the Russians knocking on the door.

No, login is user:root password:password123456

>use SSH keys only
>stop giving a shit

Sep 10 06:54:13 localhost sshd[31083]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:54:33 localhost sshd[31085]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:54:58 localhost sshd[31088]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:34 localhost sshd[31090]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:40 localhost sshd[31092]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:15 localhost sshd[31095]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:56:47 localhost sshd[31098]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:53 localhost sshd[31100]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:32 localhost sshd[31102]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:53 localhost sshd[31105]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:58:16 localhost sshd[31107]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:58:51 localhost sshd[31110]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:59:00 localhost sshd[31112]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:59:36 localhost sshd[31114]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:07 localhost sshd[31117]: Connection closed by 106.15.194.11 [preauth]
Sep 10 07:00:18 localhost sshd[31119]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:56 localhost sshd[31122]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:01:00 localhost sshd[31124]: Did not receive identification string from 13.81.217.61

>_

botnet

Well you shouldn't have talked shit about them.

I'm starting to consider moving ports because it makes so much fucking log noise.

Learn to use grep?

I have an entire fucking bash/sed script dedicated to cleaning up sshd logs, but it makes a dedicated attacker indistinguishable from ssh knocking botnets that just hit every 22. Also another one that counts the number of hits per username.
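An added example, not a script from the thread: a small Python cleanup of the kind described above, run over the sshd lines posted earlier plus a few constructed password-guessing lines (203.0.113.7, 198.51.100.20, the user names and the key fingerprint are made up). It splits pre-auth scanner noise (no key exchange, no identification string, connection closed before auth) from sources that actually reached the password prompt, and counts hits per username.

```python
import re
from collections import Counter

# The first 18 lines are the sshd lines posted in the thread; the last five are constructed
# for this example (203.0.113.7, 198.51.100.20, the users and the fingerprint are invented).
SAMPLE_LOG = """\
Sep 10 06:54:13 localhost sshd[31083]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:54:33 localhost sshd[31085]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:54:58 localhost sshd[31088]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:34 localhost sshd[31090]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:40 localhost sshd[31092]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:15 localhost sshd[31095]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:56:47 localhost sshd[31098]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:53 localhost sshd[31100]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:32 localhost sshd[31102]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:53 localhost sshd[31105]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:58:16 localhost sshd[31107]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:58:51 localhost sshd[31110]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:59:00 localhost sshd[31112]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:59:36 localhost sshd[31114]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:07 localhost sshd[31117]: Connection closed by 106.15.194.11 [preauth]
Sep 10 07:00:18 localhost sshd[31119]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:56 localhost sshd[31122]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:01:00 localhost sshd[31124]: Did not receive identification string from 13.81.217.61
Sep 10 07:02:11 localhost sshd[31130]: Invalid user admin from 203.0.113.7
Sep 10 07:02:13 localhost sshd[31130]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Sep 10 07:02:20 localhost sshd[31133]: Failed password for root from 203.0.113.7 port 41030 ssh2
Sep 10 07:02:25 localhost sshd[31135]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Sep 10 07:03:01 localhost sshd[31140]: Accepted publickey for alice from 198.51.100.20 port 50122 ssh2: ED25519 SHA256:c0nstructedFingerprint0000000000000000000000
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "failed":   re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IP),
    "invalid":  re.compile(r"Invalid user (\S+) from " + IP),
    "closed":   re.compile(r"Connection closed by " + IP + r" \[preauth\]"),
    "no_ident": re.compile(r"Did not receive identification string from " + IP),
    "no_kex":   re.compile(r"Unable to negotiate a key exchange method"),
    "accepted": re.compile(r"Accepted (\w+) for (\S+) from " + IP),
}


def summarize(lines):
    """Bucket sshd lines into password failures, pre-auth scanner noise and real logins."""
    s = {
        "failed_by_ip": Counter(), "failed_by_user": Counter(), "invalid_users": Counter(),
        "preauth_noise_by_ip": Counter(), "no_kex": 0, "accepted": [], "unparsed": [],
    }
    for line in lines:
        if m := PATTERNS["failed"].search(line):
            user, ip = m.groups()
            s["failed_by_ip"][ip] += 1
            s["failed_by_user"][user] += 1
        elif m := PATTERNS["invalid"].search(line):
            s["invalid_users"][m.group(1)] += 1
        elif (m := PATTERNS["closed"].search(line)) or (m := PATTERNS["no_ident"].search(line)):
            s["preauth_noise_by_ip"][m.group(1)] += 1
        elif PATTERNS["no_kex"].search(line):
            s["no_kex"] += 1  # this message carries no source address, so it can only be counted
        elif m := PATTERNS["accepted"].search(line):
            method, user, ip = m.groups()
            s["accepted"].append((user, ip, method))
        elif line.strip():
            s["unparsed"].append(line)  # anything unknown is kept, not silently dropped
    return s


def guessing_sources(summary, threshold=3):
    """Addresses that reached the password prompt at least `threshold` times."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("password failures per IP:  ", dict(s["failed_by_ip"]))
    print("password failures per user:", dict(s["failed_by_user"]))
    print("pre-auth noise per IP:     ", dict(s["preauth_noise_by_ip"]))
    print("no key exchange agreed:    ", s["no_kex"])
    print("accepted logins:           ", s["accepted"])
    print("guessing sources:          ", guessing_sources(s))
```

The split matters for the complaint above: a host that drops the connection at `[preauth]` eleven times never offered a password, so it belongs in the noise bucket, while the one address with repeated `Failed password` lines is the only one worth feeding to fail2ban or a firewall rule.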

Block all chinese, russian, indian, pakistan IP ranges.
Use port knocking

A dedicated attacker IS indistinguishable from casual attackers.

I think you have a poor understanding of just how unbreakable keys are.

Can someone explain this thread in a sentence? I don't understand what's going on but I hate chinese people so I'm curious

Casual attackers rarely knock ports besides default ports. I know how public key cryptography works, it's just an annoyance to think some attempts could not be bots/skids.

How do you know it's the Chinese attempting to "hack"?

Chinese people have liberal (shitty) laws so the world gets annoyed by pesky fuckers trying to break into servers.

Tbqh I bet google has spent like 4 months just developing a script to be safe from them.

IP Range

It does not matter who is trying to break in, what matters is this:

use pubkey auth or fail2ban
can't you just call in DoS attacks on the offending IP ranges or use zipbombs?
blog.haschek.at/post/f2fda
If you have a VPN you can do this:
nc -u < /dev/zero
Make sure compression is enabled and that your VPN isn't speed limited.

Chinese IP range doesn't necessarily mean the hack attempts are coming from China.
Just sayin.

Additionally, I nmapped the server and literally no port is open, so I guess it is some dedicated machine sitting in someone's basement

>mfw I scan huge IP ranges at a time for all kinds of things
>I've probably ended up in someone's logs that posts here
you'd be surprised just how many bakas leave their machines poorly secured or not secured at all
Or maybe you wouldn't?
meh
also IOT is cancer

It's probably a hacked server

chinese take from their family

you think they wont take from the rich western they never have to meet?

they dont have laws to protect you from stuff like this.
its not enforced.

Yeah, could very well be either

Well shit, now I'll never unsee this you bastard

>looking up ip range of China so I can block it
>first result is stack overflow question asking for the ip range
>"best answer" is "you shouldn't range ban China because they aren't all spambots."
Fuck stack overflow.

banning all of china and the middle east is considered controversial only by non technical people

you have to put the motion aside to understand they produce most of the phones and their government owns all source to every project

their gov also spies on citizens which isn't illegal because they don't have civil laws to protect the people

configure pam to block after 3 failed login attempts
problem solved

what are you 12?

Well, on what should you rangeban china?
You want people visiting your services out of china because it is a new market, but you do not want them in your ssh logs and trying to break into your server

You can block them from p22 but not p80, or configure your fucking ssh server properly

im talking about even doing this on your home router

I'm pretty sure DoSing someone is still illegal even if they attacked your server first. Clearly we need a law for server self defence.

>violating the NAP

>implying there are international laws that apply to the chinese or russians

>his country has functioning police
I don't even think it's illegal here, UDP floods might be but sending zipbombs isn't.

How the fuck would you send a zipbomb to a closed machine trying to ssh into you

SSH supports gzip compression. Just send nulls and hope they decompress into memory. Or you can use a VPN with compression enabled and send NULL to a UDP port on the server if they don't limit your speed
>get chink ip list
>run modified dropbear that accepts all auth attempts and just sends null characters until connection is closed
>listen it on port x (not 22)
>use iptables to forward all chinese connections for p22 to this port instead of p22

>start torrent
>stop torrent
>internet slows to a crawl
>router CPU at 80% due to iptables having to drop a shitload of intrusion attempts

this shit
Running masscan 24/7 just to find unsecured routers and IP cameras

run in it on a different port you retarded subhuman

It already is on a port greater than 10k nigger

I still have my iptables configuration saved that rangebans whole China.

>he voluntarily introduced a security risk for the sake of blocking harmless scanners
(rofl)(thumbsup)

The offending machines belong to innocent retards who got botnetted you faggot.

You either crash the scanner (good) or the machine (also good)

Here's what I do:
>pubkey auth only
>nonstandard port (not 22)
>config file in ~/.ssh so I don't have to remember what port it is (or the user account, or the full domain)
>fail2ban
Works like a charm.

>what is a botnet

>not setting up an elaborate reverse proxy system

>Unless you have random users in china that needs to connect to SSH... in which case, why?
The way we do tech support is that we let the users SSH into the server and create a text file with info about the issue they are having. Some people are overstepping their bounds though.

>sticking ssh on a high port
>security risk
Nigger what?

>way we do tech support is that we let users SSH into the server and create text file info about the issue
WAT

I mean "create a text file with information about the issue they are having."

have you heard about email?

Oh... Well... Now we have this system in place and it's what the customers expect.

Besides ssh, should I be worried about http or even mysql ports?

I'm "WAT'ing" about the way you do support. WTF is this system. Why anyone even thought this is a good idea...

...

Then you should have a separate container they ssh into for that which only supports creating text files, and a separate sshd for actual administration.

...

Ports over 1024 are non-privileged ports, meaning any user can start processes to listen on them.
Processes listening on ports below 1024 require root to do so.

What that means is that every time sshd isn't listening on its designated port over 1024, for example during a reboot if its startup time is misconfigured or during a regular system upgrade when sshd is restarted, a malicious user/application pretending to be sshd can start listening on said port.
The malicious application may function just like the regular sshd, but log everything you do, revealing passwords, keyfiles etc.

The best security practice would be simply leaving sshd on its default (or any privileged) port and using port knocking which can be done on any port, even above 1024.

Get email
Fix your shit

>The way we do tech support is that we let the users SSH into the server and create a text file

pls b b8

like trading a message in a bottle with your asshole

Wouldn't that mess up the customer's root access?

Everyone thought it was a great idea at the time.

>Wouldn't that mess up the customer's root access?

...

> customer's root access
No.

It would be a thousand times easier to have a website with a form that when a customer submits, it creates the text file for you.

> I actually have some users there I need, so rangeban is not an option
# INPUT, not PREROUTING: the filter table has no PREROUTING chain. ALLOWED_IP_OR_CIDR is a placeholder (the address was stripped from the original post).
# -A keeps this order; with -I the DROP would be inserted above the ACCEPT and block everyone, including the allowed source.
iptables -A INPUT -s ALLOWED_IP_OR_CIDR -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
Those who match allowed IP will be handled by ACCEPT directives, others get DROP.

> Google "freeshell" :>

>reelect Trump campaign.

How do you format text on Sup Forums to make it look like computer code?

you need a Sup Forums gold account

can someone provide ip ranges of russia, china and other shitholes I don't want to connect to my server?

geoip is what you're looking for

thanks for this thread reminding me to rangeban all shithole countries from my server

There should be a phone app that gives your server your replication so it can update ssh whitelists to your geolocation.

Just change your port from the default

How do I deactivate normal login and only use keys?

>geoip is what you're looking for
thx user

>thanks for this thread reminding me to rangeban all shithole countries from my server
will rangeban too

# RSAAuthentication is a protocol-1-only option; modern OpenSSH ignores it with a deprecation warning, so it can be dropped.
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
# Added: keyboard-interactive (PAM) prompts also take passwords, so switch them off as well (spelled KbdInteractiveAuthentication on OpenSSH 8.7 and later).
ChallengeResponseAuthentication no
PermitRootLogin no
# "username" is a placeholder for the one account allowed to log in; all other accounts are refused.
AllowUsers username

Paste desired pubkeys into ~/.ssh/authorized_keys of the specific user.

...

[ code ] code [ /code ]

Disable password login, use a long RSA key.

Then they stand no chance.

You don't need to bother about their failed attempts then.

How did you get it to immediately terminate them?

My system still gives them the password prompt. It will never accept a password because I set
PasswordAuthentication no
though.

Well, at least they'll realize that something is wrong then.

You're not serious, right?

Like this?
ssh [email protected]
echo 'china nuke OP ver big' > /etc/bash.bashrc

Read the sticky guy

Ty user.

what the fuck

what the fuck
who thought this was a good idea? have they never heard of email?

1. Change the default port to something over 1000
2. Enable public-key authentication only
3. Install fail2ban (optional)
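An added example, not code from the thread, that checks an sshd_config against the keys-only recipe posted earlier (PubkeyAuthentication / PasswordAuthentication no / PermitRootLogin no / AllowUsers) and step 2 of this list. It parses the global section the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, everything after a `Match` line is conditional) and reports the settings that would still let a password-guessing bot get a prompt, including the keyboard-interactive/PAM path that `PasswordAuthentication no` alone does not close. Both config fragments are constructed for the example.

```python
import re

# Constructed sshd_config fragments for this example. WEAK looks like a stock config that
# still takes passwords; HARDENED is the thread's recipe plus the keyboard-interactive switch.
WEAK_CONFIG = """\
# stock-looking config (constructed)
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers username
# a later duplicate is ignored by sshd: the first value wins
PasswordAuthentication yes
"""

# sshd accepts "Keyword value" and "Keyword=value"
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global(text):
    """Return {keyword_lowercase: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd treats only whole-line '#' as a comment
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # settings below a Match line apply conditionally; audit the global defaults only
        settings.setdefault(key, value)
    return settings


def setting(cfg, key, default):
    """Look up a keyword with its OpenSSH default when absent (defaults are lower-case)."""
    return cfg.get(key, default).lower()


def audit(text):
    """List the settings that still leave a password path open for a brute-force bot."""
    cfg = parse_global(text)
    findings = []
    if setting(cfg, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes): passwords are still accepted")
    if setting(cfg, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-only login is impossible")
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is kept as an alias.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append("keyboard-interactive auth is enabled: PAM can still prompt for a password")
    if setting(cfg, "permitrootlogin", "prohibit-password") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password login for root")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid login target")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK_CONFIG), ("HARDENED", HARDENED_CONFIG)):
        print(name, audit(text) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; an empty list means the password path is closed. It deliberately says nothing about the port: moving sshd above 1024 is argued both ways in this thread, and it does nothing against a bot that scans every port anyway.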

wow, so hard

>who thought this was a good idea? have they never heard of email?
Yeah, we heard of email. It just sounded a bit unsafe from a security perspective.

Set up a mailing list genius