Is someone trying to "hack" me?
I just logged into my server and got this message
Last failed login: Thu Apr 25 15:28:21 UTC 2019 from static-bband-27.87-197-168.telecom.sk on ssh:notty
There were 20 failed login attempts since the last successful login.
Last login: Thu Apr 25 13:39:09 2019
What is the meaning of this and should I be worried?
Footnote: I tried earlier today maybe around 11am to add a free temporary domain to my server from this site http://www.dot.tk/en/index.html?lang=en
It wasn't successful and I stopped my attempt quickly as I was at work.
Probably, but not you personally I don't think…
People "out there" run scripts to scan the IP address space and try to log in using some "well known" user names - root, admin, PHPAdmin, mysql, wordpress, etc.
Or not "people" - rather, bots. People's machines get infected with malware, and this malware can also perform ssh scans.
One thing I would recommend is installing fail2ban - to automatically block (temporarily) those attempts as they happen.
Another, for peace of mind, is to completely disable password-based authentication in sshd and switch completely to ssh key based authentication.
You wouldn't see that message for creating a DNS record, as that wouldn't be done from inside the Linode itself. DNS records are to point domains to a server.
If you haven't attempted to access your Linode directly, and if there's no one else that should have access to your Linode, then yes: an unauthorized person is trying to access your Linode.
This is more common than you may be aware of. I'd recommend both checking your Linode for evidence of possible access and securing your Linode to strengthen it against any future attacks.
To review who was trying to access your Linode, you can review these logs & directories:
- /var/log/auth.log: Check this log file for signs of unauthorized access and brute-force attempts. Use the last command to cross reference recent account logins with this file.
- /tmp: This directory is often used by malicious parties to store files
- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
- ps aux: Use this command to audit running processes for foreign processes.
These guides will assist you in hardening access to your Linode, making it harder to penetrate during future hacking attempts:
- Secure Your Server: This guide will walk you through some fairly basic steps that you can take to make your Linode more secure.
- Fail2Ban: This is included in the Securing Your Server Guide, but for good measure, I wanted to share our more extensive guide on this tool.
If you haven't done so yet, I would recommend you set up a firewall:
- UFW (Uncomplicated FireWall): This is a service that makes it easier to configure iptables, making it more straightforward to configure and enable.
- iptables: This guide will give you what you need to really dig in and set up a firewall if you have more complicated configurations than UFW is able to provide.
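As an added example (not code from any of the posts above), here is a small Python script that does the auth.log review this answer describes: it tallies failed SSH logins per source IP and per attempted username, and flags any accepted login that came from an address which had also been failing, which is exactly the kind of entry you would then cross-check against the output of `last`. The log lines are constructed sample data using documentation IP ranges, not entries from the original poster's server.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not from the original post).
SAMPLE_AUTH_LOG = """\
Apr 25 15:28:10 linode sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Apr 25 15:28:13 linode sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Apr 25 15:28:17 linode sshd[2105]: Failed password for invalid user wordpress from 203.0.113.45 port 51041 ssh2
Apr 25 15:28:21 linode sshd[2107]: Failed password for root from 198.51.100.7 port 40011 ssh2
Apr 25 15:28:24 linode sshd[2108]: Failed password for root from 198.51.100.7 port 40015 ssh2
Apr 25 15:30:02 linode sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 60012 ssh2: ED25519 SHA256:AAAA
Apr 25 15:31:40 linode sshd[2115]: Accepted password for root from 198.51.100.7 port 40100 ssh2
Apr 25 15:32:00 linode CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# sshd logs "invalid user" for names that do not exist on the box; both forms count.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_auth_log(text):
    """Return (failures_by_ip, failures_by_user, suspicious_logins).

    suspicious_logins holds (method, user, ip) for every accepted login from an
    IP that also produced failed attempts: a brute-force that eventually got in.
    """
    by_ip, by_user, accepted = Counter(), Counter(), []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip] += 1
            by_user[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
    suspicious = [entry for entry in accepted if entry[2] in by_ip]
    return by_ip, by_user, suspicious


if __name__ == "__main__":
    # On a real server, replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read()
    by_ip, by_user, suspicious = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("Failed attempts by source IP:", by_ip.most_common())
    print("Failed attempts by username:", by_user.most_common())
    print("Accepted logins from IPs that were also failing:", suspicious)
```

An empty last list is the outcome you want; a non-empty one means a password guess succeeded and the host should be treated as compromised until proven otherwise.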
Thanks for the answers guys. There is a lot to learn in this domain. I am usually more involved with code.
I will definitely check out the material and try to apply it.
However, I think it has some connection to that domain site. It was the only time I made my IP public to someone and 2 hours later I face an attack. Plus this server was only up for 2 days.
A few months ago, I set up a new VPS (another provider, not Linode.) From getting the confirmation email that it was online, and logging in for the first time (about 20 mins later) there had been 150+ failed logins.
The IPv4 space is small enough that it’s not out of realms for large bot nets to quickly scan for open SSH servers (on port 22) and try to brute force a login.
Bottom line: configure a firewall (best option) and limit SSH to your ISP's address - you can easily update this via Lish when it changes. My home IP changes every 4 weeks or so. Also look into using SSH keys and disable password authentication in SSH.
configure a firewall (best option) and limit SSH to your ISP's address
I second that! It is the most secure way to ensure that nobody outside your home/office network can login via SSH. I would also add port 587 to that list if you're running a mail server :-)
LISH isn't your only option when your IP changes, though. I use a script on my custom, password protected backend served up by my web server on a hard-to-guess subdomain I set up outside of DNS (using hosts file on my own computers) and a self-signed certificate.