By coincidence I looked at my server's SSH log (/var/log/auth.log) and noticed that someone is constantly trying to gain access:
Sep 7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.42 user=root
Sep 7 13:03:48 virt01 sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2
Sep 7 13:03:52 virt01 sshd[14674]: message repeated 2 times: [ Failed password for root from 116.31.116.42 port 13423 ssh2]
Sep 7 13:03:52 virt01 sshd[14674]: Received disconnect from 116.31.116.42: 11: [preauth]
This happens a few times every minute, and has been going on for a long time without me knowing about it.
Question: Should I be concerned about this, and if so, what should I do about it?
Unfortunately, this is absolutely normal and something every SSH server experiences. Welcome to the internet.
As long as you properly secure your server (e.g. keep it updated, allow only key-based login, disable root SSH access), this shouldn't be a problem, but you can limit this even further with something like fail2ban and other approaches like IP whitelisting, changing ports and stuff like that, where possible and appropriate.

Disable root logins. Add this to /etc/ssh/sshd_config:

Just let them hammer away at root all they want. They'll never get in that way then.
In addition to securing the server as Sven points out, one of the best things to do (especially if ssh is there just for you, the admin) is just to change the sshd port away from the default 22. Not only is it simple (especially when you put the new port in your ~/.ssh/config so you don't have to type it every time) and it will stop 99% of those automated scans so you won't even see them, but it will also help somewhat even if some 0-day ssh vulnerability is discovered, to give you more time, or if your key is leaked, etc.

This is pretty normal behavior. I get several thousand of those each day, and I assume even that is minuscule compared to what large companies face.
But do you need to worry? Do you have fail2ban? If yes, then you don't need to worry. Those attacks are usually dictionary-based attacks on common unix user names. For example, I frequently see those "users" try to log in:

I really recommend installing fail2ban, as it will rate-limit any user trying to log in based on their IP; that alone should filter out most of the malicious traffic. Contrary to what others say, I am not a proponent of IP-based blocking. That seems like a very coarse solution to a very fine problem. Also, those attackers usually control multiple IPs, so even if you block several (or even several IP blocks), there is no guarantee you'll block them all. Fail2ban, however, is very flexible for those scenarios.