I'm under attack. What should I do?


er1cw
Oct 24th 2006, 11:27 pm
Some data was lost on my server yesterday and I found this in my log file. Shockingly, I found 3 IPs trying to get into my server via SSH.

Oct 22 02:54:28 89 webmin[27329]: Logout by username from my.ip
Oct 22 02:54:35 89 webmin[27332]: Successful login as username from my.ip
Oct 22 05:12:21 89 sshd[26100]: Received signal 15; terminating.
Oct 22 11:15:29 89 sshd[2059]: Server listening on :: port 22.
Oct 22 11:15:29 89 sshd[2059]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 22 11:15:34 89 webmin[2197]: Webmin starting
Oct 22 11:20:02 89 webmin[2621]: Logout by username from my.ip
Oct 22 12:30:09 89 webmin[2816]: Successful login as username from my.ip
Oct 22 18:58:17 89 webmin[3195]: Successful login as username from my.ip
Oct 24 12:23:38 89 sshd[4612]: Did not receive identification string from ::ffff:60.248.81.124
Oct 24 14:12:47 89 sshd[4634]: Invalid user staff from ::ffff:60.248.81.124
Oct 24 14:12:50 89 sshd[4634]: Failed password for invalid user staff from ::ffff:60.248.81.124 port 35235 ssh2
Oct 24 14:12:54 89 sshd[4636]: Invalid user sales from ::ffff:60.248.81.124
Oct 24 14:12:57 89 sshd[4636]: Failed password for invalid user sales from ::ffff:60.248.81.124 port 35385 ssh2
Oct 24 14:13:00 89 sshd[4638]: Invalid user recruit from ::ffff:60.248.81.124
Oct 24 14:13:02 89 sshd[4638]: Failed password for invalid user recruit from ::ffff:60.248.81.124 port 35536 ssh2
Oct 24 14:13:05 89 sshd[4640]: Invalid user alias from ::ffff:60.248.81.124
Oct 24 14:13:08 89 sshd[4640]: Failed password for invalid user alias from ::ffff:60.248.81.124 port 35680 ssh2
Oct 24 14:13:11 89 sshd[4642]: Invalid user office from ::ffff:60.248.81.124
Oct 24 14:13:14 89 sshd[4642]: Failed password for invalid user office from ::ffff:60.248.81.124 port 35831 ssh2
Oct 24 14:13:18 89 sshd[4644]: Invalid user samba from ::ffff:60.248.81.124
Oct 24 14:13:20 89 sshd[4644]: Failed password for invalid user samba from ::ffff:60.248.81.124 port 35989 ssh2
Oct 24 14:13:24 89 sshd[4646]: Invalid user tomcat from ::ffff:60.248.81.124
Oct 24 14:13:27 89 sshd[4646]: Failed password for invalid user tomcat from ::ffff:60.248.81.124 port 36131 ssh2
Oct 24 14:13:30 89 sshd[4648]: Invalid user webadmin from ::ffff:60.248.81.124
Oct 24 14:13:32 89 sshd[4648]: Failed password for invalid user webadmin from ::ffff:60.248.81.124 port 36273 ssh2
Oct 24 14:13:37 89 sshd[4650]: Invalid user spam from ::ffff:60.248.81.124
Oct 24 14:13:39 89 sshd[4650]: Failed password for invalid user spam from ::ffff:60.248.81.124 port 36426 ssh2
Oct 24 14:13:43 89 sshd[4652]: Invalid user virus from ::ffff:60.248.81.124
Oct 24 14:13:46 89 sshd[4652]: Failed password for invalid user virus from ::ffff:60.248.81.124 port 36564 ssh2
Oct 24 14:13:49 89 sshd[4654]: Invalid user cyrus from ::ffff:60.248.81.124
Oct 24 14:13:52 89 sshd[4654]: Failed password for invalid user cyrus from ::ffff:60.248.81.124 port 36718 ssh2
Oct 24 14:13:56 89 sshd[4656]: Invalid user oracle from ::ffff:60.248.81.124
Oct 24 14:13:58 89 sshd[4656]: Failed password for invalid user oracle from ::ffff:60.248.81.124 port 36875 ssh2
Oct 24 14:14:03 89 sshd[4658]: Invalid user michael from ::ffff:60.248.81.124
Oct 24 14:14:05 89 sshd[4658]: Failed password for invalid user michael from ::ffff:60.248.81.124 port 37022 ssh2
Oct 24 14:14:13 89 sshd[4660]: Failed password for ftp from ::ffff:60.248.81.124 port 37165 ssh2
Oct 24 14:14:16 89 sshd[4662]: Invalid user test from ::ffff:60.248.81.124
Oct 24 14:14:18 89 sshd[4662]: Failed password for invalid user test from ::ffff:60.248.81.124 port 37303 ssh2
Oct 24 14:14:22 89 sshd[4664]: Invalid user webmaster from ::ffff:60.248.81.124
Oct 24 14:14:25 89 sshd[4664]: Failed password for invalid user webmaster from ::ffff:60.248.81.124 port 37472 ssh2
Oct 24 14:14:28 89 sshd[4666]: Invalid user postmaster from ::ffff:60.248.81.124
Oct 24 14:14:30 89 sshd[4666]: Failed password for invalid user postmaster from ::ffff:60.248.81.124 port 37624 ssh2
Oct 24 14:14:33 89 sshd[4668]: Invalid user postfix from ::ffff:60.248.81.124
Oct 24 14:14:36 89 sshd[4668]: Failed password for invalid user postfix from ::ffff:60.248.81.124 port 37783 ssh2
Oct 24 14:14:39 89 sshd[4670]: Invalid user postgres from ::ffff:60.248.81.124
Oct 24 14:14:41 89 sshd[4670]: Failed password for invalid user postgres from ::ffff:60.248.81.124 port 37945 ssh2
Oct 24 14:14:46 89 sshd[4672]: Invalid user paul from ::ffff:60.248.81.124
Oct 24 14:14:49 89 sshd[4672]: Failed password for invalid user paul from ::ffff:60.248.81.124 port 38088 ssh2
Oct 24 14:14:54 89 sshd[4674]: Failed password for root from ::ffff:60.248.81.124 port 38232 ssh2
Oct 24 14:14:58 89 sshd[4676]: Invalid user guest from ::ffff:60.248.81.124
Oct 24 14:15:01 89 sshd[4676]: Failed password for invalid user guest from ::ffff:60.248.81.124 port 38391 ssh2
Oct 24 14:15:05 89 sshd[4678]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:15:07 89 sshd[4678]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 38548 ssh2
Oct 24 14:15:12 89 sshd[4680]: Invalid user linux from ::ffff:60.248.81.124
Oct 24 14:15:14 89 sshd[4680]: Failed password for invalid user linux from ::ffff:60.248.81.124 port 38697 ssh2
Oct 24 14:15:19 89 sshd[4682]: Invalid user user from ::ffff:60.248.81.124
Oct 24 14:15:21 89 sshd[4682]: Failed password for invalid user user from ::ffff:60.248.81.124 port 38821 ssh2
Oct 24 14:15:24 89 sshd[4684]: Invalid user david from ::ffff:60.248.81.124
Oct 24 14:15:26 89 sshd[4684]: Failed password for invalid user david from ::ffff:60.248.81.124 port 38979 ssh2
Oct 24 14:15:29 89 sshd[4686]: Invalid user web from ::ffff:60.248.81.124
Oct 24 14:15:32 89 sshd[4686]: Failed password for invalid user web from ::ffff:60.248.81.124 port 39150 ssh2
Oct 24 14:15:38 89 sshd[4690]: Failed password for apache from ::ffff:60.248.81.124 port 39309 ssh2
Oct 24 14:15:42 89 sshd[4692]: Invalid user pgsql from ::ffff:60.248.81.124
Oct 24 14:15:45 89 sshd[4692]: Failed password for invalid user pgsql from ::ffff:60.248.81.124 port 39459 ssh2
Oct 24 14:15:51 89 sshd[4694]: Failed password for mysql from ::ffff:60.248.81.124 port 39608 ssh2
Oct 24 14:15:55 89 sshd[4696]: Invalid user info from ::ffff:60.248.81.124
Oct 24 14:15:57 89 sshd[4696]: Failed password for invalid user info from ::ffff:60.248.81.124 port 39747 ssh2
Oct 24 14:16:02 89 sshd[4698]: Invalid user tony from ::ffff:60.248.81.124
Oct 24 14:16:04 89 sshd[4698]: Failed password for invalid user tony from ::ffff:60.248.81.124 port 48623 ssh2
Oct 24 14:16:07 89 sshd[4700]: Invalid user core from ::ffff:60.248.81.124
Oct 24 14:16:10 89 sshd[4700]: Failed password for invalid user core from ::ffff:60.248.81.124 port 48772 ssh2
Oct 24 14:16:14 89 sshd[4702]: Invalid user newsletter from ::ffff:60.248.81.124
Oct 24 14:16:16 89 sshd[4702]: Failed password for invalid user newsletter from ::ffff:60.248.81.124 port 48909 ssh2
Oct 24 14:16:23 89 sshd[4704]: Failed password for named from ::ffff:60.248.81.124 port 49063 ssh2
Oct 24 14:16:28 89 sshd[4706]: Invalid user visitor from ::ffff:60.248.81.124
Oct 24 14:16:30 89 sshd[4706]: Failed password for invalid user visitor from ::ffff:60.248.81.124 port 49200 ssh2
Oct 24 14:16:33 89 sshd[4708]: Invalid user ftpuser from ::ffff:60.248.81.124
Oct 24 14:16:36 89 sshd[4708]: Failed password for invalid user ftpuser from ::ffff:60.248.81.124 port 49346 ssh2
Oct 24 14:16:40 89 sshd[4710]: Invalid user username from ::ffff:60.248.81.124
Oct 24 14:16:43 89 sshd[4710]: Failed password for invalid user username from ::ffff:60.248.81.124 port 49491 ssh2
Oct 24 14:16:48 89 sshd[4712]: Invalid user administrator from ::ffff:60.248.81.124
Oct 24 14:16:50 89 sshd[4712]: Failed password for invalid user administrator from ::ffff:60.248.81.124 port 49622 ssh2
Oct 24 14:16:55 89 sshd[4714]: Invalid user library from ::ffff:60.248.81.124
Oct 24 14:16:58 89 sshd[4714]: Failed password for invalid user library from ::ffff:60.248.81.124 port 49758 ssh2
Oct 24 14:17:01 89 sshd[4716]: Invalid user test from ::ffff:60.248.81.124
Oct 24 14:17:04 89 sshd[4716]: Failed password for invalid user test from ::ffff:60.248.81.124 port 49891 ssh2
Oct 24 14:17:10 89 sshd[4718]: Failed password for root from ::ffff:60.248.81.124 port 50036 ssh2
Oct 24 14:17:17 89 sshd[4720]: Failed password for root from ::ffff:60.248.81.124 port 50174 ssh2
Oct 24 14:17:21 89 sshd[4722]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:17:23 89 sshd[4722]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 50296 ssh2
Oct 24 14:17:28 89 sshd[4724]: Invalid user guest from ::ffff:60.248.81.124
Oct 24 14:17:30 89 sshd[4724]: Failed password for invalid user guest from ::ffff:60.248.81.124 port 50437 ssh2
Oct 24 14:17:33 89 sshd[4726]: Invalid user master from ::ffff:60.248.81.124
Oct 24 14:17:36 89 sshd[4726]: Failed password for invalid user master from ::ffff:60.248.81.124 port 50592 ssh2
Oct 24 14:17:42 89 sshd[4728]: Failed password for root from ::ffff:60.248.81.124 port 50734 ssh2
Oct 24 14:17:48 89 sshd[4730]: Failed password for root from ::ffff:60.248.81.124 port 50877 ssh2
Oct 24 14:17:53 89 sshd[4732]: Failed password for root from ::ffff:60.248.81.124 port 51025 ssh2
Oct 24 14:17:59 89 sshd[4734]: Failed password for root from ::ffff:60.248.81.124 port 51177 ssh2
Oct 24 14:18:04 89 sshd[4736]: Failed password for root from ::ffff:60.248.81.124 port 51321 ssh2
Oct 24 14:18:08 89 sshd[4738]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:18:11 89 sshd[4738]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 51463 ssh2
Oct 24 14:18:15 89 sshd[4740]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:18:18 89 sshd[4740]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 51592 ssh2
Oct 24 14:18:21 89 sshd[4742]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:18:24 89 sshd[4742]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 51730 ssh2
Oct 24 14:18:29 89 sshd[4744]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:18:31 89 sshd[4744]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 51865 ssh2
Oct 24 14:18:39 89 sshd[4746]: Failed password for root from ::ffff:60.248.81.124 port 51986 ssh2
Oct 24 14:18:44 89 sshd[4748]: Failed password for root from ::ffff:60.248.81.124 port 52131 ssh2
Oct 24 14:18:48 89 sshd[4750]: Invalid user test from ::ffff:60.248.81.124
Oct 24 14:18:50 89 sshd[4750]: Failed password for invalid user test from ::ffff:60.248.81.124 port 52276 ssh2
Oct 24 14:18:55 89 sshd[4752]: Invalid user test from ::ffff:60.248.81.124
Oct 24 14:18:58 89 sshd[4752]: Failed password for invalid user test from ::ffff:60.248.81.124 port 52409 ssh2
Oct 24 14:19:01 89 sshd[4754]: Invalid user webmaster from ::ffff:60.248.81.124
Oct 24 14:19:03 89 sshd[4754]: Failed password for invalid user webmaster from ::ffff:60.248.81.124 port 52546 ssh2
Oct 24 14:19:07 89 sshd[4756]: Invalid user username from ::ffff:60.248.81.124
Oct 24 14:19:09 89 sshd[4756]: Failed password for invalid user username from ::ffff:60.248.81.124 port 52693 ssh2
Oct 24 14:19:13 89 sshd[4758]: Invalid user user from ::ffff:60.248.81.124
Oct 24 14:19:16 89 sshd[4758]: Failed password for invalid user user from ::ffff:60.248.81.124 port 52837 ssh2
Oct 24 14:19:22 89 sshd[4760]: Failed password for root from ::ffff:60.248.81.124 port 52978 ssh2
Oct 24 14:19:25 89 sshd[4762]: Invalid user admin from ::ffff:60.248.81.124
Oct 24 14:19:28 89 sshd[4762]: Failed password for invalid user admin from ::ffff:60.248.81.124 port 53141 ssh2
Oct 24 14:19:31 89 sshd[4764]: Invalid user test from ::ffff:60.248.81.124
Oct 24 14:19:34 89 sshd[4764]: Failed password for invalid user test from ::ffff:60.248.81.124 port 53308 ssh2
Oct 24 14:19:39 89 sshd[4766]: Failed password for root from ::ffff:60.248.81.124 port 53467 ssh2
Oct 24 14:19:45 89 sshd[4768]: Failed password for root from ::ffff:60.248.81.124 port 53633 ssh2
Oct 24 14:19:52 89 sshd[4770]: Failed password for root from ::ffff:60.248.81.124 port 53768 ssh2
Oct 24 14:19:56 89 sshd[4772]: Invalid user danny from ::ffff:60.248.81.124
Oct 24 14:19:58 89 sshd[4772]: Failed password for invalid user danny from ::ffff:60.248.81.124 port 53897 ssh2
Oct 24 14:20:02 89 sshd[4774]: Invalid user alex from ::ffff:60.248.81.124
Oct 24 14:20:05 89 sshd[4774]: Failed password for invalid user alex from ::ffff:60.248.81.124 port 54895 ssh2
Oct 24 14:20:08 89 sshd[4776]: Invalid user brett from ::ffff:60.248.81.124
Oct 24 14:20:16 89 sshd[4776]: Failed password for invalid user brett from ::ffff:60.248.81.124 port 55433 ssh2
Oct 24 20:11:46 89 sshd[4929]: Did not receive identification string from ::ffff:217.195.205.226
Oct 24 23:54:56 89 webmin[5291]: Successful login as username from my.ip
Oct 25 06:49:07 89 sshd[5895]: Invalid user test from ::ffff:220.231.39.84
Oct 25 06:49:10 89 sshd[5895]: Failed password for invalid user test from ::ffff:220.231.39.84 port 47265 ssh2
Oct 25 06:49:12 89 sshd[5897]: Invalid user guest from ::ffff:220.231.39.84
Oct 25 06:49:15 89 sshd[5897]: Failed password for invalid user guest from ::ffff:220.231.39.84 port 47415 ssh2
Oct 25 06:49:18 89 sshd[5899]: Invalid user admin from ::ffff:220.231.39.84
Oct 25 06:49:20 89 sshd[5899]: Failed password for invalid user admin from ::ffff:220.231.39.84 port 47568 ssh2
Oct 25 06:49:23 89 sshd[5901]: Invalid user admin from ::ffff:220.231.39.84
Oct 25 06:49:25 89 sshd[5901]: Failed password for invalid user admin from ::ffff:220.231.39.84 port 47721 ssh2
Oct 25 06:49:28 89 sshd[5903]: Invalid user user from ::ffff:220.231.39.84
Oct 25 06:49:31 89 sshd[5903]: Failed password for invalid user user from ::ffff:220.231.39.84 port 47880 ssh2
Oct 25 06:49:36 89 sshd[5905]: Failed password for root from ::ffff:220.231.39.84 port 48003 ssh2
Oct 25 06:49:41 89 sshd[5907]: Failed password for root from ::ffff:220.231.39.84 port 48187 ssh2
Oct 25 06:49:46 89 sshd[5909]: Failed password for root from ::ffff:220.231.39.84 port 48448 ssh2
Oct 25 06:49:49 89 sshd[5911]: Invalid user test from ::ffff:220.231.39.84
Oct 25 06:49:52 89 sshd[5911]: Failed password for invalid user test from ::ffff:220.231.39.84 port 48568 ssh2

What should I do?
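As an added illustration (not part of er1cw's post), a small parser for sshd lines in this log format: it counts failures per source address, lists the usernames tried, flags rapid-fire brute forcing, and, more relevant to the "data lost" question, reports any accepted login from an address that had been failing. The sample lines, addresses and year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same syslog format as the thread's log.
# Addresses are RFC 5737 documentation ranges, not the poster's real sources.
SAMPLE_LOG = """\
Oct 24 14:12:50 89 sshd[4634]: Failed password for invalid user staff from ::ffff:192.0.2.10 port 35235 ssh2
Oct 24 14:12:57 89 sshd[4636]: Failed password for invalid user sales from ::ffff:192.0.2.10 port 35385 ssh2
Oct 24 14:13:02 89 sshd[4638]: Failed password for invalid user recruit from ::ffff:192.0.2.10 port 35536 ssh2
Oct 24 14:14:54 89 sshd[4674]: Failed password for root from ::ffff:192.0.2.10 port 38232 ssh2
Oct 24 14:17:10 89 sshd[4718]: Failed password for root from ::ffff:192.0.2.10 port 50036 ssh2
Oct 24 20:11:46 89 sshd[4929]: Did not receive identification string from ::ffff:198.51.100.7
Oct 25 06:49:10 89 sshd[5895]: Failed password for invalid user test from ::ffff:203.0.113.5 port 47265 ssh2
Oct 25 06:49:36 89 sshd[5905]: Failed password for root from ::ffff:203.0.113.5 port 48003 ssh2
Oct 25 07:30:00 89 sshd[5950]: Accepted password for root from ::ffff:203.0.113.5 port 48100 ssh2
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)")

def parse_ts(ts, year):
    # syslog lines carry no year; the caller supplies it (assumed 2006 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarize(log_text, year=2006):
    """Per source IP: failed logins, distinct usernames tried, first/last failure,
    and any accepted login from the same IP after failures (noise becomes an incident)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "first": None, "last": None, "accepted": []})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            s, t = stats[m["ip"]], parse_ts(m["ts"], year)
            s["failures"] += 1
            s["users"].add(m["user"])
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in stats and stats[m["ip"]]["failures"]:
            stats[m["ip"]]["accepted"].append((m["user"], m["ts"]))
    return stats

def brute_force_sources(stats, min_failures=3, max_span_minutes=10):
    """IPs whose failures reach min_failures within max_span_minutes of the first one."""
    hits = []
    for ip, s in stats.items():
        if s["failures"] >= min_failures:
            span = (s["last"] - s["first"]).total_seconds() / 60
            if span <= max_span_minutes:
                hits.append(ip)
    return sorted(hits)

def compromised_sources(stats):
    # IPs that failed and were later accepted: investigate these first
    return sorted(ip for ip, s in stats.items() if s["accepted"])
```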

Pat Gael
Oct 24th 2006, 11:29 pm
Block that IP or the range of IPs as a first measure.

Winagain
Oct 24th 2006, 11:32 pm
It looks like a bad attempt to hack you by brute force. Most of these attacks will not get into your system if you didn't choose an easy password (a dictionary word, for example).

I would recommend you check with an expert, though. I use www.ncmanage.com and they have saved me more times than I can count. They can provide you with firewall configuration and check your server for any security holes.

er1cw
Oct 24th 2006, 11:35 pm
Yup. I believe they broke into my system yesterday and I've sustained some data loss. No idea why it is not recorded in the log.

I would like to use ncmanage.com; which package do you recommend?

er1cw
Oct 24th 2006, 11:36 pm
This one looks suspicious:

Oct 24 20:11:46 89 sshd[4929]: Did not receive identification string from ::ffff:217.195.205.226


What happened there?

Thibaut
Oct 25th 2006, 5:50 am
This one looks suspicious:

Oct 24 20:11:46 89 sshd[4929]: Did not receive identification string from ::ffff:217.195.205.226

What happened there?

This is a trivial access to your ssh daemon using the following command:

telnet your-address 22

By the way, I would suggest you restrict your SSH access to your IP only. If you can't, switch to a VPN connection.

Cheers!

Winagain
Oct 26th 2006, 12:42 am
er1cw, I would recommend the "New server setup" option to start with, and a management monthly plan depending on your server.

The management monthly plan would allow you to sleep like a baby knowing somebody is watching over your server should anything happen.

Ask for John, hell of a guy. He has put up with my most annoying requests and is willing to go the extra mile for a good customer. (mmm, I just answered myself a question about him :p )

Shoemoney
Oct 26th 2006, 12:44 am
Only accept from your IP, OR

simply change the port from 22 to an odd port.

HollyRidge
Oct 27th 2006, 12:19 pm
Hello,

While we don't fully support webmin servers @ NCManage.com (we typically only support cpanel and ensim based machines), we can assist you with a firewall and some hardening restrictions on your server to help with this type of thing. What I would suggest is going with apf firewall with antidos along with brute force detection. Also, as noted here, maybe restricting ssh access to your IP (if you are on a static IP). To further this you may want to look at denying direct root ssh access, maybe by key, sudo, or both.

Hopefully your server has not been compromised yet. If it has the only way to recover is a reformat and a reinstall, being extremely careful with any backups as they may also be compromised.

I have also sent you a PM with further details to the same effect.

Regards,
JohnB

mikelbeck
Oct 27th 2006, 12:34 pm
Wow... Looks like you missed a bunch of stuff that you should've done when the server was first set up. Install apf, bfd, change sshd to listen on a different port, restrict root from logging in from any port, disable telnet, restrict ssh to your IP address only...

This link is cPanel oriented, but there's still a bunch of good information in there: http://forums.ev1servers.net/showthread.php?t=30333

Shoemoney
Oct 28th 2006, 10:03 am
BTW, this probably doesn't help you much, but it's very common on a public server to get these brute force SSH attempts.

Kmurray
Oct 29th 2006, 10:37 am
Yeah, change the SSH port and you're good!

hans
Nov 8th 2006, 2:06 am
Next time:

1.
Instantly do
- in .htaccess a
deny from xxx.xxx.xxx.xxx

(put the real IP belonging to the hacker in progress)

2.
If you know how to use iptables,
do the same - block any IP or - since many hackers use proxies with several IPs you may block an entire range - at least for the moment.

3. If you see what URL or server path is under attack via HTTP,
then
chmod 000 that entire section of your site.

4.
Search the access_log!!!!!!
Use
grep xxx.xxx.xxx.xxx (using the hacker's IP)
to see the FIRST entry:
how did he find your site (maybe a G search as referrer... what SW did he search for - sometimes hackers KNOW a particular SW with an open back door...)

With the data found, close all doors.
It may take TIME:
days, nights, weeks.
Early this year I had the same situation and invested a full 2+ weeks nearly day and night in
observing my site real time / live,
studying the SW I have from a security point of view,
- searching security alerts,
finding other victims and sharing experiences to solve the issue and secure the site.


After the many good pieces of advice you received from all others:

SSH

Make it server key login only! No more PW.

And remove / disable any password logins for all services you have installed.
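Pulling together the SSH advice given by Thibaut, Shoemoney, HollyRidge, mikelbeck and hans above (restrict to your own IP, move the port, no direct root login, key login only), here is an added example that is not from the thread: a constructed weak sshd_config beside a hardened one, and a small auditor that reports which of those settings a config still lacks. The username, address and the OpenSSH-era defaults it assumes for absent options are assumptions.

```python
import re

# Constructed sshd_config fragments, not the poster's real configuration.
# WEAK_CONFIG is the out-of-the-box state implied by the thread's log (root
# and password logins accepted from anywhere); HARDENED_CONFIG applies the
# replies' advice. "alice" and 203.0.113.5 are placeholders.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Shoemoney/mikelbeck: move off port 22 (cuts log noise, not risk)
Port 2222
# HollyRidge/mikelbeck: no direct root login; use sudo from a user account
PermitRootLogin no
# hans: key login only, no more passwords (keyboard-interactive included)
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# Thibaut/Shoemoney: accept logins only from your own static IP
AllowUsers alice@203.0.113.5
"""

# Assumed defaults for absent options (OpenSSH 4.x era; newer releases differ)
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}

# (option, predicate that the value must satisfy, finding text when it does not)
RULES = [
    ("PermitRootLogin", lambda v: v in ("no", "prohibit-password", "without-password"),
     "root may log in directly with a password"),
    ("PasswordAuthentication", lambda v: v == "no", "password logins accepted (brute-forceable)"),
    ("ChallengeResponseAuthentication", lambda v: v == "no", "keyboard-interactive can still take a password"),
    ("PubkeyAuthentication", lambda v: v == "yes", "public-key login disabled"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 3, "too many guesses allowed per connection"),
]

def parse_sshd_config(text):
    """{option (lower-cased): value}; full-line comments skipped. sshd keeps the
    FIRST occurrence of an option, so duplicates are ignored. Match blocks not modelled."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(text):
    """Findings for a config; an empty list means it satisfies the thread's advice."""
    opts = parse_sshd_config(text)
    values = {name: opts.get(name.lower(), DEFAULTS[name.lower()]) for name, _, _ in RULES}
    findings = [f"{name}={values[name]}: {msg}" for name, ok, msg in RULES if not ok(values[name])]
    if not any(k in opts for k in ("allowusers", "listenaddress")):
        findings.append("no AllowUsers/ListenAddress: logins accepted from any address")
    return findings
```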