There was some data loss on my server yesterday and I found this in my log file. Shockingly I found 3 IPs trying to access my server via SSH. What should I do?
It looks like a bad attempt to hack you by brute force. Most of these attacks will not get into your system if you didn't choose an easy password (a dictionary word, for example). I would recommend you check with an expert, though. I use www.ncmanage.com and they have saved me more times than I can count. They can provide you with firewall configuration and check your server for any security holes.
Yup. I believe they broke into my system yesterday and I've sustained some data loss. No idea why it is not recorded in the log. I would like to use ncmanage.com, which package do you recommend?
This is a trivial access to your ssh daemon using the following command: telnet your-address 22
By the way, I would suggest you restrict your SSH access to your IP only. If you can't, shift to a VPN connection. Cheers!
er1cw, I would recommend the "New server setup" option to start with, and a management monthly plan depending on your server. The management monthly plan would allow you to sleep like a baby knowing somebody is watching over your server should anything happen. Ask for John, hell of a guy. He has put up with my most annoying requests and is willing to go the extra mile for a good customer. (mmm, I just answered myself a question about him)
Hello, While we don't fully support webmin servers @ NCManage.com (we typically only support cpanel and ensim based machines) we can assist you with a firewall and some hardening restrictions on your server to help with this type of thing. What I would suggest is going with apf firewall with antidos along with brute force detection. Also as noted here, maybe restricting ssh access to your ip (if you are on a static ip). To further this you may want to look at denying direct root ssh access, maybe by key, sudo, or both. Hopefully your server has not been compromised yet. If it has, the only way to recover is a reformat and a reinstall, being extremely careful with any backups as they may also be compromised. I have also sent you a PM with further details to the same effect. Regards, JohnB
Wow... Looks like you missed a bunch of stuff that you should've done when the server was first set up. Install apf, bfd, change sshd to listen on a different port, restrict root from logging in from any port, disable telnet, restrict ssh to your IP address only... This link is cPanel oriented, but there's still a bunch of good information in there: http://forums.ev1servers.net/showthread.php?t=30333
btw this probably doesn't help you much, but it's very common on a public server to get these brute force ssh attempts.
Next time:
1. Instantly do - in .htaccess - a "deny from xxx.xxx.xxx.xxx" (put the real IP belonging to the hackers in progress).
2. If you know how to use iptables, do the same - block any IP, or, since many hackers use proxies with several IPs, you may block an entire range, at least for the moment.
3. If you see what URL or server path is under attack via http, then chmod 000 that entire section of your site.
4. Search the access_log!!!!!! Use grep xxx.xxx.xxx.xxx (using the hacker's IP) to see the FIRST entry: how did he find your site (maybe a G search as referrer ... what SW did he search for - sometimes hackers KNOW a particular SW with an open back door ...). With the data found, close all doors. It may take TIME: days, nights, weeks. Early this year I had the same situation and invested a full 2+ weeks, nearly day and night, in observing my site real time / live, studying the SW I have from a security point of view, searching security alerts, finding other victims and sharing experiences to solve the issue and secure the site.
After the many good pieces of advice you received from all others: SSH - make it a server key login only! No more pw, and remove / disable any password login for all services you have installed.
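The steps JohnB, the cPanel-oriented reply and the "next time" list above describe (count the failed SSH logins per source IP, grep the access_log for that IP's first hit and its referrer, write a deny rule, and make sure sshd refuses root and password logins) can be scripted. The following is an added example, not code from anyone in this thread: every log line, the sshd_config snippet, the IPs and the temp-file paths are constructed sample data, and the function names are my own. The .htaccess and iptables rules are printed for review rather than executed, since applying them needs root or access to the web server's config.

```shell
#!/bin/sh
# Added example (not from the thread). All log lines, the sshd_config and the
# IP addresses below are CONSTRUCTED sample data; function names are assumptions.

# ---- constructed sample data ---------------------------------------------
AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Jun 12 03:14:01 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jun 12 03:14:03 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Jun 12 03:14:05 srv sshd[2214]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jun 12 03:20:11 srv sshd[2290]: Failed password for root from 198.51.100.7 port 5100 ssh2
Jun 12 03:20:13 srv sshd[2290]: Failed password for root from 198.51.100.7 port 5101 ssh2
Jun 12 03:25:40 srv sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 6010 ssh2
Jun 12 03:30:00 srv sshd[2310]: Accepted publickey for deploy from 192.0.2.50 port 7000 ssh2
EOF

ACCESS_LOG=$(mktemp)      # Apache "combined" log format, constructed
cat >"$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [12/Jun/2007:02:58:10 +0000] "GET /admin/ HTTP/1.1" 401 512 "http://example-search.invalid/?q=admin+login" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2007:02:58:12 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2007:03:05:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.0"
EOF

SSHD_CFG=$(mktemp)        # a weak sshd_config, constructed
cat >"$SSHD_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# ---- step 1: which IPs are hammering sshd, most active first --------------
# Prints "ip count" per line from "Failed password ... from <ip> port" entries.
failed_ssh_by_ip() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn |
        awk '{ print $2 " " $1 }'
}

# ---- step 2: the FIRST access_log hit for that IP, and its referrer -------
first_hit() {             # full first line for the IP ($2) in the log ($1)
    grep -F "$2 " "$1" | head -n 1
}
first_referrer() {        # referrer = 4th double-quoted field of combined format
    first_hit "$1" "$2" | awk -F'"' '{ print $4 }'
}

# ---- step 3: block rules to apply (printed, not executed) -----------------
deny_rules() {
    cat <<EOF
# .htaccess (Apache 2.2 syntax; Apache 2.4 uses "Require not ip $1")
Order allow,deny
Allow from all
Deny from $1
# iptables, run as root
iptables -I INPUT -s $1 -j DROP
EOF
}

# ---- step 4: does sshd_config refuse root and password logins? ------------
# Prints one line per directive that is missing or wrong; empty output = ok.
# A commented-out directive counts as unset, so the daemon default applies.
check_sshd_config() {
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${want% *}; val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
        [ "$got" = "$val" ] || echo "$key: want $val, have ${got:-unset (default applies)}"
    done
}

# ---- report --------------------------------------------------------------
echo "Failed SSH logins per source IP:"
failed_ssh_by_ip "$AUTH_LOG"
TOP=$(failed_ssh_by_ip "$AUTH_LOG" | head -n 1 | cut -d' ' -f1)
echo; echo "First web hit from $TOP:"; first_hit "$ACCESS_LOG" "$TOP"
echo "Referrer: $(first_referrer "$ACCESS_LOG" "$TOP")"
echo; deny_rules "$TOP"
echo; echo "sshd_config problems:"; check_sshd_config "$SSHD_CFG"
```

On a real box point AUTH_LOG at /var/log/auth.log or /var/log/secure and ACCESS_LOG at the web server's access log, and run check_sshd_config against /etc/ssh/sshd_config before restarting sshd; the referrer of the first hit is what the "next time" post means by finding out how the site was found.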