I'm running my own DigitalOcean Droplet on Ubuntu. Today, I found that my SFTP connection to said Droplet was a little laggy when doing work on it, so I checked /var/log/auth.log files to see what was happening.

I saw that for the past 7 days or so, I've had a huge number of failed SSH logins from a variety of IP addresses (like once per minute). They look like dictionary attacks mostly, since there are a lot of random usernames used.

I had a basic iptables configuration that blocks consecutive SSH connections beforehand, and I've augmented my security since by disallowing root logins and changing my SSH port from 22. I've also changed the login passwords for my privileged accounts.

I don't know how long I've been under this dictionary attack, and my logs don't show any suspicious successful logins. My question is, should I be concerned with potential successful login attempts by this dictionary attack? I'm worried these are bots who might've installed malware on a successful login attempt via root.

Amith KK
John Doe
  • Setting up public key authentication and then disabling password support in sshd would have provided better protection than all your other changes. Also in my experience the server doesn't lag the same way when being scanned if password support has been disabled. – kasperd Jul 22 '18 at 14:51

1 Answer

Although it's unlikely that it succeeded if you had a strong root password, you could check for malware by using tools like tcptrack to see if any suspicious-looking connections are being made from the server.

Barring malware that communicates with the outside world, it would be very difficult to pinpoint where exactly a potential attacker would have put said malware, since once someone has root access you are by all means compromised and that person has total control of everything on the system. If you feel with certainty that someone has gained root access, the best course of action would be to transfer all the data you need off the droplet and just start over, making sure better security practices are followed so that such an attack is no longer possible.

Another step you can take to improve security would be to deny any type of password authentication and limit it to public key authentication only, so that such dictionary attacks are ineffective.

If for any reason you have to use passwords (which is not necessary in most cases and strongly not recommended), you can set up knockd to use port knocking to make sure an attacker can't figure out which port SSH is on. Note that this is just security by obscurity and you still need strong passwords/passphrases.

Amith KK
    +1 on key authentication alone – Organic Marble Jul 22 '18 at 13:59
  • @amith-kk My old password was an obscure word (which can be found in a standard English dictionary) followed by a non-consecutive 2-digit number. How secure is it? – John Doe Jul 22 '18 at 14:07
  • @terresquall Not very. You may try https://howsecureismypassword.net/ but DO NOT ENTER your actual password there but "something similar" (like another obscure word + 2 digits). IMO, the best is to use a password generator with weird characters, e.g. n#wjkWM28:3)yYs> (taken from https://passwordsgenerator.net/). However, I would not rely on passwords generated by a website but use password generators that are locally installed (like Keepass, for example). – PerlDuck Jul 22 '18 at 14:44
  • @terresquall Definitely not very secure. Estimates vary, but IIRC English has around 100,000 words. Adding two digits adds a factor of 100, and the choice of whether to put them before or after the word adds another factor of 2. So you're looking at some 20 million possible combinations based on your description alone, for somewhere on the order of 24 bits' worth of security. (2^24 ~ 16.8M) As for PerlDuck's suggestion of using something to estimate the security of a password, you should take any such results with a large pinch of salt; password entropy is about the process, not about the outcome. – user Jul 22 '18 at 15:50
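The asker's check of /var/log/auth.log can be done systematically: the added example below (not code from the question or answer) parses the sshd "Failed password" / "Accepted ..." lines, counts guesses per source IP and per username, and flags the case worried about above, an accepted password login from an IP that was also guessing. The log lines are constructed sample data, not from the asker's droplet; only the standard OpenSSH message formats are assumed.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Jul 22 13:01:02 droplet sshd[1201]: Invalid user admin from 203.0.113.10 port 40112
Jul 22 13:01:04 droplet sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 40112 ssh2
Jul 22 13:02:10 droplet sshd[1210]: Failed password for root from 203.0.113.10 port 40230 ssh2
Jul 22 13:03:15 droplet sshd[1222]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 22 13:03:18 droplet sshd[1222]: Accepted password for root from 198.51.100.7 port 51000 ssh2
Jul 22 13:10:00 droplet sshd[1300]: Accepted publickey for deploy from 192.0.2.5 port 60000 ssh2: RSA SHA256:PLACEHOLDER
"""

# Matches both "Failed password for [invalid user] USER from IP" and
# "Accepted password|publickey for USER from IP" as written by OpenSSH.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def summarize_auth_log(text):
    """Return failure counts and accepted logins, flagging password logins
    from IPs that were also guessing. Note: a successful root login could have
    been followed by log tampering, so an empty 'suspicious' list is not proof."""
    failures_by_ip = Counter()
    failed_users = Counter()
    accepted = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "Invalid user ..." and unrelated lines are skipped
        if m["event"] == "Failed":
            failures_by_ip[m["ip"]] += 1
            failed_users[m["user"]] += 1
        else:
            accepted.append((m["user"], m["method"], m["ip"]))
    # Public-key logins are what the answer recommends; password logins from a
    # guessing IP are the outcome the asker is worried about.
    suspicious = [a for a in accepted
                  if a[1] == "password" and failures_by_ip[a[2]] > 0]
    return {"failures_by_ip": failures_by_ip, "failed_users": failed_users,
            "accepted": accepted, "suspicious": suspicious}

if __name__ == "__main__":
    report = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("guesses per IP:", report["failures_by_ip"].most_common())
    print("guessed usernames:", report["failed_users"].most_common())
    print("suspicious password logins:", report["suspicious"])
```

On a real host, read the file with `open("/var/log/auth.log").read()` (and the rotated `auth.log.1`) in place of `SAMPLE_AUTH_LOG`.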