
Ubuntu: unknown users trying to log via ssh


Hi, I'm kinda new to "having my own server". My server recently got turned off. Everything is working by now, but when I opened the logs I was shocked. I don't exactly know what's in there, but it looks like some kind of DDoS attack. Some of the attempting users even have usernames like bot, bot2... My ufw log is "spammed" too. Ufw was blocking IP addresses. I don't recognize any IP address in the log.

Here is a small piece of the log:

Apr  6 20:39:20 Hl-Server sshd[5107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.86.23.82
Apr  6 20:39:21 Hl-Server sshd[5107]: Failed password for invalid user applmgr from 110.86.23.82 port 1121 ssh2
Apr  6 20:39:22 Hl-Server sshd[5107]: Received disconnect from 110.86.23.82 port 1121:11: Normal Shutdown, Thank you for playing [preauth]
Apr  6 20:39:22 Hl-Server sshd[5107]: Disconnected from 110.86.23.82 port 1121 [preauth]
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session closed for user root
Apr  6 20:46:05 Hl-Server sshd[5113]: Invalid user wp-user from 221.229.166.102

Thanks for the help.


Solution

  • Things to consider when "having your own server" to lower the chance of a server breach via SSH:

    1. Create a "normal" user if you only login with root via SSH

    adduser demo
    

    then add sudo privileges to the newly added user

    visudo
    

    append

    demo    ALL=(ALL:ALL) ALL
    

    after

    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    

    2. Change SSH port

    nano /etc/ssh/sshd_config
    

    change Port 22 to something higher, like Port 25000

    3. Don't allow root login

    in the same config file, change PermitRootLogin yes to PermitRootLogin no

    4. reload SSH

    reload ssh
    

    5. Other things to consider

       - allow login only by private key
       - install fail2ban

    References:
    - DigitalOcean: initial server setup
    - DigitalOcean: how to configure SSH key-based authentication
    - DigitalOcean: how to protect SSH with fail2ban
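As an added example (not part of the question or the answer above): a small Python triage script that counts failed sshd logins per source IP over the question's auth.log excerpt, roughly the matching fail2ban's sshd jail does before it bans an address. The two `bot`/`bot2` lines and the `maxretry` value of 3 are constructed for illustration and are assumptions, not fail2ban's real defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the auth.log excerpt from the question, plus two
# constructed lines for the "bot"/"bot2" usernames the asker mentioned.
SAMPLE_LOG = """\
Apr  6 20:39:20 Hl-Server sshd[5107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.86.23.82
Apr  6 20:39:21 Hl-Server sshd[5107]: Failed password for invalid user applmgr from 110.86.23.82 port 1121 ssh2
Apr  6 20:39:22 Hl-Server sshd[5107]: Received disconnect from 110.86.23.82 port 1121:11: Normal Shutdown, Thank you for playing [preauth]
Apr  6 20:39:22 Hl-Server sshd[5107]: Disconnected from 110.86.23.82 port 1121 [preauth]
Apr  6 20:40:10 Hl-Server sshd[5108]: Failed password for invalid user bot from 110.86.23.82 port 1130 ssh2
Apr  6 20:40:12 Hl-Server sshd[5109]: Failed password for invalid user bot2 from 110.86.23.82 port 1131 ssh2
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  6 20:45:01 Hl-Server CRON[5110]: pam_unix(cron:session): session closed for user root
Apr  6 20:46:05 Hl-Server sshd[5113]: Invalid user wp-user from 221.229.166.102
"""

# sshd message shapes that mean a login attempt was rejected. "Failed password"
# covers both existing accounts (e.g. root) and "invalid user" guesses; the
# pam_unix "authentication failure" line is skipped to avoid double counting.
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize_ssh_failures(log_text):
    """Return (failure count per source IP, sorted usernames tried per IP)."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_PW.search(line) or INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip] += 1
            users[ip].add(user)
    return per_ip, {ip: sorted(u) for ip, u in users.items()}


def offenders(log_text, maxretry=3):
    """Source IPs with at least `maxretry` failures (assumed threshold)."""
    per_ip, _ = summarize_ssh_failures(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)


if __name__ == "__main__":
    counts, tried = summarize_ssh_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failures, users tried: {', '.join(tried[ip])}")
    print("would ban:", offenders(SAMPLE_LOG))
```

Run it against a real `/var/log/auth.log` to see which addresses are guessing usernames; key-only authentication and fail2ban, as the answer recommends, are what stop the noise rather than hide it.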