Holy Unauthorized Access, Batman!

You know, I honestly have no idea why I decided to do this today, but I was poking around my Digital Ocean account and found something interesting. I hopped on my droplet and for whatever reason decided to see if anyone other than myself was trying to use it. I was shocked to see how many attempts there were. Here’s but a brief section from /var/log/secure:

Apr 12 03:36:02 digital sshd[3413]: Failed password for root from 43.255.190.161 port 52502 ssh2
Apr 12 03:36:02 digital sshd[3405]: Failed password for root from 43.255.190.138 port 41553 ssh2
Apr 12 03:36:02 digital sshd[3408]: Failed password for root from 43.255.190.189 port 52791 ssh2
Apr 12 03:36:02 digital sshd[3407]: Failed password for root from 43.255.190.144 port 40002 ssh2
Apr 12 03:36:02 digital sshd[3399]: Failed password for root from 43.255.190.148 port 46841 ssh2
Apr 12 03:36:39 digital sshd[3516]: Failed password for root from 218.87.111.116 port 52604 ssh2
Apr 12 03:36:43 digital sshd[3528]: Failed password for root from 43.255.190.148 port 52134 ssh2
Apr 12 03:36:43 digital sshd[3537]: Failed password for root from 43.255.190.144 port 53079 ssh2
Apr 12 03:36:43 digital sshd[3536]: Failed password for root from 43.255.190.189 port 38574 ssh2
Apr 12 03:36:43 digital sshd[3530]: Failed password for root from 43.255.190.138 port 52756 ssh2
Apr 12 03:36:43 digital sshd[3542]: Failed password for root from 43.255.190.161 port 36072 ssh2
Apr 12 03:36:44 digital sshd[3533]: Failed password for root from 43.255.190.183 port 37622 ssh2
Apr 12 03:36:44 digital sshd[3532]: Failed password for root from 43.255.190.122 port 52998 ssh2
Apr 12 03:36:44 digital sshd[3540]: Failed password for root from 43.255.190.149 port 51716 ssh2

It would appear that someone in Hong Kong is determined to access my droplet. The 218.87 source IP seems to originate from China.

So what’d I do? I said, “To hell wit ’em!” and installed fail2ban. 🙂 Fail2ban scans your log files and automatically bans IPs with repeated failed attempts by updating your iptables rules. Apparently I’m not alone, as DO already had an article about installing and configuring this cool tool, which saved me some typing. You can see how fail2ban has added itself to the firewall via iptables -L.

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
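To show what fail2ban is actually doing with lines like the ones above, here is an added Python example (not the post’s or fail2ban’s own code) that parses the sshd "Failed password" format, keeps a sliding findtime window per source IP, and reports which addresses would trip a ban. The sample lines are constructed, the year used for timestamps is an arbitrary assumption (syslog lines carry none), and the chain name is assumed from the iptables -L output above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the /var/log/secure excerpt above;
# the "Accepted publickey" line is there to show non-failure lines are ignored.
SAMPLE_LOG = """\
Apr 12 03:36:02 digital sshd[3413]: Failed password for root from 43.255.190.161 port 52502 ssh2
Apr 12 03:36:39 digital sshd[3516]: Failed password for root from 218.87.111.116 port 52604 ssh2
Apr 12 03:36:43 digital sshd[3542]: Failed password for root from 43.255.190.161 port 36072 ssh2
Apr 12 03:37:10 digital sshd[3600]: Failed password for root from 43.255.190.161 port 36100 ssh2
Apr 12 03:50:00 digital sshd[3700]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
Apr 12 04:30:00 digital sshd[3800]: Failed password for root from 218.87.111.116 port 52700 ssh2
"""

# Matches sshd "Failed password" lines (with or without "invalid user").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year):
    """Yield (timestamp, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog has no year, so one is supplied for date arithmetic
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(log_text, maxretry=3, findtime=600, year=2015):
    """{ip: ban_time} for IPs with >= maxretry failures in any findtime window."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text, year):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0                       # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1              # drop failures older than findtime
            if end - start + 1 >= maxretry:
                banned[ip] = t          # the failure that would trip the ban
                break
    return banned

def ban_rule(ip, chain="fail2ban-SSH"):
    """The iptables command that yields the REJECT entries seen later (string only)."""
    return f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"
```

Calling `offenders(SAMPLE_LOG)` bans only 43.255.190.161 (three failures in about a minute); 218.87.111.116 has two failures an hour apart, so with the default window it never reaches maxretry.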

As I’ve been writing this more bastards have been trying.

Apr 16 19:56:25 digital sshd[21929]: Failed password for root from 222.186.21.198 port 56975 ssh2
Apr 16 19:56:25 digital sshd[21927]: Failed password for root from 58.218.204.248 port 41954 ssh2
Apr 16 19:56:27 digital sshd[21929]: Failed password for root from 222.186.21.198 port 56975 ssh2
Apr 16 19:56:27 digital sshd[21927]: Failed password for root from 58.218.204.248 port 41954 ssh2

Lucky for me, though, fail2ban is doing its job and updating the firewall.

REJECT all -- 58.218.204.248 anywhere reject-with icmp-port-unreachable
REJECT all -- 222.186.21.198 anywhere reject-with icmp-port-unreachable
REJECT all -- 43.255.190.115 anywhere reject-with icmp-port-unreachable

Unfortunately, a quick review of /var/log/messages shows me that things aren’t working 100%.

Apr 16 19:27:50 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Unban 117.21.191.196
Apr 16 19:27:52 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Unban 58.218.213.254
Apr 16 19:28:44 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Ban 43.255.190.168
Apr 16 19:38:45 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Unban 43.255.190.168
Apr 16 19:38:59 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Ban 222.161.4.148
Apr 16 19:49:00 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Unban 222.161.4.148
Apr 16 19:55:12 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Ban 43.255.190.115
Apr 16 19:56:28 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Ban 222.186.21.198
Apr 16 19:56:36 digital fail2ban.actions[21411]: WARNING [ssh-iptables] Ban 58.218.204.248

I want to permaban these jerks. I edited /etc/fail2ban/jail.local and changed the bantime to -1 so it’s permanent. Unfortunately the blocked IPs will be wiped out if I restart the service so I’ll have to do some additional configuration steps. This will do for now, though.

bantime = -1

If you’re seeing this same sort of activity on your server hopefully this will set you down the path of clearing it up.

Ok, I decided to make this short video showing how frequently the hits were coming.

httpv://youtu.be/8uosXN8wH8o
