ssh brute force attacks to random ports/users

i change my default server ssh port and i have one ssh user(root)

i see a lot of logs like i quote;

Mar 30 15:09:20 server2 sshd[30568]: Invalid user git from 134.209.212.125 port 37676
Mar 30 15:09:20 server2 sshd[30568]: input_userauth_request: invalid user git [preauth]
Mar 30 15:09:20 server2 sshd[30568]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 15:09:20 server2 sshd[30568]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.209.212.125
Mar 30 15:09:22 server2 sshd[30568]: Failed password for invalid user git from 134.209.212.125 port 37676 ssh2
Mar 30 15:09:22 server2 sshd[30568]: Received disconnect from 134.209.212.125 port 37676:11: Bye Bye [preauth]
Mar 30 15:09:22 server2 sshd[30568]: Disconnected from 134.209.212.125 port 37676 [preauth]
Mar 30 15:09:25 server2 sshd[30577]: Address 60.30.98.194 maps to no-data, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 30 15:09:25 server2 sshd[30577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.30.98.194 user=root
Mar 30 15:09:25 server2 sshd[30577]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 30 15:09:28 server2 sshd[30577]: Failed password for root from 60.30.98.194 port 6080 ssh2
Mar 30 15:09:28 server2 sshd[30577]: Received disconnect from 60.30.98.194 port 6080:11: Bye Bye [preauth]
Mar 30 15:09:28 server2 sshd[30577]: Disconnected from 60.30.98.194 port 6080 [preauth]

 Mar 30 15:16:52 server2 sshd[618]: Invalid user prueba from 106.13.209.109 port 43952
Mar 30 15:16:52 server2 sshd[618]: input_userauth_request: invalid user prueba [preauth]
Mar 30 15:16:52 server2 sshd[618]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 15:16:52 server2 sshd[618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.209.109
Mar 30 15:16:54 server2 sshd[618]: Failed password for invalid user prueba from 106.13.209.109 port 43952 ssh2
Mar 30 15:16:55 server2 sshd[618]: Received disconnect from 106.13.209.109 port 43952:11: Bye Bye [preauth]
Mar 30 15:16:55 server2 sshd[618]: Disconnected from 106.13.209.109 port 43952 [preauth]

ssh brute force attacks from random ips(proxy worldwide) and random users every day(50.000lines+)

i am sure that attackers dont know my ssh port but they try random ports every time.

i think its autorobot but i want to stop and also i m not using this ports like 6080 37676 43952 ...

-- banning is not solution. can i block all ports but www mail ssl ssh (and other must remain open) ports from iptales ?

-- do you have any ideas to help for me with this?


Thank you

can i block all ports but www mail ssl ssh (and other must remain open) ports from iptales ?

Thank you

I was about to ask if you had a firewall and then I read this part. Why have you not done this already? The standard practice for server protection is to block all ports except those you want to be open.
What OS is this?

fail2ban is your answer

can i block all ports but www mail ssl ssh (and other must remain open) ports from iptales ?

Thank you

I was about to ask if you had a firewall and then I read this part. Why have you not done this already? The standard practice for server protection is to block all ports except those you want to be open.
What OS is this?

Distro Name: CentOS Linux release 7.9.2009 (Core)
Kernel Version: 5.16.13-x86_64-linode153
Platform: x86_64 kvm

I dont change anything i dont open all ports (am i?)

# Generated by iptables-save v1.4.21 on Thu Mar 31 01:33:43 2022
*security
:INPUT ACCEPT [288520253:87180682456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288399815:96551497619]
COMMIT
# Completed on Thu Mar 31 01:33:43 2022
# Generated by iptables-save v1.4.21 on Thu Mar 31 01:33:43 2022
*raw
:PREROUTING ACCEPT [288533873:87181450964]
:OUTPUT ACCEPT [288399815:96551497619]
COMMIT
# Completed on Thu Mar 31 01:33:43 2022
# Generated by iptables-save v1.4.21 on Thu Mar 31 01:33:43 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 31 01:33:43 2022
# Generated by iptables-save v1.4.21 on Thu Mar 31 01:33:43 2022
*mangle
:PREROUTING ACCEPT [288533873:87181450964]
:INPUT ACCEPT [288533873:87181450964]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288399815:96551497619]
:POSTROUTING ACCEPT [288399815:96551497619]
COMMIT
# Completed on Thu Mar 31 01:33:43 2022
# Generated by iptables-save v1.4.21 on Thu Mar 31 01:33:43 2022
*filter
:INPUT ACCEPT [69639:22040157]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70263:27924581]
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 25 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 587 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 465 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 110 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 995 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 143 -j DROP
-A INPUT ! -s 127.0.0.0/24 -p tcp -m tcp --dport 993 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 3307 -j DROP
-A INPUT -p tcp -m tcp --dport 2030 -j DROP
-A INPUT -p tcp -m tcp --dport 2031 -j DROP
-A INPUT -p tcp -m tcp --dport 2082 -j DROP
-A INPUT -p tcp -m tcp --dport 2083 -j DROP
-A INPUT -p tcp -m tcp --dport 2086 -j DROP
-A INPUT -p tcp -m tcp --dport 2087 -j DROP
-A INPUT -p tcp -m tcp --dport 2095 -j DROP
-A INPUT -p tcp -m tcp --dport 2096 -j DROP
-A INPUT -p tcp -m tcp --dport 19999 -j DROP
-A INPUT -s 143.244.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 202.88.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 45.232.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 223.177.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 194.67.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 49.234.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 222.185.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 157.245.0.0/16 -m comment --comment bruteforce -j DROP
-A INPUT -s 133.167.0.0/16 -m comment --comment bruteforce -j DROP
COMMIT
# Completed on Thu Mar 31 01:33:43 2022

can you see any problem?

You should be using csf firewall /etc/csf/csf.conf
Using iptables directly can cause you serious issues if you do something wrong.  Plus using CSF, you have LFD:  Look for the below options in csf.conf

RESTRICT_SYSLOG = "3"
LF_SSHD = "5"
LF_SSHD_PERM = "1"

You should be using csf firewall /etc/csf/csf.conf
Using iptables directly can cause you serious issues if you do something wrong.  Plus using CSF, you have LFD:  Look for the below options in csf.conf

RESTRICT_SYSLOG = "3"
LF_SSHD = "5"
LF_SSHD_PERM = "1"

i dont want to use csf or other firewall. this is not main problem. in www i am using cloudflare already but this bot attacks directly to server ip from tcp/ssh. i think its automated brute force attack bot and probably not only targeting my server. scans all the internet.
Thank you.

- As i say they have unlimited proxy, banning is not solution! web users comes from behind cloudflare. i can ban all the world ips but cloudflare but it doesnt make sense.

"i need to close all ports but necessary ones like http ssh mail/pop etc."

Thank you for helping.

update.


sol1

############310322--closing all ports but these
# Set the default policy of the INPUT chain to DROP
# Accept incomming TCP connections from eth0 on port 80 and 443
#www
#-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 8181 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 8443 -j ACCEPT
#ssh
#-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
#mail
#-A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
############310322--closing all ports but these

sol2

iptables -A INPUT -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
iptables -A INPUT -p tcp -m tcp -m multiport -m state --state NEW -j DROP ! --dports 22,80,443,8181,8443,25,587,465,110,995,143,993,11211

tested but not fix...

i think i read my securelogs wrong and scanner/bot not requests to "random" ports...

(i will update topic again)

Using a firewall is required, but so long as the port is open, you are subject to brute force attacks.  Hence why I say using a iptables firewall manager such as CSF/LFD. 

The software does the same thing you are doing manually, except it can monitor the log files and set bans on IP's that are trying to brute force. 

IF you want to exclusively use cloudflare, you could open those ports to ONLY cloudflare's IP Range, and shut it off to everything else. 

CWP supports the software it bundles, not every underlying software that comes with it.  You can try the paid support, but I'm afraid you'll receive the same response.

I'm sorry, but the only two solutions I can give are either use CSF/LFD with automated banning, or close the firewall to everything but cloudflare and select IP's.  Any other solution is out of the scope of this forum.  Thank you for understanding.

Using a firewall is required, but so long as the port is open, you are subject to brute force attacks.  Hence why I say using a iptables firewall manager such as CSF/LFD. 

The software does the same thing you are doing manually, except it can monitor the log files and set bans on IP's that are trying to brute force. 

IF you want to exclusively use cloudflare, you could open those ports to ONLY cloudflare's IP Range, and shut it off to everything else. 

CWP supports the software it bundles, not every underlying software that comes with it.  You can try the paid support, but I'm afraid you'll receive the same response.

I'm sorry, but the only two solutions I can give are either use CSF/LFD with automated banning, or close the firewall to everything but cloudflare and select IP's.  Any other solution is out of the scope of this forum.  Thank you for understanding.

as i say. csf or lfd or ip ip/subnet banning is not solution.  thank you.


solution2:
i close all ports but necessary:
use this commands from ssh console.

iptables -A INPUT -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
iptables -A INPUT -p tcp -m tcp -m multiport -m state --state NEW -j DROP ! --dports 22,80,443,8181,8443,25,587,465,110,995,143,993,11211

Your firewall is working as intended.  Bots/Hackers are going to attempt to access your server 24/7.  We all deal with it.  But if you don't throttle them by temp banning, you are giving them every opportunity to compromise your system with a dictionary attack.

Best option is to use certificate based access through SSH, shut off password access, and just ignore the log unless something happens.

Hi,

and what to do anyway, I have similar attacks too....
I've never had this problem before...


Thanks in advance!

BR
Venty

I HIGHLY recommend NOT running sshd on either ports 22 nor 2222 -- as FritzFrog and others scan those ports. Script kiddies will pound your server all day long on port 22, so in this case, you can have a measure of security by obscurity by running sshd on an alternate port.

Please What is the recommended port number to run the ssh

I fully agree with all the other advice given above.

i change my default server ssh port and i have one ssh user(root)

I would highly recommend NOT using root for SSH, unless you have a specific one-off case where you need it for a migration or rsync or the like. Once you leave a known user name provided for brute force attacks, that's 50% of the information needed for a successful hack. Consider creating a sudo user (with a strong passphrase) specifically for SSH duties and use that exclusively. So in /etc/ssh/sshd_config set:

Code: [Select]

PermitRootLogin noand

Code: [Select]

AllowUsers sudouseror create a group of allowed SSH users and set:

Code: [Select]

AllowGroups sshusersAnd of course, use keys instead of interactive passphrases...