Web Hosting Talk

Should I worry?


Isaac.Eiland-Hall
09-02-2004, 09:14 PM
I'm a novice dedicated server owner....

Today, I find this waiting for me:

-----------------------------------------------------------------------------------

The following are event logs for exceeded login failures from 146.141.27.43 (all time stamps are GMT -0500):
----
- Executed actions:
/etc/apf/apf -d 146.141.27.43

- Log events from /var/log/secure:
Sep 2 10:52:22 rincewind sshd[16477]: Illegal user test from 146.141.27.43
Sep 2 10:52:23 rincewind sshd[16473]: Illegal user test from 146.141.27.43
Sep 2 10:52:25 rincewind sshd[16476]: Illegal user test from 146.141.27.43
Sep 2 10:52:26 rincewind sshd[16473]: Failed password for illegal user test from 146.141.27.43 port 38184 ssh2
Sep 2 10:52:26 rincewind sshd[16477]: Failed password for illegal user test from 146.141.27.43 port 38202 ssh2
Sep 2 10:52:27 rincewind sshd[16475]: Illegal user test from 146.141.27.43
Sep 2 10:52:28 rincewind sshd[16476]: Failed password for illegal user test from 146.141.27.43 port 38199 ssh2
Sep 2 10:52:29 rincewind sshd[16475]: Failed password for illegal user test from 146.141.27.43 port 38198 ssh2
Sep 2 10:52:30 rincewind sshd[16483]: Illegal user guest from 146.141.27.43
Sep 2 10:52:30 rincewind sshd[16482]: Illegal user guest from 146.141.27.43
Sep 2 10:52:32 rincewind sshd[16486]: Illegal user guest from 146.141.27.43
Sep 2 10:52:32 rincewind sshd[16483]: Failed password for illegal user guest from 146.141.27.43 port 38306 ssh2
Sep 2 10:52:32 rincewind sshd[16482]: Failed password for illegal user guest from 146.141.27.43 port 38305 ssh2
Sep 2 10:52:34 rincewind sshd[16486]: Failed password for illegal user guest from 146.141.27.43 port 38324 ssh2
Sep 2 10:52:36 rincewind sshd[16491]: Illegal user admin from 146.141.27.43
Sep 2 10:52:38 rincewind sshd[16490]: Illegal user admin from 146.141.27.43
Sep 2 10:52:39 rincewind sshd[16491]: Failed password for illegal user admin from 146.141.27.43 port 38408 ssh2
Sep 2 10:52:40 rincewind sshd[16490]: Failed password for illegal user admin from 146.141.27.43 port 38407 ssh2
Sep 2 10:52:41 rincewind sshd[16495]: Illegal user admin from 146.141.27.43
Sep 2 10:52:43 rincewind sshd[16495]: Failed password for illegal user admin from 146.141.27.43 port 38423 ssh2
Sep 2 10:52:45 rincewind sshd[16498]: Illegal user admin from 146.141.27.43
Sep 2 10:52:45 rincewind sshd[16499]: Illegal user admin from 146.141.27.43
Sep 2 10:52:47 rincewind sshd[16503]: Illegal user admin from 146.141.27.43
Sep 2 10:52:48 rincewind sshd[16498]: Failed password for illegal user admin from 146.141.27.43 port 38512 ssh2
Sep 2 10:52:48 rincewind sshd[16499]: Failed password for illegal user admin from 146.141.27.43 port 38515 ssh2
Sep 2 10:52:50 rincewind sshd[16503]: Failed password for illegal user admin from 146.141.27.43 port 38560 ssh2
Sep 2 10:52:52 rincewind sshd[16505]: Illegal user user from 146.141.27.43
Sep 2 10:52:52 rincewind sshd[16506]: Illegal user user from 146.141.27.43
Sep 2 10:52:54 rincewind sshd[16505]: Failed password for illegal user user from 146.141.27.43 port 38632 ssh2
Sep 2 10:52:54 rincewind sshd[16506]: Failed password for illegal user user from 146.141.27.43 port 38634 ssh2
Sep 2 10:52:55 rincewind sshd[16509]: Illegal user user from 146.141.27.43
Sep 2 10:52:57 rincewind sshd[16509]: Failed password for illegal user user from 146.141.27.43 port 38664 ssh2
Sep 2 10:53:00 rincewind sshd[16511]: Failed password for root from 146.141.27.43 port 38735 ssh2
Sep 2 10:53:03 rincewind sshd[16513]: Failed password for root from 146.141.27.43 port 38760 ssh2
Sep 2 10:53:03 rincewind sshd[16515]: Failed password for root from 146.141.27.43 port 38780 ssh2
Sep 2 10:53:10 rincewind sshd[16517]: Failed password for root from 146.141.27.43 port 38873 ssh2
Sep 2 10:53:11 rincewind sshd[16524]: Failed password for root from 146.141.27.43 port 38850 ssh2
Sep 2 10:53:12 rincewind sshd[16529]: Failed password for root from 146.141.27.43 port 38862 ssh2
Sep 2 10:53:16 rincewind sshd[16531]: Failed password for root from 146.141.27.43 port 38973 ssh2
Sep 2 10:53:18 rincewind sshd[16537]: Failed password for root from 146.141.27.43 port 39010 ssh2
Sep 2 10:53:19 rincewind sshd[16533]: Failed password for root from 146.141.27.43 port 38992 ssh2
Sep 2 10:53:20 rincewind sshd[16539]: Illegal user test from 146.141.27.43
Sep 2 10:53:22 rincewind sshd[16539]: Failed password for illegal user test from 146.141.27.43 port 39074 ssh2
Sep 2 10:53:24 rincewind sshd[16544]: Illegal user test from 146.141.27.43
Sep 2 10:53:25 rincewind sshd[16542]: Illegal user test from 146.141.27.43
Sep 2 10:53:26 rincewind sshd[16544]: Failed password for illegal user test from 146.141.27.43 port 39154 ssh2
Sep 2 10:53:26 rincewind sshd[16546]: Illegal user test from 146.141.27.43
Sep 2 10:53:28 rincewind sshd[16542]: Failed password for illegal user test from 146.141.27.43 port 39135 ssh2
Sep 2 10:53:29 rincewind sshd[16546]: Failed password for illegal user test from 146.141.27.43 port 39207 ssh2
Sep 2 10:53:31 rincewind sshd[16549]: Illegal user test from 146.141.27.43
Sep 2 10:53:33 rincewind sshd[16549]: Failed password for illegal user test from 146.141.27.43 port 39268 ssh2
Sep 2 10:53:36 rincewind sshd[16551]: Illegal user test from 146.141.27.43
Sep 2 10:53:37 rincewind sshd[16555]: Illegal user test from 146.141.27.43
Sep 2 10:53:38 rincewind sshd[16553]: Illegal user test from 146.141.27.43
Sep 2 10:53:38 rincewind sshd[16551]: Failed password for illegal user test from 146.141.27.43 port 39291 ssh2
Sep 2 10:53:40 rincewind sshd[16555]: Failed password for illegal user test from 146.141.27.43 port 39403 ssh2
Sep 2 10:53:41 rincewind sshd[16553]: Failed password for illegal user test from 146.141.27.43 port 39330 ssh2
Sep 2 10:53:45 rincewind sshd[16559]: Illegal user test from 146.141.27.43
Sep 2 10:53:47 rincewind sshd[16559]: Failed password for illegal user test from 146.141.27.43 port 39548 ssh2
Sep 2 10:53:54 rincewind sshd[16561]: Failed password for root from 146.141.27.43 port 39684 ssh2
Sep 2 10:54:00 rincewind sshd[16563]: Failed password for root from 146.141.27.43 port 39795 ssh2
Sep 2 10:54:06 rincewind sshd[16565]: Failed password for root from 146.141.27.43 port 39913 ssh2
Sep 2 10:54:12 rincewind sshd[16568]: Failed password for root from 146.141.27.43 port 40032 ssh2
Sep 2 10:54:19 rincewind sshd[16577]: Failed password for root from 146.141.27.43 port 40134 ssh2
Sep 2 10:54:29 rincewind sshd[16579]: Failed password for root from 146.141.27.43 port 40244 ssh2
----------------------------------------------------------------------------

1. Would you guys (and gals) be worried about something like this? Or is it like a novice computer user getting a "virus found! and cleaned" notice -- that is, the system worked, no worries, this happens?

2. If you'd worry, is there anything you'd recommend I do?

I'm definitely open to advice -- I have followed several server-securing tips and tricks I've found here... But I don't know what's important yet... For instance, I do have APF running... Few other things... I installed Mailscanner (not exactly security related), found that I'd have to tweak Exim too much, and decided to uninstall at the moment...

I'm a novice, but I do want my server to be up as much as possible, as I'm hosting friends and a very few semi-pro websites (organizations, rather than businesses...)

Again, thank you in advance for any advice you may have!

-i

mattwade
09-02-2004, 10:34 PM
Those are standard attempts by script kiddies. They just use a premade script and try to hack every box on the internet. Nothing to really worry about.

In order to thwart those attempts, just keep a good solid password (a mixture of upper and lowercase letters with numbers mixed in) and stay up to date on your security patches, and you will be OK.

Isaac.Eiland-Hall
09-02-2004, 10:44 PM
Coool...

I was thinking that it was probably as simple as that...

I notice they're attacking root... It occurs to me that even though I'm using what I know is a strong password (relatively long length, non-dictionary, mixed alphanumeric), since I have another login with most relevant privs, probably a good idea to increase the robustness of that password beyond my normal level. :-)

Wish I could rename "root" to another username and have the entire change take place globally... I've always thought that, at least from a security standpoint, that would be one of the easiest ways to increase security many orders of magnitude...

user: root
pass: [robust]

Pretty secure, but better:

user: [robust]
pass: [robust]

heh.

Isaac.Eiland-Hall
09-02-2004, 10:46 PM
By the way, I forgot to say the most important thing I started off intending to say: Thank you.

You know, when you're just starting out, if you realize what's out there, you're very paranoid. I'm worried I'll crash my box, which I really don't want to do... But worse, I'm worried I'll get rooted, or otherwise hacked. That's even *worse*...

So it's really nice to have this community here. Over time, I'll learn, and as I learn, I'll give back and help the newbies along, and maybe one day, do my own tutorials and whatnot. :-)

eth00
09-02-2004, 11:31 PM
If you run APF you might also look at BFD to automatically block those attempts.
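
The notice in the first post is the output of exactly this kind of automation: something counted "Failed password" lines per source address in /var/log/secure and ran `/etc/apf/apf -d` once a limit was hit. The script below is an added example (not code from the thread, not BFD itself) that reproduces that logic over sample log lines so you can see what the counter actually keys on. The sample is constructed: eight lines copied from the excerpt above plus two made-up lines from a second address (198.51.100.7), and the threshold is a parameter rather than BFD's default. It also handles the newer OpenSSH wording "invalid user", which replaced "illegal user" in later releases.

```shell
#!/bin/sh
# Added example, not from the thread: per-source-IP failed-login counting
# of the kind BFD does in front of APF, run over constructed sample lines.

# Write the constructed sample log (same format as the excerpt) to path $1.
write_sample_log() {
  cat > "$1" <<'EOF'
Sep  2 10:52:22 rincewind sshd[16477]: Illegal user test from 146.141.27.43
Sep  2 10:52:26 rincewind sshd[16473]: Failed password for illegal user test from 146.141.27.43 port 38184 ssh2
Sep  2 10:52:26 rincewind sshd[16477]: Failed password for illegal user test from 146.141.27.43 port 38202 ssh2
Sep  2 10:52:32 rincewind sshd[16483]: Failed password for illegal user guest from 146.141.27.43 port 38306 ssh2
Sep  2 10:52:39 rincewind sshd[16491]: Failed password for illegal user admin from 146.141.27.43 port 38408 ssh2
Sep  2 10:52:54 rincewind sshd[16505]: Failed password for illegal user user from 146.141.27.43 port 38632 ssh2
Sep  2 10:53:00 rincewind sshd[16511]: Failed password for root from 146.141.27.43 port 38735 ssh2
Sep  2 10:53:03 rincewind sshd[16513]: Failed password for root from 146.141.27.43 port 38760 ssh2
Sep  2 11:10:41 rincewind sshd[16601]: Failed password for isaac from 198.51.100.7 port 51022 ssh2
Sep  2 11:10:49 rincewind sshd[16601]: Accepted password for isaac from 198.51.100.7 port 51022 ssh2
EOF
}

# Print one "SOURCE_IP USERNAME" pair per "Failed password" line in log $1.
# "Illegal user" lines are only announcements and are not counted; the
# failure itself is logged separately, which is what the counter keys on.
failed_logins() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "for") break
      # Old OpenSSH: "for illegal user NAME from IP"; newer: "for invalid
      # user NAME from IP"; an existing account: "for NAME from IP".
      if ($(i+1) == "illegal" || $(i+1) == "invalid") { user = $(i+3); ip = $(i+5) }
      else                                             { user = $(i+1); ip = $(i+3) }
      print ip, user
    }' "$1"
}

# Failures per source address, busiest first, as "COUNT IP".
failures_per_ip() {
  failed_logins "$1" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Distinct usernames tried from address $2, sorted, on one line.
usernames_tried() {
  failed_logins "$1" | awk -v ip="$2" '$1 == ip { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Emit (do not run) the same deny command APF executed in the thread for
# every address with at least $2 failures. Piping this into sh is the
# operator's decision; BFD does the equivalent on a timer.
block_commands() {
  failures_per_ip "$1" | awk -v t="$2" '$1 >= t { print "/etc/apf/apf -d " $2 }'
}

# Demo run on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "failures per source address:"
failures_per_ip "$log"
echo "usernames tried from 146.141.27.43: $(usernames_tried "$log" 146.141.27.43)"
echo "deny commands at threshold 5:"
block_commands "$log" 5
rm -f "$log"
```

The username list is the part worth looking at: test, guest, admin, user and root is the fixed wordlist of a mass scanner, not someone who knows your account names, which is why the thread's "strong password plus patches" answer is the right level of response. A real deployment would also need to skip addresses you log in from yourself; one failed typo from your own desk should not get your IP into the deny list.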

white_2kgt
09-02-2004, 11:44 PM
You should modify sshd to disallow root logins.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current

Look at the section about 'PermitRootLogin'

This has been going around, it started on my server about 2 weeks ago.

-c

eth00
09-02-2004, 11:51 PM
Make sure to first add a user to the wheel so you can login after you disable root logins.

robgct
09-03-2004, 12:14 AM
Originally posted by eth00
Make sure to first add a user to the wheel so you can login after you disable root logins.

Yeah, edit /etc/group and

wheel:*:0:root,yourusername

Isaac.Eiland-Hall
09-03-2004, 06:23 AM
Originally posted by xcage
Yeah, edit /etc/group and

wheel:*:0:root,yourusername

Ahhh, and if I read correctly from other threads.... I remember the advice to add another user to the wheel just in case something wonky happened to your root login anyway...

It was mentioned that it was also mandatory to add the user to the wheel in WHM, so I'll post that here for others that read the thread. :-)

waxdoll
09-03-2004, 08:20 AM
You can blacklist those IPs by setting up rules. You have to keep monitoring the logs frequently to check that the server is up and healthy.

jimwells
09-03-2004, 09:06 AM
If you're concerned about the attacks (even though patching and strong passwords should be enough), is there a small number of hosts/IPs that you need SSH access from? You could simply block access on SSH to all but those IPs and get some peace of mind that way...

dynamicnet
09-03-2004, 09:18 AM
Greetings:

I second / third the block SSH by IP or IP range.

You should also employ as many security layers as you can manage throughout the day; and, never rely on just one layer of protection.

Thank you.

Isaac.Eiland-Hall
09-03-2004, 11:13 PM
Hmm....

Here's an odd question...

My dad runs a server on a Windows 2k Advanced Server box -- does anyone know an easy way to set something up over there on maybe a weird port, and telnet through him to my server?

Reason I ask is that he has a static IP, which means I could block everything off except for his IP...

Although whatever I ran, if it was common, it'd just shift the problem to him, but... <shrug>

---------------------

Putting dashes, because another idea occurs to me...

I've added another user to the wheel (which is a concept I don't totally comprehend yet, but I've still got a bit of reading to do...). Does that allow me "root access" to the server?

What I'm thinkin', if it does, would be to give root the longest password I can... or maybe disable SSH access for root or something...

Any pitfalls to avoid on something like that, or is it the wrong direction entirely? :-)

Isaac.Eiland-Hall
09-03-2004, 11:27 PM
Oh, re: patching and securing... Well, anything I find to help is cool -- I'm not sure what a newbie like me will miss when securing things :-)

robgct
09-03-2004, 11:35 PM
Originally posted by Isaac.Eiland-Hall
Hmm....

Here's an odd question...

My dad runs a server on a Windows 2k Advanced Server box -- does anyone know an easy way to set something up over there on maybe a weird port, and telnet through him to my server?

Reason I ask is that he has a static IP, which means I could block everything off except for his IP...

Although whatever I ran, if it was common, it'd just shift the problem to him, but... <shrug>

---------------------

Putting dashes, because another idea occurs to me...

I've added another user to the wheel (which is a concept I don't totally comprehend yet, but I've still got a bit of reading to do...). Does that allow me "root access" to the server?

What I'm thinkin', if it does, would be to give root the longest password I can... or maybe disable SSH access for root or something...

Any pitfalls to avoid on something like that, or is it the wrong direction entirely? :-)

When you add a user to the wheel, e.g. mine is:

wheel:*:0:root,rob

it means rob can su - to root. If you have another username, like "rob2", and try to su - to root, it won't let you; you have to add it to the wheel.

Usually I do this (allow my user account to su) and edit /etc/ssh/sshd_config to disable root login:

PermitRootLogin no

So the only way to get to root would be to log in to the server under the user account you put in the wheel, and su -.

Sorry if it's confusing, I'm still new to FreeBSD, but that's how I do it.

jimwells
09-04-2004, 05:40 AM
Originally posted by Isaac.Eiland-Hall
Hmm....

Here's an odd question...

My dad runs a server on a Windows 2k Advanced Server box -- does anyone know an easy way to set something up over there on maybe a weird port, and telnet through him to my server?

Reason I ask is that he has a static IP, which means I could block everything off except for his IP...

Although whatever I ran, if it was common, it'd just shift the problem to him, but... <shrug>

You could always use RDP to connect to a session on his server, then SSH over to your box. Is a VPN connection an option to either server's network?

Isaac.Eiland-Hall
09-04-2004, 12:23 PM
re: RDP and VPN -- I'll have to check, but it gives me a great direction to start in. :-)

Thanks!