Block CHINA!! Check yer auth.log

0E800

Mar 10 19:21:31 v22017014258144095 sshd[30173]: Failed password for root from 118.212.135.3 port 60201 ssh2
Mar 10 19:21:31 v22017014258144095 sshd[30175]: Failed password for root from 58.218.199.182 port 33242 ssh2
Mar 10 19:21:33 v22017014258144095 sshd[30175]: Failed password for root from 58.218.199.182 port 33242 ssh2
Mar 10 19:21:33 v22017014258144095 sshd[30173]: Failed password for root from 118.212.135.3 port 60201 ssh2
Mar 10 19:21:36 v22017014258144095 sshd[30175]: Failed password for root from 58.218.199.182 port 33242 ssh2

Above has been going on for days.

Reference:
http://anti-hacker-alliance.com/index.php?ip=58.218.199.182
http://bannedhackersips.blogspot.com/2017/01/fail2ban-ssh-banned-1182121353-from.html

Do something about it.

This nifty script by: Tim Kennell Jr. ~ tikenn Source

This file pulls from http://www.stopforumspam.com/downloads/bannedips.zip to
retrieve a list of IPs known to be associated with spam. The program
downloads, unzips, and formats the IP addresses into an NGINX config using
'deny'

The below code was slightly modified to be easier to copy - paste.

#!/bin/bash
DOWNLOAD=/opt/hulk
STORE=/etc/nginx/conf.d/
mkdir "$DOWNLOAD"
[[ -f "$DOWNLOAD/bannedips.zip" ]] && rm "$DOWNLOAD/bannedips.zip"
wget -O "$DOWNLOAD/bannedips.zip" http://www.stopforumspam.com/downloads/bannedips.zip
unzip -o "$DOWNLOAD/bannedips.zip" -d "$DOWNLOAD"
[[ -f "$STORE/bannedips.conf" ]] && rm "$STORE/bannedips.conf"
while read -r -d , ip ; do
echo "deny $ip;" >> "$STORE/bannedips.conf"
done < "$DOWNLOAD/bannedips.csv"
service nginx reload

To use it:
Create a file and paste above code into it and save it. Then give it permissions.

nano hulk.sh

Copy - Paste the script, CTRL-X, Y to save.

sudo chmod +x hulk.sh
./hulk.sh

Above script is great for blocking spammers but I noticed it did not include my attackers from China.
So I edited /etc/nginx/conf.d/bannedips.conf and added:

deny 118.212.135.3;
deny 58.218.199.182;

Nginx Bad Bot Blocker
https://github.com/mariusv/nginx-badbot-blocker/tree/master/VERSION_2

Fail2ban
A great resource for setting up Fail2ban.
https://www.linode.com/docs/security/using-fail2ban-for-security

Other helpful links:
http://www.parkansky.com/china.htm
http://www.wizcrafts.net/iptables-blocklists.html

clarkwinkelmann

0E800 wget -O "$DOWNLOAD/bannedips.zip" http://www.stopforumspam.com/downloads/bannedips.zip

Piping the content of an http-downloaded file in a terminal is a very good idea.

Seriously, only put HTTPS urls in commands like these ? The risk is too great.

I second Kulga, Public key login only is probably the most secure thing. It's even quicker to login because you don't even need to enter a password each time ! (If the key does not require password of course)

luceos

Just install fail2ban and configure it properly.. It will autoban any IP after N number attempts. You can even make it work with Flarum if you have it log failed login attempts (idea sparked) ?

0E800

luceos

Where does Flarum store tha failed login attempts? Is there a flarum log?
Or is there an API log?

luceos

0E800 it does not log it, but that might be worth adding to an upcoming extension idea (revival of guardian).

Kyrne

luceos what's broken with guardian? I'd love to take a look at fixing it up

Kulga

These are all on ssh? It's unfortunately common.

Do not allow root login
Permit public key encryption only.

If you really want to use passwords, only allow your ip address be permitted to use a clear-text password and require public-key otherwise.

# Only allow your ip to use passwords
PubkeyAuthentication yes
PasswordAuthentication no

Match Address YOUR_EXTERNAL_IP_ADDRESS
  PasswordAuthentication yes

A common approach is to allow root login.. but only with key-based authentication. You can do that like so..

PermitRootLogin without-password

0E800

@neoneosa

Yeah they were quick to ban-evade, so I had to change the default max login attempt of 5 to 4.
Then they adapted again. So I changed it to 3.
Now I am just appending the ips to my deny config.

clarkwinkelmann Good catch, thanks for pointing that out. I was kinda confused but then I added 'NOT' infront of 'good idea' and it made perfect sense :{P

neoneosa

Exactly the same bastards are attacking me for like 10 days. They dont notice passwords are disabled any only SSH keys work. Stupid @ssh0les

Kulga

neoneosa They dont notice passwords are disabled any only SSH keys work.

There is actually good reason to continue harassing you. SSH can be configured to allow passwords for specific users or groups. So while admin may not work, adm1n may have a exception allowing password authentication.

Once you have set public key auth and disabled clear text passwords, I would not stress about attempts.
In fact, the most common argument to continue caring is to minimize the number of entries into your log or "noise".

0E800 Yeah they were quick to ban-evade, so I had to change the default max login attempt of 5 to 4.
Then they adapted again. So I changed it to 3.

If you mean something like MaxAuthTries, this is by connection. So the same ip can simply disconnect and try again.

neoneosa

In my case they use different IPs all from china

neoneosa

I could remove log in on one account then they log in and i show them a nologin shell saying something like F... off.