

Chinese hacking attempt/Secure your Servers - shamsulbuddy

I have just reinstalled Debian 7 on my VPS. Logged in for the first time with "root" on port 22. Then I didn't lock anything down, and within an hour I could see the root password-breaking attempt below in the /var/log/auth.log file. WHOIS shows it's a Chinese IP.
God knows when these people will get rid of script kiddies.
Now I have locked down my VPS... does anybody else have a similar story, and what were the best steps you took to secure your servers?

Jan 24 02:28:30 Sputnik sshd[1566]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.189.239.126  user=root
Jan 24 02:28:32 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:35 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:37 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:39 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:41 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:43 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:43 Sputnik sshd[1566]: Disconnecting: Too many authentication failures for root [preauth]
Jan 24 02:28:43 Sputnik sshd[1566]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.189.239.126  user=root
Jan 24 02:28:43 Sputnik sshd[1566]: PAM service(sshd) ignoring max retries; 6 > 3
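The log excerpt above is exactly the pattern a tool like Fail2ban keys on: repeated "Failed password" lines from one source inside a short window. The following is an added example, not code from the thread, showing the detection logic run over the posted lines. The sample log is a copy of the post's own excerpt (the year is assumed, since syslog timestamps carry none), and the `maxretry`/`findtime` names mirror Fail2ban's settings only as an approximation of its behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the sshd lines from the post above (year assumed; auth.log has none).
SAMPLE_AUTH_LOG = """\
Jan 24 02:28:30 Sputnik sshd[1566]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.189.239.126  user=root
Jan 24 02:28:32 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:35 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:37 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:39 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:41 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:43 Sputnik sshd[1566]: Failed password for root from 222.189.239.126 port 1616 ssh2
Jan 24 02:28:43 Sputnik sshd[1566]: Disconnecting: Too many authentication failures for root [preauth]
Jan 24 02:28:43 Sputnik sshd[1566]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.189.239.126  user=root
Jan 24 02:28:43 Sputnik sshd[1566]: PAM service(sshd) ignoring max retries; 6 > 3
"""

# One sshd "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2013):
    """Return a list of (timestamp, source_ip, username) for each failed password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # pam_unix, Disconnecting, PAM summary lines are not counted twice
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, maxretry=3, findtime=600):
    """Return {ip: peak_failures} for sources with at least `maxretry` failures
    inside any `findtime`-second window (a sliding-window approximation of
    Fail2ban's maxretry/findtime; names borrowed, behaviour simplified)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most findtime seconds.
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    for ip, count in brute_force_sources(failures).items():
        print(f"{ip}: {count} failed logins within the window, candidate for banning")
```

Fail2ban itself would add a firewall rule for the flagged source; here the function only reports it, which is also how you would verify a jail's regex and thresholds against a captured log before enabling it.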
======
jlgaddis
Hackers will attempt brute force attacks on unprotected SSH servers. News at
11.

~~~
yaeger
What exactly does "unprotected" mean in this context? I mean ssh means secure
shell, so shouldn't the ssh be secure from the start? Or, a better question,
what would you need to do to secure your server and why aren't these steps
"on" by default?

I mean, even any new WiFi router you set up comes with WPA enabled by default.
Wasn't always this way. I still remember setting up routers where the password
protection was an afterthought.

But ssh isn't really _that_ new is it? Should these security measures be
default at least by now?

~~~
shamsulbuddy
A few basic things which can be done: install Fail2ban, change the
default SSH port to something else, and set PermitRootLogin to no in the
sshd_config file.
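Two of the three steps in the reply above are sshd_config directives, and the usual way to confirm they took effect is to check the file the way sshd itself reads it (first occurrence of a keyword wins, `#` lines are comments, settings under a `Match` block are conditional). The following added example, not code from the thread, audits a config text for those two directives. The sample configs are constructed; the assumption that an absent `PermitRootLogin` line means `yes` holds for OpenSSH releases before 7.0, which includes the 6.0 shipped with Debian 7.

```python
import re

# Constructed sample: a fresh install still on the defaults the original post describes.
DEFAULT_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same file after applying the reply's two sshd_config changes.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} following sshd's own rules: comments and blank
    lines are skipped, the first occurrence of a keyword wins, and parsing stops at
    the first Match block because everything below it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or an optional '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, effective_value, recommendation) findings for
    the two directives the reply above mentions; an empty list means both are set."""
    cfg = parse_sshd_config(text)
    findings = []

    # Assumption: absent directive falls back to the pre-7.0 compiled-in default "yes".
    root_login = cfg.get("permitrootlogin", "yes").lower()
    if root_login == "yes":
        findings.append((
            "PermitRootLogin", root_login,
            "set 'PermitRootLogin no' so password guessing against root cannot succeed",
        ))

    port = cfg.get("port", "22")
    if port == "22":
        findings.append((
            "Port", port,
            "move sshd off port 22 to cut the volume of opportunistic scans in auth.log",
        ))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(text)
        print(f"{name}: {'OK' if not result else ''}")
        for directive, value, advice in result:
            print(f"  {directive}={value}: {advice}")
```

Changing the port only reduces noise from scanners that try 22 alone; `PermitRootLogin no` and Fail2ban are what actually stop the attempt shown in the original post from ever succeeding.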

