mas.satriyo
Hosting Guru
A few days ago a friend's VPS was found to have been broken into. Somehow someone managed to get in; what is certain is that the VPS had been thoroughly messed with, and it was only noticed when he received a warning that his bandwidth was used up, even though it was just a VPS for a few static websites.
This afternoon I idly checked auth.log (/var/log/auth.log)
and it turns out there are many notices like this:
and many more; I count roughly 5 to 30 notices every minute.
After I looked them up at tcpiputils.com,
it turns out most of them come from China and South Korea.
So far, for access protection I have been relying on fail2ban, ufw and iptables, in addition to disabling root login and changing the SSH login port.
What I want to ask is:
how dangerous is this attack?
how do I guard against it?
This VPS of mine is only used for personal web, just WordPress- and Ghost-based websites.
For DNS I usually use Cloudflare.
Thanks for your answers.
Code:
Jun 27 15:44:46 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 15:44:46 sg sshd[29117]: Failed password for root from 111.74.238.151 port 3032 ssh2
Jun 27 15:44:48 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 15:44:49 sg sshd[29117]: Failed password for root from 111.74.238.151 port 3032 ssh2
Jun 27 15:44:50 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 15:44:53 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Code:
Jun 27 00:00:01 sg CRON[14936]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 27 00:00:02 sg sshd[14934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:03 sg CRON[14936]: pam_unix(cron:session): session closed for user root
Jun 27 00:00:04 sg sshd[14934]: Failed password for root from 202.109.143.20 port 1139 ssh2
Jun 27 00:00:16 sshd[14934]: last message repeated 5 times
Jun 27 00:00:16 sg sshd[14934]: Disconnecting: Too many authentication failures for root [preauth]
Jun 27 00:00:16 sg sshd[14934]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:16 sg sshd[14934]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 27 00:00:24 sg sshd[14973]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:26 sg sshd[14973]: Failed password for root from 202.109.143.20 port 1688 ssh2
Jun 27 00:00:37 sshd[14973]: last message repeated 5 times
Jun 27 00:00:37 sg sshd[14973]: Disconnecting: Too many authentication failures for root [preauth]
Jun 27 00:00:37 sg sshd[14973]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:37 sg sshd[14973]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 27 00:00:41 sg sshd[14975]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:43 sg sshd[14975]: Failed password for root from 202.109.143.20 port 3685 ssh2
Jun 27 00:00:49 sshd[14975]: last message repeated 2 times
Jun 27 00:00:49 sg sshd[14977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.21.224.211 user=root
Jun 27 00:00:49 sg sshd[14975]: Failed password for root from 202.109.143.20 port 3685 ssh2
Jun 27 00:00:50 sg sshd[14977]: Failed password for root from 117.21.224.211 port 1880 ssh2
Jun 27 00:00:51 sg sshd[14975]: Failed password for root from 202.109.143.20 port 3685 ssh2
Jun 27 00:00:52 sg sshd[14977]: Failed password for root from 117.21.224.211 port 1880 ssh2
Jun 27 00:00:53 sg sshd[14975]: Failed password for root from 202.109.143.20 port 3685 ssh2
Jun 27 00:00:53 sg sshd[14975]: Disconnecting: Too many authentication failures for root [preauth]
Jun 27 00:00:53 sg sshd[14975]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.20 user=root
Jun 27 00:00:53 sg sshd[14975]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 27 00:00:54 sg sshd[14977]: Failed password for root from 117.21.224.211 port 1880 ssh2
Jun 27 00:00:59 sshd[14977]: last message repeated 2 times
Jun 27 00:00:59 sg sshd[14977]: Disconnecting: Too many authentication failures for root [preauth]
Jun 27 00:00:59 sg sshd[14977]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.21.224.211 user=root
Lookup: tcpiputils.com
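To judge how serious a burst like the one above is, the first thing to check is whether any of the hammering sources ever produced an "Accepted" login. The Python script below is an added example, not part of the original post: it counts failures per source IP from lines in the same format as the post's auth.log excerpt (folding in syslog's "last message repeated N times"), flags sources at or over a fail2ban-style maxretry, and separately flags sources that failed repeatedly and then got in; the final "Accepted password" line is constructed for illustration and is not in the post.

```python
import re
from collections import Counter

# Sample lines copied from the auth.log excerpt in the post, plus ONE constructed
# line (the last one, "Accepted password") that is NOT in the post: it shows what
# a brute-force source that eventually got in would look like.
SAMPLE_LOG = """\
Jun 27 15:44:46 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 15:44:46 sg sshd[29117]: Failed password for root from 111.74.238.151 port 3032 ssh2
Jun 27 15:44:48 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 15:44:49 sg sshd[29117]: Failed password for root from 111.74.238.151 port 3032 ssh2
Jun 27 15:44:50 sg sshd[29119]: Failed password for root from 117.21.225.116 port 2003 ssh2
Jun 27 00:00:04 sg sshd[14934]: Failed password for root from 202.109.143.20 port 1139 ssh2
Jun 27 00:00:16 sshd[14934]: last message repeated 5 times
Jun 27 00:01:10 sg sshd[15001]: Accepted password for root from 202.109.143.20 port 2200 ssh2
"""

FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
REPEATED = re.compile(r"sshd\[(\d+)\]: last message repeated (\d+) times")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize(log_text):
    """Count failed logins per source IP and collect successful logins.

    "last message repeated N times" is credited to the IP of the previous
    failure from the same sshd pid (assumption: one sshd pid per connection).
    """
    failures = Counter()
    last_ip_for_pid = {}
    successes = []  # (ip, user, auth method)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            pid, _user, ip = m.groups()
            failures[ip] += 1
            last_ip_for_pid[pid] = ip
        elif (m := REPEATED.search(line)) and m.group(1) in last_ip_for_pid:
            failures[last_ip_for_pid[m.group(1)]] += int(m.group(2))
        elif m := ACCEPTED.search(line):
            _pid, method, user, ip = m.groups()
            successes.append((ip, user, method))
    return failures, successes


def triage(log_text, maxretry=5):
    """Return (IPs at/over the fail2ban-style maxretry, IPs that failed and then got in)."""
    failures, successes = summarize(log_text)
    to_ban = {ip for ip, n in failures.items() if n >= maxretry}
    got_in = {ip for ip, _user, _method in successes if failures[ip] > 0}
    return to_ban, got_in
```

An IP in the second set is the one to treat as a compromise rather than a nuisance; the first set is what fail2ban's sshd jail bans automatically, so an empty second set on the real log is the reassuring result.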