https://blog.iankulin.com/tags/server/Recent content in Server on blog.iankulin.comHugoen-AUMon, 06 Feb 2023 00:00:00 +0000https://blog.iankulin.com/chinese-hackers-want-to-steal-my-hello-world-container/Mon, 06 Feb 2023 00:00:00 +0000https://blog.iankulin.com/chinese-hackers-want-to-steal-my-hello-world-container/<p>A smart thing to do after setting up a server on the internet, is to set up SSH keys and then turn passwords off for SSH. The reason for this is that scanning for open port 22 on IP addresses, then brute forcing password files on them is pretty much hacker 101. So if you have passwords turned on, and especially if you have a weak password you are really inviting someone to take over your server as root and add it to their botnet army for liking Putin&rsquo;s twitter posts or whatever.</p> <p>When I was writing <a href="https://blog.iankulin.com/sudo-incident-reports-where-do-they-go/">the post about looking for the sudo attempt</a> &lsquo;report&rsquo;, you might have noticed some sshd timeouts:</p> <p><img src="https://blog.iankulin.com/images/screen-shot-2023-01-28-at-12.08.21-pm.jpg" alt=""></p> <p>That&rsquo;s what&rsquo;s going on there. SSH has a timeout value of about a minute. I&rsquo;d also guess those kex_exchange_identification messages are suspicious as well. I thought I&rsquo;d google one of the IP addreses:</p> <p><a href="https://blog.iankulin.com/images/screen-shot-2023-01-28-at-12.18.14-pm.png"><img src="https://blog.iankulin.com/images/screen-shot-2023-01-28-at-12.18.14-pm.png" width="895" alt=""></a></p> <p>Oh, so it&rsquo;s China, and multiple people are reporting SSH brute force attacks:</p> <p><img src="https://blog.iankulin.com/images/screen-shot-2023-01-28-at-12.20.35-pm.jpg" alt=""></p>