Is someone trying to hack my VPS?

cactuscarl

This comes from the /var/log/secure file and there's a LOT of it:

Feb 21 16:43:00 vps sshd[28022]: Did not receive identification string from 69.42.213.18
Feb 21 17:33:04 vps sshd[10065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:06 vps sshd[10065]: Failed password for root from 69.42.213.18 port 41824 ssh2
Feb 22 01:33:06 vps sshd[10066]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:07 vps sshd[10072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:09 vps sshd[10072]: Failed password for root from 69.42.213.18 port 41937 ssh2
Feb 22 01:33:09 vps sshd[10073]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:09 vps sshd[10075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:11 vps sshd[10075]: Failed password for root from 69.42.213.18 port 42034 ssh2
Feb 22 01:33:11 vps sshd[10076]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:11 vps sshd[10077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:13 vps sshd[10077]: Failed password for root from 69.42.213.18 port 42122 ssh2
Feb 22 01:33:13 vps sshd[10078]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:14 vps sshd[10079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:16 vps sshd[10079]: Failed password for root from 69.42.213.18 port 42230 ssh2
Feb 22 01:33:16 vps sshd[10080]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:17 vps sshd[10082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:19 vps sshd[10082]: Failed password for root from 69.42.213.18 port 42349 ssh2
Feb 22 01:33:19 vps sshd[10083]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:20 vps sshd[10088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:21 vps sshd[10088]: Failed password for root from 69.42.213.18 port 42471 ssh2
Feb 22 01:33:21 vps sshd[10089]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:22 vps sshd[10090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:24 vps sshd[10090]: Failed password for root from 69.42.213.18 port 42565 ssh2
Feb 22 01:33:24 vps sshd[10091]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:25 vps sshd[10092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:27 vps sshd[10092]: Failed password for root from 69.42.213.18 port 42679 ssh2
Feb 22 01:33:27 vps sshd[10093]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:27 vps sshd[10094]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:29 vps sshd[10094]: Failed password for root from 69.42.213.18 port 48248 ssh2
Feb 22 01:33:29 vps sshd[10095]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:30 vps sshd[10103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:32 vps sshd[10103]: Failed password for root from 69.42.213.18 port 48344 ssh2
Feb 22 01:33:32 vps sshd[10104]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:32 vps sshd[10105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:34 vps sshd[10105]: Failed password for root from 69.42.213.18 port 48439 ssh2
Feb 22 01:33:34 vps sshd[10106]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:34 vps sshd[10107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:36 vps sshd[10107]: Failed password for root from 69.42.213.18 port 48537 ssh2
Feb 22 01:33:36 vps sshd[10108]: Received disconnect from 69.42.213.18: 11: Bye Bye
Feb 21 17:33:36 vps sshd[10109]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
Feb 21 17:33:39 vps sshd[10109]: Failed password for root from 69.42.213.18 port 48638 ssh2
Feb 22 01:33:39 vps sshd[10110]: Received disconnect from 69.42.213.18: 11: Bye Bye


It looks as though someone or something is trying all kinds of ports to log into my server or something. I'm also getting all kinds of errors related to "cannot allocate memory", and now my WordPress blogs are failing with similar errors and now just a simple "Internal Server Error".

Can anyone lend a brother a hand? :eek:
 

Spiral

Yes, looks like someone is trying to brute force your SSH ...

This is very common and I would not be too alarmed by that alone, but I would read through your logs just to make sure that none of those attempts were successful.

If you don't already have a long, random and sufficiently strong password or cert set up, then I would certainly go ahead and do that.

Moving your SSH port (see /etc/ssh/sshd_config) to a new port can help curb such attacks, but you will probably want to supplement that by disabling direct root logins as well.

I would also limit your SSH to "Protocol 2" only and fixed to a specific IP.

After you move SSH to another port, you can either block access to the original port in your firewall or do what I do sometimes and set up portsentry to operate as a "hacker trap" on the original port.

Hope that helps you out. If you don't understand any part of what I just said or need more help, feel free to hunt me down.
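
Added example (not part of either post): one way to do the log check suggested above, counting failed sshd password attempts per source address and flagging any accepted login from an address that had already failed repeatedly. The sample log is constructed; its first lines mirror the thread's log, while the "Accepted" lines, the user carl and the addresses 203.0.113.7 and 198.51.100.20 are invented for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format. The 69.42.213.18 lines mirror
# the thread; the "Accepted" lines and the other two addresses are invented.
SAMPLE = """\
Feb 21 16:43:00 vps sshd[28022]: Did not receive identification string from 69.42.213.18
Feb 21 17:33:06 vps sshd[10065]: Failed password for root from 69.42.213.18 port 41824 ssh2
Feb 21 17:33:09 vps sshd[10072]: Failed password for root from 69.42.213.18 port 41937 ssh2
Feb 21 17:33:11 vps sshd[10075]: Failed password for root from 69.42.213.18 port 42034 ssh2
Feb 21 17:40:02 vps sshd[10200]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Feb 21 17:40:05 vps sshd[10201]: Failed password for root from 203.0.113.7 port 50130 ssh2
Feb 21 17:40:09 vps sshd[10202]: Accepted password for root from 203.0.113.7 port 50141 ssh2
Feb 21 18:02:44 vps sshd[10310]: Accepted publickey for carl from 198.51.100.20 port 60022 ssh2
"""

# Matches only the sshd lines that record an authentication result.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, threshold=2):
    """Return (failures_per_ip, suspicious_logins).

    A login is suspicious when it was accepted from an address that had
    already produced at least `threshold` failed attempts earlier in the log.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # PAM lines, disconnects, banner probes, etc.
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures.get(ip, 0) >= threshold:
            suspicious.append((m["ts"], m["user"], ip, m["method"]))
    return dict(failures), suspicious

if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} failed attempts from {ip}")
    for ts, user, ip, method in hits:
        print(f"CHECK: {ts} {user} logged in via {method} from {ip} after failures")
```

To run it against a real log, pass the contents of /var/log/secure to triage() instead of SAMPLE; an empty second result means no accepted login followed a run of failures from the same address.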