Wave of Server Breakin Attempts from Hong Kong

Posted Tuesday, Dec 9, 2014 by David Chapman

As part of my business, I manage server computers across the United States – source code repositories, file download hosts, and Web sites. That means I see the underside of the Internet, as unknown attackers try to break in through every channel imaginable.

Recently I have been seeing high-intensity ssh (secure shell) login attempts from a cluster of computers in Hong Kong or southern China, with IP addresses of the form 103.41.124.12, 103.41.124.59, etc. The IP addresses being attacked aren’t closely related in space or number, so the attackers are probing a large part of the Internet. This is not some bored teenager in a bedroom!

There are multiple simultaneous attacks on each computer, leading to 50,000+ password trials per computer per day. On some of my lightweight servers this is a noticeable burden, so I will be modifying my firewalls to limit login attempts. For years I’ve seen only a few hundred attempts per day from disparate IP addresses, so I haven’t bothered to lock down the firewall to that degree.

This particular wave of attacks is attempting to log in only to the “root” account, so none of them can succeed on my machines – I always set “PermitRootLogin no” in the Secure Shell Daemon configuration file /etc/ssh/sshd_config, then create a second account for remote access. You have to know an extra user ID and two passwords to do any damage. No one has ever broken into any of my servers.

Security on the Internet is not “set it and forget it” – constant vigilance and adaptation is a must to protect your valuable data. I check my server log files nearly every day looking for trouble. This week I found it.
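The daily log check described above, as an added example that is not code from the original post: a small Python script that parses sshd “Failed password” lines from a constructed auth.log sample, counts failures per source address and per target account, and flags sources at or above a chosen threshold, noting whether they hit only “root” the way this wave does. The hostname, process IDs, the non-103.41.124.x addresses and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format sshd writes to /var/log/auth.log (not real log data).
# The two 103.41.124.x addresses are the ones named in the post; the rest are documentation ranges.
SAMPLE_LOG = """\
Dec  9 03:14:15 repo1 sshd[2201]: Failed password for root from 103.41.124.12 port 51234 ssh2
Dec  9 03:14:17 repo1 sshd[2201]: Failed password for root from 103.41.124.12 port 51234 ssh2
Dec  9 03:14:19 repo1 sshd[2203]: Failed password for root from 103.41.124.59 port 40211 ssh2
Dec  9 03:14:20 repo1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 33012 ssh2
Dec  9 03:14:22 repo1 sshd[2201]: Failed password for root from 103.41.124.12 port 51236 ssh2
Dec  9 03:15:01 repo1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 50100 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user X from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: Counter({target_user: failures})} from 'Failed password' lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return per_ip


def flag_sources(per_ip, threshold):
    """List (ip, total_failures, root_only) for sources at or above threshold, busiest first.

    root_only is True when every failure from that source targeted the root account,
    the pattern the post describes; such sources are harmless where PermitRootLogin is no,
    but still worth rate-limiting at the firewall for the load they impose.
    """
    flagged = []
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total >= threshold:
            flagged.append((ip, total, set(users) == {"root"}))
    return sorted(flagged, key=lambda entry: -entry[1])


if __name__ == "__main__":
    # Threshold of 2 is only for this short sample; pick one suited to a day's real log.
    for ip, total, root_only in flag_sources(count_failures(SAMPLE_LOG), threshold=2):
        print(f"{ip}: {total} failures, root only: {root_only}")
```

On a real host, read /var/log/auth.log (or `journalctl -u ssh` output) into `count_failures` instead of the sample string.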
