Debian frozen, possible hacker attack?

rcanna72
Posts: 1
Joined: 2019-11-29 09:11

Debian frozen, possible hacker attack?

#1 Post by rcanna72 »

It's the second time that my Debian server has frozen and required a reboot.

After reboot I find this in auth.log:
Nov 29 07:40:48 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2
Nov 29 07:40:51 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2
Nov 29 07:40:53 myserver sshd[24440]: Received disconnect from 49.88.112.60 port 38364:11: [preauth]
Nov 29 07:40:53 myserver sshd[24440]: Disconnected from authenticating user root 49.88.112.60 port 38364 [preauth]
Nov 29 07:40:53 myserver sshd[24440]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.60 user=root
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Nov 29 10:47:27 i-myserver systemd-logind[491]: New seat seat0.
Nov 29 10:47:27 i-voice-iredeos systemd-logind[491]: Watching system buttons on /dev/input/event4 (Power Button)
Nov 29 10:47:27 i-voice-iredeos systemd-logind[491]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Nov 29 10:47:28 i-voice-iredeos sshd[512]: Server listening on 0.0.0.0 port 22.

Now I have blocked ssh from external addresses.

Sante
Posts: 17
Joined: 2018-12-09 04:17

Re: Debian frozen, possible hacker attack?

#2 Post by Sante »

It's a Chinese IP. An ssh server open to the WAN* is a security nightmare. Also disable ssh root access (let 'em guess a valid UN) and password login - use a certificate with strong encryption and a tortuous passphrase. Make sure your ssh version isn't known for remote exploits. Do you really need ssh? If not, consider uninstalling it altogether, but I guess if you have it you need it. Consider a VPN. About the crash thing, idk.


*not a Chinese guy :P
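The two settings Sante's reply says to turn off, root login and password login, are keywords in /etc/ssh/sshd_config. As an added example (mine, not Sante's or anyone else's in the thread), here is a small offline audit of that file's global section, with a constructed weak configuration beside the hardened one. It assumes OpenSSH's documented defaults for keywords that are never set and OpenSSH's rule that the first occurrence of a keyword wins; the config fragments are constructed, not taken from the poster's server.

```python
"""Audit the global section of an sshd_config for the settings Sante's reply
says to turn off: root login and password login. Added example, not from the
thread; the config fragments below are constructed."""
import re

# OpenSSH defaults for keywords that are never set. PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0; Debian's shipped
# sshd_config leaves most of these commented out, so the defaults apply.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}

# "Keyword value" or "Keyword=value"; the keyword is case-insensitive.
KEYWORD = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")

def parse_global(config_text):
    """Return the effective global settings as lower-cased keyword -> value.

    sshd honours the FIRST occurrence of a keyword and silently ignores later
    ones, so a hardened line appended at the end of the file changes nothing
    if the keyword was already set above it (or in a file pulled in earlier by
    Include, which this offline parser cannot follow: confirm the live result
    with `sshd -T`). Settings inside a Match block are conditional, so the
    global audit stops at the first Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key == "challengeresponseauthentication":   # pre-OpenSSH 8.7 name
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)                 # first occurrence wins
    return settings

def audit(config_text):
    """Return (keyword, effective value, why it matters) findings; an empty
    list means the root-login and password-login surface is closed."""
    settings = parse_global(config_text)
    eff = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", eff["permitrootlogin"],
                         "root stays a valid ssh login name; 'no' makes the bots' "
                         "favourite username unusable"))
    if eff["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password guessing is possible; set 'no' once key login works"))
    elif eff["usepam"] == "yes" and eff["kbdinteractiveauthentication"] == "yes":
        # With UsePAM yes, PAM can still prompt for a password over the
        # keyboard-interactive method even though PasswordAuthentication is no.
        findings.append(("KbdInteractiveAuthentication", "yes",
                         "PAM keyboard-interactive can still ask for a password; set 'no'"))
    if eff["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", eff["pubkeyauthentication"],
                         "key login is off, so disabling passwords would lock everyone out"))
    return findings

# Constructed: what a stock Debian sshd_config effectively says (defaults),
# plus the password login the posted log shows being tried against root.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
"""

# Constructed: the hardened form. The KbdInteractiveAuthentication line is
# needed too; PasswordAuthentication no alone is not enough on a PAM system.
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# Constructed: a common mistake. The appended 'no' is ignored because the
# earlier 'yes' already set the keyword.
APPENDED_CONFIG = """\
PasswordAuthentication yes
UsePAM yes
# ... many lines later, added by hand:
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("appended", APPENDED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Since Debian's sshd_config starts with an Include of /etc/ssh/sshd_config.d/, a drop-in file there is the first occurrence and wins over the main file; `sshd -T` prints the values sshd will actually use, and a `sshd -t` syntax check before restarting avoids locking yourself out with a typo.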

None1975
df -h | participant
Posts: 1398
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 46 times
Been thanked: 68 times

Re: Debian frozen, possible hacker attack?

#3 Post by None1975 »

Congratulations!! You have been hacked!
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

trinidad
Posts: 296
Joined: 2016-08-04 14:58
Been thanked: 15 times

Re: Debian frozen, possible hacker attack?

#4 Post by trinidad »

Geez don't jump to conclusions.

Do you/did you run any Dell OEM utilities like i.e. backup, firmware updates, DataSafe, Dell service connections, etc.? How did you forward your ports, and how is AllowUsers set up? Are you SSHing in from Windows?

TC
You can't believe your eyes if your imagination is out of focus.

Hallvor
Global Moderator
Posts: 2041
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 149 times
Been thanked: 212 times

Re: Debian frozen, possible hacker attack?

#5 Post by Hallvor »

My server gets hit like this all the time. I am guessing there are bots knocking on available servers with root as the user name and common passwords. Consider it noise. Change the ssh port and disable root logins, and these attacks should be very rare. You can also make your firewall ban IP addresses on failed password attempts.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Debian frozen, possible hacker attack?

#6 Post by cuckooflew »

You can also make your firewall ban IP addresses on failed password attempts.
And that is one of many IPs that definitely should be blocked/banned:
https://www.abuseipdb.com/check/49.88.112.60
Yes, it is a hacker bot attack, but I don't see anything to indicate it successfully logged in as root, or as any other user.
A properly set up firewall should prevent them from accessing it; also, ZBBLOCK is of additional help.
From https://zb-block.net/zbf/showthread.php?p=1024:
The ZB-Block Website Protection Script (referred to as "the ZB-Block script" and "ZB-Block") is a computer program that allows a website administrator to filter unwanted and potentially malicious connections to their website. This helps to protect the website against unwanted activity, intrusion, and/or data theft.

The ZB-Block script runs directly on the protected website. ZB-Block is not a data collector or data processor as defined by GDPR. The ZB-Block script does not access, request, review, or retain any Personally Identifying Information as defined by GDPR.

If ZB-Block finds no reason to prevent (or "block") a connection to the protected website, ZB-Block will allow the connection to pass through to the protected website, and no record of the connection is retained by ZB-Block.

However, if ZB-Block finds sufficient reason to interrupt (or "block") a particular connection, ZB-Block will retain a record of that "block" for the website administrator to review. This allows the website administrator to adjust their installation of ZB-Block by removing incorrect restrictions or instituting additional restrictions.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
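The poster's auth.log excerpt, Hallvor's suggestion of having the firewall ban addresses on failed password attempts, and cuckooflew's observation that nothing in the log shows a successful login all come down to the same reading of the file. The following is an added example, mine rather than anything posted in the thread, that does that triage: it totals failed logins per source address (counting the "PAM N more authentication failures" summary lines, which cover attempts sshd does not log one by one), applies a fail2ban-style sliding window (maxretry failures within findtime) to decide which addresses would be banned, lists any "Accepted" logins, and locates runs of NUL bytes, which is what the ^@ characters in the posted log are. The log bytes are constructed for the example and use documentation addresses (192.0.2.0/24, 198.51.100.0/24), not the address from the thread; the year is supplied by the caller because syslog timestamps do not carry one.

```python
"""Triage an sshd auth.log the way the thread talks about it: total failed
logins per source address (what a fail2ban-style firewall ban keys on), any
successful logins (none in the posted fragment), and the NUL-filled stretch
left by the freeze. Added example, not from anyone in the thread; the log
bytes below are constructed and use documentation addresses."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# auth.log timestamps carry no year, so the caller supplies it.
SYSLOG_TS = "%Y %b %d %H:%M:%S"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PAM_MORE = re.compile(r"PAM (\d+) more authentication failures;.*rhost=(\S+) user=(\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def find_nul_gaps(raw):
    """(offset, length) of each run of 16+ NUL bytes. Zero-filled log space
    between two timestamped lines means the file was extended but the data
    never reached disk before the machine stopped: what an abrupt halt leaves
    behind, and nothing an ssh login writes."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(rb"\x00{16,}", raw)]

def parse_events(raw, year):
    """Yield (time, kind, user, ip, count) for the sshd lines that matter."""
    text = raw.replace(b"\x00", b"\n").decode("utf-8", "replace")
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, msg = datetime.strptime(f"{year} {m.group(1)}", SYSLOG_TS), m.group(2)
        if f := FAILED.search(msg):
            yield when, "failed", f.group(1), f.group(2), 1
        elif p := PAM_MORE.search(msg):
            # sshd logs only the first few failures of a connection one by one
            # and summarises the rest here, so these count towards the total.
            yield when, "failed", p.group(3), p.group(2), int(p.group(1))
        elif a := ACCEPTED.search(msg):
            yield when, "accepted", a.group(2), a.group(3), 1

def triage(raw, year, maxretry=5, findtime=timedelta(minutes=10)):
    """Return failure totals, successful logins, ban decisions and NUL gaps.
    maxretry/findtime mirror fail2ban's sliding window: an address is banned
    once maxretry failures fall inside findtime."""
    failures, accepted, bans = Counter(), [], {}
    window = defaultdict(list)          # ip -> failure times still inside findtime
    for when, kind, user, ip, n in parse_events(raw, year):
        if kind == "accepted":
            accepted.append((when, user, ip))
            continue
        failures[ip] += n
        if ip in bans:
            continue
        hits = [t for t in window[ip] if when - t <= findtime] + [when] * n
        window[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = when
    return {"failures": dict(failures), "accepted": accepted,
            "bans": bans, "nul_gaps": find_nul_gaps(raw)}

# Constructed log bytes: a burst from one bot (192.0.2.10), one stray guess
# from another address, 64 NUL bytes where the box froze, the reboot, and
# one genuine key-based login so the "accepted" path is exercised.
SAMPLE_LOG = (
    b"Nov 29 07:40:44 myserver sshd[24440]: Failed password for root from 192.0.2.10 port 38364 ssh2\n"
    b"Nov 29 07:40:48 myserver sshd[24440]: Failed password for root from 192.0.2.10 port 38364 ssh2\n"
    b"Nov 29 07:40:51 myserver sshd[24440]: Failed password for root from 192.0.2.10 port 38364 ssh2\n"
    b"Nov 29 07:40:53 myserver sshd[24440]: Received disconnect from 192.0.2.10 port 38364:11: [preauth]\n"
    b"Nov 29 07:40:53 myserver sshd[24440]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root\n"
    b"Nov 29 07:41:02 myserver sshd[24451]: Failed password for invalid user admin from 192.0.2.77 port 50122 ssh2\n"
    + b"\x00" * 64 +
    b"Nov 29 10:47:27 myserver systemd-logind[491]: New seat seat0.\n"
    b"Nov 29 10:47:28 myserver sshd[512]: Server listening on 0.0.0.0 port 22.\n"
    b"Nov 29 10:52:10 myserver sshd[640]: Accepted publickey for deploy from 198.51.100.7 port 41022 ssh2\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, year=2019)
    for ip, n in sorted(result["failures"].items(), key=lambda kv: -kv[1]):
        banned = f", banned at {result['bans'][ip]}" if ip in result["bans"] else ""
        print(f"{ip}: {n} failed login(s){banned}")
    print("successful logins:", result["accepted"] or "none")
    print("NUL gaps (offset, length):", result["nul_gaps"])
```

Run against a real file with `triage(open("/var/log/auth.log", "rb").read(), year=2019)`; reading bytes rather than text is what lets the NUL run be found instead of being silently mangled. An empty "accepted" list for the bot's address is the check cuckooflew's reply is making, and the zero-filled stretch sits exactly where the log stops before the reboot, which fits the freeze the poster describes rather than anything a login would write.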
