How do I troubleshoot internal(to external targets) brute force attack?
I'm getting a notification with these reports.
https://linode.abusehq.net/share/3ewRg23wrs33SWbkshrDrvRnPsW7FD3MKMenAweT3cv_Cl7lqXqXT2rSuCQGDvkHjsgVlwon3I1p0fEx-PocTQ
I've installed nginx, php{7.4,8.0}-fpm, mariadb, ufw, fail2ban softwares.
and only one project is running on the server. that's powered by Laravel.
2 Replies
✓ Best Answer
Something or someone is using your IP address to try to log in to the target of the abuse complaint using ssh.
What I would do is use your firewall to BLOCK all ssh traffic to/from your Linode and see if the reports continue. If they do, then someone is spoofing your IP address. There's not much you can do about this except report it to Linode and the blocklist operators.
In any case, I would use the firewall to block in-/outbound ssh traffic to all but a small set of addresses that you use every day. This is quite easy to do with iptables/ipset.
FWIW, fail2ban is only good on inbound traffic to your Linode…and only after the fact. None of this has anything to do with your web server (unless your app does ssh logins…in which case that would be a very poorly-designed app).
-- sw
@stevewi
Thanks a bunch!