Seeing concerted spike of root attempts
Wiped out my instance to redeploy a wp-instance and was having trouble getting my new sudo user to, well, sudo. When I checked auth.log to see if something was up with PAM, I noticed I had a slew of root attempts from IPs which whois says are in China.
I set UFW to deny all incoming that is not my home IP for the moment, and that has stopped entries in auth.log; however, I wanted to make sure I have not also blocked out crucial Linode communication. Are any of these you all? Syslog dump for reference:
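An added example, not code from the post or from Linode, of how to turn a dump like this into something answerable: it parses constructed sample lines in the same shape as the kernel's `[UFW BLOCK]` entries and sshd's "Failed password" lines in auth.log, then groups them by source so that a port sweep (one source, many destination ports) stands apart from repeated attempts on a single port such as 22. The IPs, ports and timestamps are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not the poster's data) in the same shape as the
# [UFW BLOCK] kernel entries and the sshd lines in auth.log discussed above.
UFW_LOG = """\
Apr 26 02:06:51 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=246 PROTO=TCP SPT=51806 DPT=44110 SYN URGP=0
Apr 26 02:09:15 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=246 PROTO=TCP SPT=51806 DPT=5002 SYN URGP=0
Apr 26 02:10:18 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=246 PROTO=TCP SPT=51806 DPT=5100 SYN URGP=0
Apr 26 02:13:02 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=55 DF PROTO=TCP SPT=35336 DPT=22 SYN URGP=0
Apr 26 02:13:03 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=55 DF PROTO=TCP SPT=35336 DPT=22 SYN URGP=0
Apr 26 02:18:50 localhost kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=35 TTL=59 DF PROTO=UDP SPT=55491 DPT=177 LEN=15
"""
AUTH_LOG = """\
Apr 26 01:58:10 localhost sshd[1201]: Failed password for root from 203.0.113.7 port 35301 ssh2
Apr 26 01:58:12 localhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 35302 ssh2
Apr 26 01:58:15 localhost sshd[1205]: Failed password for root from 203.0.113.7 port 35305 ssh2
"""

UFW_RE = re.compile(r"\[UFW BLOCK\] .*?\bSRC=(\S+) .*?\bPROTO=(\S+) .*?\bDPT=(\d+)")
AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarize_blocks(text):
    """Per source IP: packets UFW dropped and the (proto, port) pairs it probed."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in text.splitlines():
        m = UFW_RE.search(line)
        if not m:
            continue  # unrelated kernel line
        src, proto, dpt = m.group(1), m.group(2), int(m.group(3))
        summary[src]["hits"] += 1
        summary[src]["ports"].add((proto, dpt))
    return dict(summary)

def classify(summary, scan_ports=3, repeat_hits=2):
    """Split sources sweeping many ports from sources hammering one port."""
    scan = sorted(s for s, v in summary.items() if len(v["ports"]) >= scan_ports)
    repeat = sorted(s for s, v in summary.items()
                    if len(v["ports"]) == 1 and v["hits"] >= repeat_hits)
    return {"port_scan": scan, "repeat_single_port": repeat}

def failed_logins(text):
    """Count sshd password failures per (source IP, attempted user) in auth.log."""
    counts = Counter()
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts

if __name__ == "__main__":
    blocks = summarize_blocks(UFW_LOG)
    print(classify(blocks))
    print(failed_logins(AUTH_LOG))
```

On a real box, feed it `grep 'UFW BLOCK' /var/log/syslog` and `/var/log/auth.log`; a source that shows up in both lists is the kind Fail2Ban is meant to ban automatically.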
3 Replies
Linode doesn't use the network to connect to your machine, ever. Indeed they really don't have much interaction with the userland or the deployed image at all, aside from during boot time for stuff like network helper, etc.
Blocking all incoming traffic could present other problems for you depending on what you're doing - and in the end you might be better off just limiting incoming traffic to your SSH port specifically - but you're not going to trip up Linode by blocking incoming traffic. The exception to this is if you're running Longview, in which case you'll need to make the firewall exceptions detailed in its guide.
Yeah, will have to adjust UFW to allow for http and such eventually. Bleh, this was not what I wanted to spend my evening worrying about :/
Hey there, just to add on, I would recommend taking a look at the following guides to help secure your Linode a little better and help prevent future intrusions.
Securing Your Server
Linux Security Basics
Control Network Traffic With IPtables
Using Fail2Ban for Security