I found that someone is trying to hack my Linux server through SSH. What should I do?
Posted on 2005-04-16
I was looking through some logs and I found that there were thousands of entries like
Failed password for invalid user $user from ::ffff:$ip port $port ssh2
a) $user is a different user name each time
b) $port is a different port each time
c) $ip is the IP address the request came from.
I used some string manipulation commands and found there have been 57 different IPs with these failed password entries. Keep in mind that there is only 1 person other than me who knows the SSH password. With a few more commands I got the count for each IP. The highest one is 1071 and the second highest is 169. The user that tried 1071 times to hack my server must really want in. I have that user's IP. What should I do?
I used whois on the first hacker, who tried 1071 times, and found his ISP is based in Germany. The whois output lists the ISP's email address. Should I contact them? Do you think they would do anything? Is there any way that this is not the real IP? I mean, can the hacker make his IP address look like someone else's?
For the time being I have disabled the port redirect through the firewall. Now the server can only be accessed through SSH from within the network.
Any ideas how to handle a situation like this?
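The per-IP tally the poster describes, written out as an added example (this is not the poster's own commands, and the sshd log lines below are constructed, not real data): it parses "Failed password" entries, strips the ::ffff: IPv4-mapped prefix sshd uses when it listens on an IPv6 socket, and counts both attempts and distinct usernames per source address, since many different usernames from one address is the mark of a dictionary scan rather than a legitimate user mistyping a password.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
Apr 16 03:12:01 host sshd[2310]: Failed password for invalid user test from ::ffff:203.0.113.7 port 41022 ssh2
Apr 16 03:12:03 host sshd[2312]: Failed password for invalid user admin from ::ffff:203.0.113.7 port 41031 ssh2
Apr 16 03:12:05 host sshd[2314]: Failed password for invalid user oracle from ::ffff:203.0.113.7 port 41045 ssh2
Apr 16 03:12:09 host sshd[2316]: Failed password for invalid user guest from ::ffff:198.51.100.23 port 50211 ssh2
Apr 16 03:14:40 host sshd[2320]: Failed password for alice from ::ffff:192.0.2.9 port 33010 ssh2
Apr 16 03:15:02 host sshd[2322]: Accepted password for alice from ::ffff:192.0.2.9 port 33011 ssh2
"""

# Matches failures for both unknown ("invalid user") and existing accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\S+) port (?P<port>\d+) ssh2"
)

def normalize_ip(ip):
    # sshd logs IPv4 peers as IPv4-mapped IPv6 addresses on a v6 socket.
    return ip[7:] if ip.startswith("::ffff:") else ip

def summarize_failures(log_text):
    """Return (failed attempts per IP, set of usernames tried per IP)."""
    attempts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = normalize_ip(m.group("ip"))
        attempts[ip] += 1
        users[ip].add(m.group("user"))
    return attempts, users

def suspicious_sources(log_text, min_attempts=3):
    """IPs with at least min_attempts failures, busiest first.

    Each entry is (ip, failed_attempts, distinct_usernames); a high
    username count from one IP points to a scripted dictionary scan."""
    attempts, users = summarize_failures(log_text)
    return [(ip, n, len(users[ip]))
            for ip, n in attempts.most_common() if n >= min_attempts]

if __name__ == "__main__":
    for ip, n, nusers in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, {nusers} distinct usernames")
```

Run it against the real file (for example /var/log/auth.log or /var/log/secure) by passing its contents to suspicious_sources; the threshold is a starting point to tune, not a rule.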