Script Kiddie Tries to Hack Me?


Have you recently taken up maintaining a server as a hobby? Chances are your machine is already being poked and prodded by bot farms. I highly recommend reading this guide if you want solid security for your server.

But how can you see whether someone (or something) is attempting to hack your machine? If you're on Debian, just type the following to view the tail of the system journal:

journalctl -xe

Below is a log of this command's output, showing some monkey business going on at my email and SSH ports.

log.txt (I've redacted the guy's IP and other details with *'s)

If you have a server connected to the internet, you have to deal with automated login attempts by botnets. In this case, though, it seems like a real person.

So how can we deal with these menaces once and for all? First, consult the firewall guide here. Then add a rule for the offending address with this additional firewall command:

ufw deny from ip-address-here to any

The way you find their IP is to read the log: Postfix lines look like "connect from unknown[ip-address]" (the address is in the square brackets), while sshd lines look like "Failed password for invalid user admin from ip-address port 51234 ssh2".

Reject vs Deny

If instead you want to tell the intruder that the port they are attacking is unreachable, replace the word deny with reject in the ufw command above. Reject sends an explicit refusal back to the attacker (a TCP reset or an ICMP unreachable message, depending on the protocol), so their connection fails immediately; deny drops the packets without any answer, so the attacker sits waiting for a timeout. Use deny for ports you don't want attackers to learn anything about. Bear in mind that deny doesn't hide a host that also runs public services; it just makes the scan slower and less informative.

To check that your new rule has been added, type:

ufw status
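The find-the-IP and ufw steps above can be chained into a script. This is an added example, not code from the original post: it pulls source addresses out of sshd and Postfix journal lines (in the default journalctl short format) and prints a ufw deny command for every address with enough failures. The log lines are constructed samples using RFC 5737 documentation addresses, not a real capture, and the threshold of 2 is just for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: pull the source addresses
# out of sshd and Postfix journal lines and turn repeat offenders into ufw
# deny rules. The log lines below are constructed samples (RFC 5737
# documentation addresses), not a real capture.
LOG_SAMPLE='Mar 03 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 03 10:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 03 10:01:19 host sshd[2214]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 03 10:02:03 host postfix/smtpd[2300]: connect from unknown[198.51.100.23]
Mar 03 10:02:04 host postfix/smtpd[2300]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 03 10:02:09 host postfix/smtpd[2300]: disconnect from unknown[198.51.100.23]
Mar 03 10:03:30 host sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2'

# attacker_ips: read journal lines on stdin and print "count ip", most
# failures first. sshd writes "... from <ip> port <n>"; Postfix writes
# "unknown[<ip>]" (or "<hostname>[<ip>]"), so the two need different parsing.
# Successful logins ("Accepted ...") are deliberately not counted.
attacker_ips() {
    awk '
        / sshd\[[0-9]+\]: Failed password / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        / postfix\/smtpd\[[0-9]+\]: warning: .*: SASL .*authentication failed/ {
            # the address is the dotted quad in square brackets after "warning:"
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                n[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# deny_rules THRESHOLD: print a ufw deny command for every source with at
# least THRESHOLD failures. Printing rather than executing lets you read the
# list before it touches the firewall; swap "deny" for "reject" if you want
# the attacker to get an explicit refusal instead of silence.
deny_rules() {
    attacker_ips | awk -v t="$1" '$1 >= t { print "ufw deny from " $2 " to any" }'
}

# Demo on the constructed sample: only 203.0.113.7 crosses a threshold of 2.
printf '%s\n' "$LOG_SAMPLE" | deny_rules 2
```

For real use, pipe the journal into it, e.g. journalctl --since today --no-pager | attacker_ips, and run the printed commands as root once you've checked that none of the addresses is your own. ufw status numbered shows the rule numbers you need if you later want to remove one with ufw delete.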

Would it be cumbersome to do this for each and every snooper you encounter? Yes. And against botnets it's futile. That's why I recommend fail2ban (check out the first link), which will essentially do this for you on your SSH port. But chances are you have more than just one port open if you have a website or an email service running; fail2ban also ships jails for Postfix, Dovecot, nginx and others, so enable one for every service you expose rather than only sshd.

If your server serves traffic on default ports, expect a lot of login attempts by black hats. You could move services to non-default ports to thin out your logs, but do not make this your only defense. Security through obscurity doesn't hold up: a scanner can sweep all 65,535 ports on a host in seconds, even though most botnets only try the defaults. Use SSH key pairs (ed25519 or RSA) to log in, and turn password authentication off in sshd_config so a guessed password is worth nothing.
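Turning password authentication off has a gotcha: sshd uses the first value it sees for a keyword, so a "PasswordAuthentication no" appended to the bottom of sshd_config loses to a "yes" higher up. The check below, an added example and not code from the original post, reproduces that first-match rule on two constructed config files (a weak one with a no-op fix appended and a hardened one). It ignores Match blocks and Include directives, so treat it as a quick sanity check; sshd -T prints the real effective configuration.

```shell
#!/bin/sh
# Added example, not code from the original post: check an sshd_config for
# password logins. sshd takes the FIRST value it sees for a keyword, so the
# "PasswordAuthentication no" appended at the bottom of WEAK_CONF loses to
# the earlier "yes"; effective() reproduces that rule. Both configs are
# constructed for the demo. Match blocks and Include are not handled here.
WEAK_CONF='# default-looking config with a no-op fix appended
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'

HARDENED_CONF='PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# effective KEYWORD: read a config on stdin and print the value sshd would
# use: the first non-comment match, keywords compared case-insensitively.
effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# audit: read a config on stdin, print findings, return 1 if a password
# alone can still get someone in. Absent keywords fall back to the OpenSSH
# defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password).
audit() {
    cfg=$(cat)
    rc=0
    pw=$(printf '%s\n' "$cfg" | effective PasswordAuthentication)
    root=$(printf '%s\n' "$cfg" | effective PermitRootLogin)
    [ -z "$pw" ] && pw=yes
    [ -z "$root" ] && root=prohibit-password
    if [ "$pw" != "no" ]; then
        echo "WEAK: effective PasswordAuthentication is $pw (brute force possible)"
        rc=1
    fi
    if [ "$root" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root reachable with a password)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key-only logins, root needs a key"
    return "$rc"
}

# Demo: the "fix" appended to WEAK_CONF changes nothing and audit flags it;
# HARDENED_CONF passes.
for c in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s\n' "$c" | audit || echo "  -> fix this before exposing port 22"
done
```

After editing sshd_config, run sshd -t to syntax-check it and sshd -T to confirm the effective values before restarting the service, and keep an existing session open until you have proven a key login still works.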

If someone (or a botnet) manages to log in to your system, which is far more likely if you allow login via password, you are toast. A rootkit can inject code into kernel space, hiding its processes from ps and from the process listing entirely. If you somehow found the PID of the malware, any attempt to kill it could come back with "No such process". Once that has happened there is no way of ever knowing for sure your system isn't compromised, even after cleaning up every visible trace of the intrusion; the only safe recovery is to rebuild from known-good media and restore your data from backups.