Someone trying to get into my server?


This is commonplace when you are running a public server. Here is an excerpt of my home server's auth.log:

    Mar 14 19:22:36 hotdog sshd[65937]: Received disconnect from 181.214.92.11:  11: Bye Bye [preauth]
    Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
    Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
    Mar 14 19:22:37 hotdog sshd[65939]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
    Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
    Mar 14 19:22:38 hotdog sshd[65941]: input_userauth_request: invalid user support [preauth]
    Mar 14 19:22:38 hotdog sshd[65941]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
    Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
    Mar 14 19:22:39 hotdog sshd[65943]: input_userauth_request: invalid user oracle [preauth]
    Mar 14 19:22:39 hotdog sshd[65943]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
    Mar 14 19:22:40 hotdog sshd[65945]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
    Mar 14 19:24:04 hotdog sshd[65947]: fatal: Read from socket failed: Operation timed out [preauth]
    Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11:  [preauth]
    Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
    Mar 14 20:40:17 hotdog sshd[66092]: input_userauth_request: invalid user cacti [preauth]
    Mar 14 20:40:17 hotdog sshd[66092]: Connection closed by 199.217.117.71 [preauth]
    Mar 14 21:32:09 hotdog sshd[66188]: Received disconnect from 183.3.202.102: 11:  [preauth]
    Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
    Mar 14 22:01:59 hotdog sshd[66256]: input_userauth_request: invalid user user1 [preauth]
    Mar 14 22:02:00 hotdog sshd[66256]: Connection closed by 199.217.117.71 [preauth]
    Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161

As you can see, people are constantly trying to break into my server by guessing a username. Since the server only accepts publickey login, not password, I believe myself to be fairly secure from these particular attacks.

The same applies to your PHP files. They are trying to find a PHP endpoint which they can run some canned exploit on. You can use tools like fail2ban, which help with rate-limiting. But really these attacks will always be present on a public server. The only way is to ensure your software can resist attacks.

Some general common-sense tips:

  • Don't run more services than you need, as any one service could open your server to attack. Check which ports you have open with nmap.
  • Check that your apache/nginx config doesn't allow execution of more (PHP) files than necessary.
  • Update your software continuously. Most of these attacks are automated and thus rely on published exploits in common packages.
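
To see which sources in a log like the excerpt above are actually guessing usernames, the following added example (not part of the original answer, and not fail2ban's own code) counts sshd "Invalid user" lines per IP within a time window. The function names, the threshold parameters (named after fail2ban's maxretry and findtime options) and the placeholder year are assumptions; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the auth.log excerpt above (syslog format, no year).
SAMPLE_LOG = """\
Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11:  [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161
"""

# Matches only the "Invalid user NAME from IP" line; the username may be empty.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9a-fA-F.:]+)"
)

def parse_invalid_users(text, year=2000):
    """Yield (timestamp, ip, user). Syslog omits the year, so `year` is a
    placeholder (assumption) used only to build comparable datetimes."""
    for line in text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every IP with at least
    `maxretry` invalid-user attempts inside some window of `findtime`."""
    events = defaultdict(list)
    for ts, ip, user in parse_invalid_users(text):
        events[ip].append((ts, user))
    offenders = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= findtime.
            while hits[end][0] - hits[start][0] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = sorted({u for _, u in hits})
                break
    return offenders

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(ip, users)
```

With the default thresholds only the burst from 181.214.92.11 is reported; the slower source at 199.217.117.71 only shows up once the window is widened, which is why a short findtime alone does not catch low-and-slow guessing.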


I have the IP address 183.3.202.102 and some others from the same subnet quite frequently appearing in the log of one of my honeypots.

It suddenly stopped though. I guess someone finally submitted an abuse report and had them banned.