4

I'm running my own DigitalOcean Droplet on Ubuntu. Today, I found that my SFTP connection to said Droplet was a little laggy when doing work on it, so I checked /var/log/auth.log files to see what was happening.

I saw that for the past 7 days or so, I've had a huge number of failed SSH logins from a variety of IP addresses (like once per minute). They look like dictionary attacks mostly, since there are a lot of random usernames used.

I had a basic iptables configuration that blocks consecutive SSH connections beforehand, and I've augmented my security since by disallowing root logins and changing my SSH port from 22. I've also changed the login passwords for my privileged accounts.

I don't know how long I've been under this dictionary attack, and my logs don't show any suspicious successful logins. My question is: should I be concerned about potential successful login attempts by this dictionary attack? I'm worried these are bots that might have installed malware after a successful login attempt via root.

Amith KK
  • 13,547
John Doe
  • 231

1 Answer

4

Although it's unlikely that it succeeded if you had a strong root password, you could check for malware by using tools like tcptrack to see if any suspicious-looking connections are being made from the server.

Barring malware that communicates with the outside world, it would be very difficult to pinpoint where exactly a potential attacker would have put said malware, since once someone has root access, you are by all means compromised and that person has total control of everything on the system. If you feel with certainty that someone has gained root access, the best course of action would be to transfer out all the data you need from the droplet and just start over, making sure better security practices are followed so that such an attack is no longer possible.

Another step you can take to improve security would be to deny any type of password authentication and limit it to public key authentication only, so that such dictionary attacks are ineffective.

If for any reason you have to use passwords (which is not necessary in most cases and strongly not recommended), you can set up knockd to use port knocking to make sure an attacker can't figure out which port SSH is on. Note that this is just security by obscurity, and you still need strong passwords/passphrases.

Amith KK
  • 13,547
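As an added example (not part of the question or the answer above), here is a small Python script that does the auth.log triage the question is really asking for: count failed attempts per source IP, list the usernames each IP tried, and flag any accepted login that came from an IP which had also been guessing, or that was a password login as root. The log lines in SAMPLE_LOG are constructed for the example; the regexes match the standard OpenSSH "Failed password for ..." and "Accepted <method> for ..." messages that sshd writes to /var/log/auth.log on Ubuntu.

```python
"""Triage an OpenSSH auth.log for brute-force activity and for successful
logins that followed it.  Added example; the log lines below are constructed,
not taken from any real server."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt in the syslog format written by sshd.
SAMPLE_LOG = [
    "Mar  3 10:01:12 droplet sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2",
    "Mar  3 10:01:15 droplet sshd[1236]: Failed password for root from 203.0.113.5 port 41130 ssh2",
    "Mar  3 10:02:01 droplet sshd[1240]: Invalid user oracle from 198.51.100.7",
    "Mar  3 10:02:03 droplet sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 50012 ssh2",
    "Mar  3 10:03:44 droplet sshd[1250]: Accepted password for root from 203.0.113.5 port 41200 ssh2",
    "Mar  3 11:15:00 droplet sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: RSA SHA256:c0nstructedFingerprint",
]

# Standard OpenSSH log messages.  "invalid user" appears when the name does
# not exist on the system, which is typical of dictionary attacks.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def analyze(lines):
    """Return (failed attempts per IP, usernames tried per IP, accepted logins)."""
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((method, user, ip))
    return failures, usernames, accepted


def suspicious_logins(lines, min_failures=1):
    """Accepted logins worth investigating: the source IP also produced at
    least `min_failures` failed attempts (a success after guessing), or the
    login was a password login as root."""
    failures, _, accepted = analyze(lines)
    return [
        (method, user, ip)
        for method, user, ip in accepted
        if failures[ip] >= min_failures or (method == "password" and user == "root")
    ]


def top_attackers(lines, n=5):
    """IPs with the most failed attempts, with the usernames they tried."""
    failures, usernames, _ = analyze(lines)
    return [(ip, count, sorted(usernames[ip])) for ip, count in failures.most_common(n)]


if __name__ == "__main__":
    import sys
    # Real use: python3 triage.py /var/log/auth.log /var/log/auth.log.1
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as f:
                lines.extend(f)
    for ip, count, users in top_attackers(lines):
        print(f"{ip}: {count} failed attempts, users tried: {', '.join(users)}")
    for method, user, ip in suspicious_logins(lines):
        print(f"INVESTIGATE: accepted {method} login for {user} from {ip}")
```

Run it against /var/log/auth.log and the rotated auth.log.1 (older rotated files are gzipped and need zcat first). Two caveats follow from the answer's own point about root: a clean result is evidence, not proof, because an attacker who did get root can edit auth.log; and any "Accepted" line from an address you don't recognise deserves a look even when that address never failed. Once PasswordAuthentication is set to no in sshd_config, the "Failed password" lines stop appearing for the guessing traffic and the only accepted lines you should ever see are publickey logins from your own hosts.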