
Re: Connection closed by [IP] port [port] [preauth]



On Mon, 2020-02-24 at 21:38 +0100, steve wrote:
> Hi there,
> 
> Since February 11th at 00:25:09, I am getting the following every 12
> seconds:
> 
> Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 54422 [preauth]

I'm getting that too.

> And when I say every 12 seconds, it is really every 12 seconds, and this
> is now going on for more than 13 days, without any interruption. At the
> beginning, I thought that this was just standard nmap scans or
> something similar and so didn't bother taking any action. But now I'm
> asking myself who (in China) would be so stupid to continue this
> scanning.

The bot is possibly trying to trigger some vulnerability, which we can
expect is a known one and fixed in Debian.

> What should I do? Send an email to the abuse contact? Ignore it and wait
> until it's over? It doesn't seem naughty but it's getting irritating.

You've already had the same suggestions I'd give. I run fail2ban on all
internet facing systems, which will block IP addresses which are
repeatedly trying and failing things like password logins to sshd.
Unfortunately, simple connection drops like these aren't covered by the
built-in rules. There may be ways of adding custom rules, but I've just
taken to manually adding IP addresses to a blacklist with iptables. (To
avoid their irritation in the logs rather than fear that the bots will
be able to do anything nasty.)

-- 
Tixy
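
Added example, not part of the original message or of fail2ban: a small Python check that picks out sources repeatedly producing the plain `Connection closed by ... [preauth]` line quoted in the thread, as candidates for a block list. The `threshold`, `window` and `year` parameters and the 198.51.100.7 and 192.0.2.10 sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Plain pre-auth close, as quoted in the thread (no user name in the message).
PREAUTH_CLOSE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Connection closed by (?P<ip>[0-9A-Fa-f.:]+) port \d+ \[preauth\]\s*$"
)

def parse_line(line, year=2020):
    """Return (timestamp, ip) for a pre-auth close line, else None."""
    m = PREAUTH_CLOSE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies it (assumption)
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def repeat_offenders(lines, threshold=5, window=timedelta(minutes=2), year=2020):
    """Map each IP with >= threshold closes inside one window to its peak count."""
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:  # lines are expected in log (chronological) order
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop entries older than the window
            hits.pop(0)
        peak[ip] = max(peak[ip], len(hits))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def constructed_sample():
    """Constructed log: the thread's source at 12 s spacing plus two unrelated lines."""
    start = datetime(2020, 2, 11, 0, 25, 9)
    lines = []
    for i in range(6):
        stamp = (start + timedelta(seconds=12 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{stamp} box sshd[{17733 + i}]: Connection closed by 118.126.105.120 port {54422 + i} [preauth]")
    lines.append("Feb 11 00:25:30 box sshd[17800]: Connection closed by 198.51.100.7 port 40000 [preauth]")
    lines.append("Feb 11 00:25:40 box sshd[17801]: Failed password for root from 192.0.2.10 port 40100 ssh2")
    return lines

if __name__ == "__main__":
    for ip, count in repeat_offenders(constructed_sample()).items():
        print(f"{ip}: {count} pre-auth closes within 2 minutes")
```
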

