Repeated login attempts from China!

nextcloud 11 after upgrade
Https enabled
Strict Https enabled
ubuntu server 16.04
Ufw enabled with apache and ssh

So here is something I was not expecting. I checked the auth.log and I see login attempt after login attempt from several different IP addresses, and they all come from China so far. There are MANY login attempts from each IP address.

This is what I get

Dec 21 00:14:00 ubuntu sshd[8257]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.1$
Dec 21 00:14:01 ubuntu sshd[8257]: Failed password for root from 218.65.30.124 port 50235 ssh2
Dec 21 00:14:07 ubuntu sshd[8257]: message repeated 2 times: [ Failed password for root from 218.65.30.124 port 50235 ssh2]
Dec 21 00:14:08 ubuntu sshd[8259]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.$
Dec 21 00:14:10 ubuntu sshd[8257]: Failed password for root from 218.65.30.124 port 50235 ssh2
Dec 21 00:14:10 ubuntu sshd[8259]: Failed password for root from 58.218.199.182 port 60398 ssh2
Dec 21 00:14:12 ubuntu sshd[8257]: Failed password for root from 218.65.30.124 port 50235 ssh2
Dec 21 00:14:12 ubuntu sshd[8259]: Failed password for root from 58.218.199.182 port 60398 ssh2
Dec 21 00:14:14 ubuntu sshd[8259]: Failed password for root from 58.218.199.182 port 60398 ssh2
Dec 21 00:14:15 ubuntu sshd[8257]: Failed password for root from 218.65.30.124 port 50235 ssh2
Dec 21 00:14:15 ubuntu sshd[8257]: error: maximum authentication attempts exceeded for root from 218.65.30.124 port 50235 ssh2 [preaut$
Dec 21 00:14:15 ubuntu sshd[8257]: Disconnecting: Too many authentication failures [preauth]
Dec 21 00:14:15 ubuntu sshd[8257]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.124 user=$
Dec 21 00:14:15 ubuntu sshd[8257]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 21 00:14:15 ubuntu sshd[8259]: Received disconnect from 58.218.199.182 port 60398:11: [preauth]
Dec 21 00:14:15 ubuntu sshd[8259]: Disconnected from 58.218.199.182 port 60398 [preauth]
Dec 21 00:14:15 ubuntu sshd[8259]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 user$
Dec 21 00:14:20 ubuntu sshd[8261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.1$
Dec 21 00:14:22 ubuntu sshd[8261]: Failed password for root from 218.65.30.124 port 16010 ssh2
Dec 21 00:14:48 ubuntu sshd[8261]: message repeated 5 times: [ Failed password for root from 218.65.30.124 port 16010 ssh2]
Dec 21 00:14:48 ubuntu sshd[8261]: error: maximum authentication attempts exceeded for root from 218.65.30.124 port 16010 ssh2 [preaut$
Dec 21 00:14:48 ubuntu sshd[8261]: Disconnecting: Too many authentication failures [preauth]
Dec 21 00:14:48 ubuntu sshd[8261]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.124 user=$
Dec 21 00:14:48 ubuntu sshd[8261]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 21 00:14:54 ubuntu sshd[8263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.$
Dec 21 00:14:55 ubuntu sshd[8265]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.1$
Dec 21 00:14:56 ubuntu sshd[8263]: Failed password for root from 58.218.199.182 port 19671 ssh2
Dec 21 00:14:56 ubuntu sshd[8263]: Received disconnect from 58.218.199.182 port 19671:11: [preauth]
Dec 21 00:14:56 ubuntu sshd[8263]: Disconnected from 58.218.199.182 port 19671 [preauth]
Dec 21 00:14:56 ubuntu sshd[8265]: Failed password for root from 218.65.30.124 port 7953 ssh2
Dec 21 00:15:11 ubuntu sshd[8265]: message repeated 5 times: [ Failed password for root from 218.65.30.124 port 7953 ssh2]
Dec 21 00:15:11 ubuntu sshd[8265]: error: maximum authentication attempts exceeded for root from 218.65.30.124 port 7953 ssh2 [preauth]
Dec 21 00:15:11 ubuntu sshd[8265]: Disconnecting: Too many authentication failures [preauth]
Dec 21 00:15:11 ubuntu sshd[8265]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.124 user=$
Dec 21 00:15:11 ubuntu sshd[8265]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 21 00:15:25 ubuntu sshd[8269]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.$
Dec 21 00:15:27 ubuntu sshd[8269]: Failed password for root from 58.218.199.182 port 61976 ssh2
Dec 21 00:15:35 ubuntu sshd[8269]: Failed password for root from 58.218.199.182 port 61976 ssh2
Dec 21 00:15:35 ubuntu sshd[8269]: Received disconnect from 58.218.199.182 port 61976:11: [preauth]
Dec 21 00:15:35 ubuntu sshd[8269]: Disconnected from 58.218.199.182 port 61976 [preauth]
Dec 21 00:15:35 ubuntu sshd[8269]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 user=$
Dec 21 00:16:07 ubuntu sshd[8272]: Received disconnect from 58.218.199.182 port 60230:11: [preauth]
Dec 21 00:16:07 ubuntu sshd[8272]: Disconnected from 58.218.199.182 port 60230 [preauth]
Dec 21 00:16:39 ubuntu sshd[8276]: Connection reset by 58.218.199.182 port 23047 [preauth]
Dec 21 00:17:01 ubuntu CRON[8279]: pam_unix(cron:session): session opened for user root by (uid=0)

Dec 21 00:34:58 ubuntu sshd[8649]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:35:44 ubuntu sshd[8651]: Connection closed by 58.218.199.182 port 20803 [preauth]
Dec 21 00:35:57 ubuntu sshd[8653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:35:59 ubuntu sshd[8653]: Failed password for root from 58.218.199.182 port 24485 ssh2
Dec 21 00:36:04 ubuntu sshd[8653]: Failed password for root from 58.218.199.182 port 24485 ssh2
Dec 21 00:36:04 ubuntu sshd[8653]: Received disconnect from 58.218.199.182 port 24485:11: [preauth]
Dec 21 00:36:04 ubuntu sshd[8653]: Disconnected from 58.218.199.182 port 24485 [preauth]
Dec 21 00:36:04 ubuntu sshd[8653]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 us$
Dec 21 00:36:32 ubuntu sshd[8655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:36:34 ubuntu sshd[8655]: Failed password for root from 58.218.199.182 port 12977 ssh2
Dec 21 00:36:39 ubuntu sshd[8655]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 12977 ssh2]
Dec 21 00:36:41 ubuntu sshd[8655]: Received disconnect from 58.218.199.182 port 12977:11: [preauth]
Dec 21 00:36:41 ubuntu sshd[8655]: Disconnected from 58.218.199.182 port 12977 [preauth]
Dec 21 00:36:41 ubuntu sshd[8655]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:37:08 ubuntu sshd[8657]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:37:11 ubuntu sshd[8657]: Failed password for root from 58.218.199.182 port 60504 ssh2
Dec 21 00:37:16 ubuntu sshd[8657]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 60504 ssh2]
Dec 21 00:37:17 ubuntu sshd[8657]: Received disconnect from 58.218.199.182 port 60504:11: [preauth]
Dec 21 00:37:17 ubuntu sshd[8657]: Disconnected from 58.218.199.182 port 60504 [preauth]
Dec 21 00:37:17 ubuntu sshd[8657]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:37:46 ubuntu sshd[8659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:37:48 ubuntu sshd[8659]: Failed password for root from 58.218.199.182 port 10473 ssh2
Dec 21 00:37:53 ubuntu sshd[8659]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 10473 ssh2]
Dec 21 00:37:53 ubuntu sshd[8659]: Received disconnect from 58.218.199.182 port 10473:11: [preauth]
Dec 21 00:37:53 ubuntu sshd[8659]: Disconnected from 58.218.199.182 port 10473 [preauth]
Dec 21 00:37:53 ubuntu sshd[8659]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:38:24 ubuntu sshd[8661]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:38:26 ubuntu sshd[8661]: Failed password for root from 58.218.199.182 port 18155 ssh2
Dec 21 00:38:30 ubuntu sshd[8661]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 18155 ssh2]
Dec 21 00:38:31 ubuntu sshd[8661]: Received disconnect from 58.218.199.182 port 18155:11: [preauth]
Dec 21 00:38:31 ubuntu sshd[8661]: Disconnected from 58.218.199.182 port 18155 [preauth]
Dec 21 00:38:31 ubuntu sshd[8661]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:39:01 ubuntu CRON[8665]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 21 00:39:02 ubuntu CRON[8665]: pam_unix(cron:session): session closed for user root
Dec 21 00:39:03 ubuntu sshd[8663]: Connection reset by 58.218.199.182 port 16115 [preauth]
Dec 21 00:39:35 ubuntu sshd[8707]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:39:36 ubuntu sshd[8707]: Failed password for root from 58.218.199.182 port 12765 ssh2
Dec 21 00:39:42 ubuntu sshd[8707]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 12765 ssh2]
Dec 21 00:39:43 ubuntu sshd[8707]: Received disconnect from 58.218.199.182 port 12765:11: [preauth]
Dec 21 00:39:43 ubuntu sshd[8707]: Disconnected from 58.218.199.182 port 12765 [preauth]
Dec 21 00:39:43 ubuntu sshd[8707]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:40:16 ubuntu sshd[8710]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:40:18 ubuntu sshd[8710]: Failed password for root from 58.218.199.182 port 24133 ssh2
Dec 21 00:40:18 ubuntu sshd[8710]: Received disconnect from 58.218.199.182 port 24133:11: [preauth]
Dec 21 00:40:18 ubuntu sshd[8710]: Disconnected from 58.218.199.182 port 24133 [preauth]

Dec 21 00:40:55 ubuntu sshd[8712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:40:58 ubuntu sshd[8712]: Failed password for root from 58.218.199.182 port 64155 ssh2
Dec 21 00:40:58 ubuntu sshd[8712]: Received disconnect from 58.218.199.182 port 64155:11: [preauth]
Dec 21 00:40:58 ubuntu sshd[8712]: Disconnected from 58.218.199.182 port 64155 [preauth]
Dec 21 00:41:19 ubuntu sshd[8714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:41:21 ubuntu sshd[8714]: Failed password for root from 58.218.199.182 port 23859 ssh2
Dec 21 00:41:25 ubuntu sshd[8714]: message repeated 2 times: [ Failed password for root from 58.218.199.182 port 23859 ssh2]
Dec 21 00:41:27 ubuntu sshd[8714]: Received disconnect from 58.218.199.182 port 23859:11: [preauth]
Dec 21 00:41:27 ubuntu sshd[8714]: Disconnected from 58.218.199.182 port 23859 [preauth]
Dec 21 00:41:27 ubuntu sshd[8714]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 u$
Dec 21 00:41:54 ubuntu sshd[8720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:41:56 ubuntu sshd[8720]: Failed password for root from 58.218.199.182 port 27659 ssh2
Dec 21 00:42:03 ubuntu sshd[8720]: Failed password for root from 58.218.199.182 port 27659 ssh2
Dec 21 00:42:03 ubuntu sshd[8720]: Connection reset by 58.218.199.182 port 27659 [preauth]
Dec 21 00:42:03 ubuntu sshd[8720]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.199.182 us$
Dec 21 00:42:49 ubuntu sshd[8725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.1$
Dec 21 00:42:51 ubuntu sshd[8725]: Failed password for root from 58.218.199.182 port 38912 ssh2
Dec 21 00:42:51 ubuntu sshd[8725]: Received disconnect from 58.218.199.182 port 38912:11: [preauth]
Dec 21 00:42:51 ubuntu sshd[8725]: Disconnected from 58.218.199.182 port 38912 [preauth]
Dec 21 00:43:43 ubuntu sshd[8730]: Did not receive identification string from 58.218.199.182



I do not know what to do about this. I do not have fail2ban installed and don't know how to set that up. I also have not messed with iptables and am not familiar with that at all either.

I should probably update my ssh password or password for my root account and my user account.

What is the best thing to do in this situation?

Thanks.
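Added example (not part of the original thread): a small Python summary of an auth.log in the format pasted above, counting failed SSH passwords per source and listing any accepted login from an address that also produced failures. The sample lines are constructed and use documentation addresses; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the auth.log format shown above. Addresses are from
# the documentation ranges (192.0.2.0/24 etc.), not hosts from the thread.
SAMPLE_LOG = """\
Dec 21 00:14:01 ubuntu sshd[8257]: Failed password for root from 192.0.2.10 port 50235 ssh2
Dec 21 00:14:07 ubuntu sshd[8257]: message repeated 2 times: [ Failed password for root from 192.0.2.10 port 50235 ssh2]
Dec 21 00:14:10 ubuntu sshd[8259]: Failed password for invalid user admin from 198.51.100.7 port 60398 ssh2
Dec 21 00:14:15 ubuntu sshd[8257]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 21 00:14:20 ubuntu sshd[8261]: Failed password for root from 198.51.100.7 port 60399 ssh2
Dec 21 00:14:31 ubuntu sshd[8263]: Accepted password for root from 198.51.100.7 port 60400 ssh2
Dec 21 00:15:02 ubuntu sshd[8300]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2: RSA SHA256:constructed
Dec 21 00:17:01 ubuntu CRON[8279]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# rsyslog collapses identical consecutive lines into this wrapper.
REPEATED = re.compile(
    r"message repeated (?P<n>\d+) times: \[\s*(?P<msg>.*)\]\s*$")


def summarize(log_text):
    """Return (failures, accepted): failures counts (ip, user) pairs,
    accepted lists (ip, user, method) for every successful login."""
    failures, accepted = Counter(), []
    for line in log_text.splitlines():
        if " sshd[" not in line:
            continue  # skip CRON and other services
        weight = 1
        rep = REPEATED.search(line)
        if rep:
            # "repeated N times" stands for N further copies of the message
            weight, line = int(rep.group("n")), rep.group("msg")
        m = FAILED.search(line)
        if m:
            failures[(m.group("ip"), m.group("user"))] += weight
            continue
        # "PAM N more authentication failures" lines summarise attempts that
        # were already counted above, so they are deliberately ignored.
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
    return failures, accepted


def per_ip(failures):
    """Collapse the (ip, user) counts into one total per source address."""
    totals = Counter()
    for (ip, _user), count in failures.items():
        totals[ip] += count
    return dict(totals)


def logins_after_failures(failures, accepted):
    """Accepted logins whose source address also failed: review these first."""
    noisy = {ip for ip, _user in failures}
    return [entry for entry in accepted if entry[0] in noisy]


if __name__ == "__main__":
    fails, ok = summarize(SAMPLE_LOG)
    for ip, count in sorted(per_ip(fails).items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {count} failed passwords")
    for ip, user, method in logins_after_failures(fails, ok):
        print(f"REVIEW: {method} login for {user} from {ip} after failures")
```

Counting the "message repeated" wrapper matters for this log: a session that shows one "Failed password" line plus "message repeated 5 times" made six attempts, which matches the "6 > 3" PAM message in the excerpt.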

They are usually trying the most used passwords. So a very good password is already very good; however, you can also use SSH keys to authenticate. Without this SSH key you can’t log in, and there is no chance to “guess” this key in a reasonable time.

How to set up key authentication with PuTTY: https://system.cs.kuleuven.be/cs/system/security/ssh/setupkeys/putty-with-key.html
More info about the ssh keys: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

You will still get this “noise” in your logfiles but you don’t have to care about it (unless someone really manages to log in). Fail2ban or a different port just reduces the noise in the logfiles; it doesn’t really increase the security, but it adds a potential problem for you in that you might lock yourself out. If you are interested in more, read about security by obscurity. More important: run only services you need and that you have configured properly, and install security updates.


Installing Fail2Ban is not so complicated, mostly with one or two jails… The default parameters are good. But the most efficient thing is changing the listening port of SSH; I have never been attacked since my SSH server listens on a random port > 1024.

EDIT: I have also allowed only my IP to connect to SSH, which is more efficient :)

ufw allow proto tcp from 1.2.3.4 to any port 2243  # 2243 = SSH port

CAREFUL: This option needs a static and stable IP; if you don’t have one or if you plan to change ISP, don’t do this!


Thanks for the reply.

I was looking at the ssh key thing and looking at fail2ban

The thing with fail2ban is that it needs a timezone but I don't see what format it wants. Does it want local time… central time… or something else?

Also, I do want it to jail site logins and SSH logins. So far the guides I am looking at are one or the other and not very descriptive.

Also the ban time… is that in seconds, minutes, hours?

Can it be set to be permanent?

So many questions with fail2ban.

Also, with the SSH login with only one IP, is that the internal or external IP used in the tcp from IP to any port?

Come on. This is extremely dangerous, a lot of people here don’t have static IPs, if you only allow access from one IP and your IP changes you have a big problem (also if you have problems with your ISP). If you run Nextcloud at home, you could limit logins to your local network (should be possible within the SSH config).

Use SSH keys, this really improves the security. All this other stuff only increases the amount of code and applications running on your system which finally can backfire.


Sorry, you’re right about the static IP; here, in France, most ISPs give a static IP. I disagree about Fail2Ban, which is a must-have to protect proftpd, apache, SSH, and others on my dedicated server, and which is extremely efficient at doing this (waves of banning last week during a huge attack on my FTP, which runs on standard port 21…). But you’re right to promote SSH keys ;) I have edited my post to warn about what you said ;)

Lol ya, I kinda thought about that whole change-the-IP-and-then-screwed thing. I will look into the SSH keys.

A couple of questions I can think of right now.

Can the fork KiTTY be used for this? Since that is what I use.

Also how does this affect me logging into SSH with say my other computer or maybe a cell phone?

So how did you set up fail2ban to jail logins on site and SSH?

What time zone format is needed?

Did you have to change any log paths in the config.php file?

it needs a timezone but I don't see what format it wants

Never had to configure that.

So far the guides I am looking at are one or the other and not very descriptive.

On Google, you have plenty of good tutorials…

You will always get these things in your logs. So far I would say it's normal.

As mentioned by @tflidd, use key-based login.
I never allow logins with passwords to my servers. The first thing I do is switch to key-based logins with a PEM key, which I can use from home and office if needed. I wrote a simple post on this for myself on my blog for future usage. :)

I agree that changing the SSH port was, for me, the step that changed the most. Since I use some random WXYZ port I have never (and I mean never!) had an attack, for at least half a year.

  • Just change the port forwarding in your router to forward from a random outside port to 22 of your server. Then change the port in PuTTY/KiTTY accordingly.
  • Alternatively, change the listening port in your sshd_config and accordingly in the router and PuTTY/KiTTY.

Both are extremely easy and effective against random attacks, which of course go on random ports, because they are most promising in the random case ;)

Here are the steps I did and wrote down when I switched to key authentication for SSH:

  1. Download PuttyGen: https://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
  2. Start puttygen.exe, choose 4096 bit key size (at least I would recommend that) and click Generate.
  3. You can also choose a passphrase here. Without one you could log in without any password, but as someone could potentially get your private key, I would always recommend securing it further with a passphrase.
  4. When done, save the private key to some secure folder on your local (remote) system.
  5. On your server system do “mkdir ~/.ssh” to create the “.ssh” folder in your user's home directory.
  6. In this directory create a file named authorized_keys (nano ~/.ssh/authorized_keys) and copy the public key shown in PuttyGen into this file.
  7. In PuTTY/KiTTY go to Connection>SSH>Auth and choose the private key from your local system there.
  8. Finally, change /etc/ssh/sshd_config on your server:

RSAAuthentication yes
PubkeyAuthentication yes

  9. Log in to your server again and see if login with your key pair works as expected.
  10. If everything works fine, disable the possibility of user password login by setting “PasswordAuthentication no” inside /etc/ssh/sshd_config.

Actually, after that I would not see fail2ban as necessary any more. But I also use it, why not… If the time zone is asked for, it only makes sense that it needs the log files' time zone. fail2ban analyses /var/log/auth.log for login failures to ban the related IP address. So just see which time zone is used there by comparing your local time with the one used in the log for your last authentication. For SSH, fail2ban then works out of the box.

  • Nextcloud has already an integrated brute force protection, so fail2ban would just double that. Anyway before I knew that, I also enabled fail2ban to secure owncloud/nextcloud logins by doing these steps:

nano /etc/fail2ban/filter.d/nextcloud.conf

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

…add to the end of the file
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
maxretry = 3
bantime = 600
logpath = <path to nextcloud data folder>/nextcloud.log

Of course adjust maxretry and bantime to your needs.

service fail2ban restart

@tflidd @MichaIng @mmarif

Hey, thank you all for the replies and the help!

I have changed the SSH port from the default.

Made sure root login was disabled.

Tried fail2ban on a different test server… failed at setting that up… work in progress…

BUT…
I have created a public key paired with a private key on another test server and that works well. Set up with Pageant.

However, I do have a question about this. I have read a few things, messed with this a bit, and I do not understand how this helps protect me.

On the other server I set up the private key with a passphrase. I used my phone and was able to log in with the username and password.

If I can log in on another device with username and password and just accept the key, then what's stopping someone from brute forcing my password still and logging in? I guess I don't or can't figure out how this helps… I know I might be a bit slowww here lol.

Any thoughts or explanations would be great! Thanks again!

Hmm, when switching “PasswordAuthentication” inside your /etc/ssh/sshd_config to “no” it should not be possible any more to log in without the private key on the local system.

Did you check first that your login really worked as a key login with the private key passphrase and not as a normal user/password login? Your SSH client should say something like “Authenticating with public key "rsa-key-<creationDate>"”; maybe using Pageant this looks different, I don’t know. Recheck that PubkeyAuthentication is set to yes and not commented out anymore. RSAAuthentication is set to yes by default if it is not set, by the way.

If that is the case, recheck also that “PasswordAuthentication no” is not commented out anymore.

For debugging you could check /var/log/auth.log. My log shows:
Accepted publickey for <user> from <ip> port <port> ssh2: RSA xx:yy:zz:...

It would be interesting to see what it shows for your login with the phone, where the private key should not be present.

Hello
I did set it up and it does verify with the private key and the passphrase fine. When I use Pageant it does the passphrase for me.

I was able to log in through my phone with user name and PW.

And as I am typing this I do now see that PasswordAuthentication was set to yes.

Just tried it again and now I can't log in with user name and password… just with the key and passphrase.

Hmm, this is interesting… so is this the only reason to set that up? Like, to disable the password login? Or does it make it more secure somehow with the password enabled?

Thanks again!

Yes, it only makes the thing more secure, if you disable password authentication. Otherwise nothing changes, besides you could make your login one step faster, by also using no passphrase for the key.

As your setup is now: instead of username and password you now need username and passphrase, so until here nothing changed. BUT you also need a private key file of random 2048 or 4096 bit length that definitely can’t be guessed in a reasonable time, as it is theoretically for passwords. In the end you added a way stronger second factor for accessing your server.

Of course this is only the case if nobody has your private key and therefore also nobody has access to your local system. Therefore the passphrase makes sense, so that even in this case you still have at least a kind of user/password security.
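Added example (not part of the original thread): a Python check that reads an sshd_config and reports whether password logins are still effectively enabled, which is the state the poster was in while “PasswordAuthentication no” was commented out. The sample configs are constructed, and the defaults table is an assumption based on upstream OpenSSH 7.x as shipped with Ubuntu 16.04.

```python
# Assumed upstream OpenSSH 7.x defaults (the release line in Ubuntu 16.04),
# used when a keyword is missing or commented out.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Constructed sample: key login configured, password login never disabled.
BEFORE = """\
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""
# Constructed sample: the same file after uncommenting the line.
AFTER = BEFORE.replace("#PasswordAuthentication no", "PasswordAuthentication no")


def effective_settings(config_text):
    """Resolve the global value of each keyword in DEFAULTS.

    Keywords are case-insensitive, commented lines do not count, and for a
    repeated keyword the first value wins, as documented in sshd_config(5).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break  # conditional Match blocks are outside this simple check
        seen.setdefault(key, value)
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def audit(config_text):
    """Return (keyword, effective value, reason) for each weak setting."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", s["passwordauthentication"],
                         "passwords are still accepted and can be guessed"))
    if s["challengeresponseauthentication"] != "no":
        findings.append(("ChallengeResponseAuthentication",
                         s["challengeresponseauthentication"],
                         "PAM may still prompt for a password"))
    if s["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", s["pubkeyauthentication"],
                         "key login is disabled"))
    if s["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can log in with a password"))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "no password login path found")
```

sshd reads the file when it starts, so an edit only applies after the service is restarted or reloaded; on the server itself, `sshd -T` prints the authoritative effective values.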

OK, that makes sense.

I don't think that I have seen that step in any of the guides. I appreciate the help.

There is no reason why you want sshd “open” for the whole world, or HTTP(s) for that matter.
It’s a good thing to just block everything from China (and/or other countries you do not want or need any TCP connections with) in your firewall. There are simple solutions for that for most firewalls.

And fail2ban, as mentioned earlier.

SSH keys protect against intruder access to the server, not the NC login site.
NC should have a setting that allows admins to blacklist IPs or a number of failed attempts.