0

I have an Ubuntu server; first I ran into this, as I couldn't log in via ssh at all:

ssh connection takes forever to initiate, stuck at "pledge: network"

After a hard reboot, I could log in - but everything executes extremely slowly on the server - even if top said there is only about 1% CPU utilization.

When I tried to do an update, it got to here:

$ sudo apt update

Hit:1 http://dk.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://dk.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://dk.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]

... and now it is stuck, still waiting for the command to complete.

I managed to run:

$ grep Failed /var/log/auth.log
...
Apr 23 10:54:14 myserv sshd[1994]: Failed password for root from ::1 port 50182 ssh2
Apr 23 10:54:14 myserv sshd[1992]: Failed password for invalid user pt from ::1 port 50180 ssh2

... so clearly something is trying to brute-force into ssh.

Basically, I would have tried to use fail2ban - however, the IP address reported is ::1, which as I can see, is usually whitelisted in fail2ban.

Is it possible to inspect where these attempts are coming from - and possibly mitigate them via fail2ban (or something similar)?

sdaau
  • 101

1 Answer

0

::1 is the loopback address in IPv6. The equivalent of 127.0.0.1 for IPv4.

Your server cannot brute-force itself. If your server has been compromised, you should completely reinstall it.

As a general recommendation, try to use an SSH port different from the default.

Overmind
  • 3,221
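Added example, not written by either poster: a small Python triage of the `Failed password` lines quoted in the question, separating loopback sources (`::1`, `127.0.0.0/8`, IPv4-mapped loopback) from remote ones. The names `FAILED_RE`, `is_local_origin` and `summarize` are hypothetical, and the third sample line is constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Matches sshd lines such as:
#   sshd[1994]: Failed password for root from ::1 port 50182 ssh2
#   sshd[1992]: Failed password for invalid user pt from ::1 port 50180 ssh2
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def is_local_origin(src):
    """True when the source is a loopback address (::1 or 127.0.0.0/8)."""
    addr = ipaddress.ip_address(src)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before testing.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback

def summarize(lines):
    """Group failed logins by source: origin, attempt count, users, ports."""
    report = defaultdict(
        lambda: {"local": False, "count": 0, "users": set(), "ports": []})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            local = is_local_origin(m["src"])
        except ValueError:
            continue  # source is not an IP literal
        entry = report[m["src"]]
        entry["local"] = local
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["ports"].append(int(m["port"]))
    return dict(report)

# First two lines are from the question; the third is constructed.
SAMPLE = [
    "Apr 23 10:54:14 myserv sshd[1994]: Failed password for root from ::1 port 50182 ssh2",
    "Apr 23 10:54:14 myserv sshd[1992]: Failed password for invalid user pt from ::1 port 50180 ssh2",
    "Apr 23 10:55:02 myserv sshd[2001]: Failed password for root from 203.0.113.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        origin = "LOCAL (loopback)" if e["local"] else "remote"
        print(src, origin, e["count"], sorted(e["users"]), e["ports"])
```

A source flagged as local means the TCP connection to sshd was opened on the host itself, so banning the address is not the relevant control. While such a connection is live, the logged source port can be matched to its owning process with `ss -tnp`.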