- Fresh install of Fedora 25 Server
- Server behind a router with only a few NAT-rules
- Many SSH login attempts from hundreds of different IPs / ports (ever-changing)
- Recently, attacks / exploits on nginx (running in a Docker instance) show up in the log, too.
A few examples from the log:
error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]
error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"
I went through the basic hardening measures at install, including only allowing SSH login with a certificate (no passwords, no root).
Questions
- How can the attackers reach different ports on my LAN, not configured in NAT? UPnP…?
- Is it possible to block / stop these blind attacks?
Additional and possibly relevant information
I use the Dynamic DNS service freedns.afraid.org with a newly registered domain name.