Recently, I started automating the deployment process for one of my personal projects. Part of the workflow was allowing Github Actions to ssh into my Raspberry Pi machine to run some commands. To make it work, I opened port 22 and applied port forwarding. Everything seemed to work great until I found these suspicious logs:

Nov 28 10:12:11 raspberrypi sshd[93222]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.187  user=root
Nov 28 10:12:13 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:17 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:20 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:21 raspberrypi sshd[93222]: Received disconnect from 218.92.0.187 port 31026:11:  [preauth]
Nov 28 10:12:21 raspberrypi sshd[93222]: Disconnected from authenticating user root 218.92.0.187 port 31026 [preauth]
Nov 28 10:12:21 raspberrypi sshd[93222]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.187  user=root

Initially, I thought these logs must be related to Github Actions as it is the only external source sshing in. However, the use of the root user was a red flag, and additionally the login attempts were repeated periodically. I immediately looked up the IP address here and confirmed it was flagged in malware incidents and spamming activities. Fortunately, the attack was not possible as I was using key-based authentication, but it is a wake-up call reminding me of the importance of security. I did some research about best practices and added additional security layers to make it even more difficult to hack. Here’s what I learned about securing an ssh connection:
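Spotting this pattern by eye works once, but a small detector makes it repeatable. The following script is an added example (not code from the original post): it parses the `Failed password` lines sshd writes, flags any source address that accumulates a threshold of failures inside a sliding time window, and lists which addresses tried the root account at all. The sample log is constructed from the lines shown above plus one unrelated failure from 192.0.2.10 for contrast; syslog timestamps carry no year, so the `year` parameter is an assumption the caller supplies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Failed password" line per rejected attempt; the optional "invalid user"
# prefix appears when the user name does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample: the rejected attempts from the post plus one unrelated
# failure from a documentation-range address, so the threshold has something to skip.
SAMPLE_LOG = """\
Nov 28 10:12:11 raspberrypi sshd[93222]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.187  user=root
Nov 28 10:12:13 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:17 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:20 raspberrypi sshd[93222]: Failed password for root from 218.92.0.187 port 31026 ssh2
Nov 28 10:12:21 raspberrypi sshd[93222]: Disconnected from authenticating user root 218.92.0.187 port 31026 [preauth]
Nov 28 10:13:05 raspberrypi sshd[93240]: Failed password for pi from 192.0.2.10 port 50000 ssh2
"""


def parse_failures(log_text, year=2024):
    """Return (timestamp, user, ip) for every 'Failed password' line.

    The year is an assumption: syslog-style timestamps do not record it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def brute_force_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for addresses with >= threshold failures
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def root_login_attempts(log_text):
    """Addresses that tried the root account; with PermitRootLogin no these
    attempts are refused before any password is checked."""
    return sorted({ip for _ts, user, ip in parse_failures(log_text) if user == "root"})


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("root attempts from:", root_login_attempts(SAMPLE_LOG))
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh --no-pager` output on systemd hosts) instead of the sample to get the same report for a real machine; the window and threshold are the knobs to tune against your own baseline of legitimate failures.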

  • Use Key-based Authentication
  • Disable Root Login
  • Use Hard-to-Guess Port
  • IP Whitelisting
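The four points above map onto a handful of `sshd_config` directives, and it is easy to believe they are applied when one of them is still commented out. The script below is an added example (not the post's own configuration): it parses an `sshd_config` text and reports which of the four points are missing. Both configs are constructed samples; the port number `2222`, the user name `deploy`, and the allowed network `203.0.113.0/24` are placeholders, not values from the post. The parser stops at the first `Match` block, because directives after it are conditional and would otherwise be mistaken for global settings.

```python
import re

# Constructed sample: a near-default config like the one the post started with.
# Commented-out lines are what the OpenSSH package ships, so nothing is enforced.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
"""

# Constructed sample: the same file after applying the four points.
# Placeholders: port 2222, user "deploy", source network 203.0.113.0/24.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers deploy@203.0.113.0/24
Match User deploy
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {keyword: value} for global directives only.

    Stops at the first 'Match' line, since everything after it is conditional.
    sshd honours the first occurrence of a keyword, so later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (point, message) findings; an empty list means all
    four hardening points are present in the global section."""
    s = parse_sshd_config(text)
    findings = []

    # 1. Key-based authentication: both password and keyboard-interactive
    #    (the PAM password prompt) must be off, or passwords still work.
    if (s.get("passwordauthentication", "yes").lower() != "no"
            or s.get("kbdinteractiveauthentication", "yes").lower() != "no"):
        findings.append(("key-auth",
                         "PasswordAuthentication/KbdInteractiveAuthentication not both 'no'"))

    # 2. Root login: the upstream default is prohibit-password, not no.
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append(("root-login", "PermitRootLogin is not 'no'"))

    # 3. Non-default port.
    if s.get("port", "22") == "22":
        findings.append(("port", "sshd still listens on port 22"))

    # 4. IP whitelisting at the sshd level: every AllowUsers entry should carry
    #    a user@host (or user@CIDR) source restriction.
    allow = s.get("allowusers")
    if not allow or not all("@" in entry for entry in allow.split()):
        findings.append(("ip-allowlist",
                         "AllowUsers missing or entries lack a user@host restriction"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Point it at the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Two caveats a practitioner should keep in mind: a firewall rule on the router or host achieves the same IP restriction as the `AllowUsers user@host` form, so an empty finding here is not the only way to satisfy point 4; and after editing the file, `sudo sshd -t` validates the syntax before a restart, which avoids locking yourself out of a headless Pi.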

It really taught me a lesson that automation should never introduce security risks, and I’m so pumped to learn more about other best practices and monitoring tools when it comes to server security!