
Author Topic: My new VPS attacked.  (Read 2244 times)


TheWaffle

    Topic Starter


    Hopeful
  • Experience: Beginner
  • OS: Linux variant
My new VPS attacked.
« on: December 07, 2018, 05:08:32 AM »
I rented a VPS from a company. I was attempting to set up a vanilla OpenVPN server. Last night I was almost successful, but I put a passcode on my DH params. (AFAICT this was a mistake.) This prevented the daemon from starting correctly.

Anyways, I was hit by what looks like a dictionary attack last night/a couple hours ago. How do I know if the attacker was successful? I attached the log/mail.

I do not recognize an IP address. My OpenVPN network is 10.8.0.0/24, but it is not running. I do not know where the IP address of 10.17.0.5 came from. Any ideas?

I don't have anything sensitive or even personal on this server.  I figured it would be fun to poke around before I delete it and start over.

TheWaffle

    Topic Starter


    Hopeful
  • Experience: Beginner
  • OS: Linux variant
Re: My new VPS attacked.
« Reply #1 on: December 07, 2018, 05:25:38 AM »
The second IP address points to the hosting provider's internal network.

myyskie



    Greenhorn

    • Experience: Beginner
    • OS: Windows 10
    Re: My new VPS attacked.
    « Reply #2 on: December 08, 2018, 12:43:42 AM »
    That's normal; most of those are bots. It happens to many sites; I mean, most sites are being attacked like that. It's like they are pinging and trying to do a dictionary attack. You can install some software to ban those IPs if they try to log in for 2 consecutive tries, or do SSH login. To know if they were successful, you can check the logs and verify the last logged-in IP address; if it's not your IP, then 100% your server is compromised.
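
The log check described in the reply above, as an added example that is not part of any post in this thread: it counts failed SSH logins per source IP and lists every accepted login from an address you do not recognise. It assumes OpenSSH's standard syslog messages; the function name `triage`, the `known_ips` set and the sample lines are constructed for illustration, and the ban threshold counts total failures per IP rather than strictly consecutive ones.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Dec  7 03:12:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  7 03:12:03 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Dec  7 03:12:05 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec  7 03:15:40 vps sshd[1210]: Failed password for root from 192.0.2.44 port 40022 ssh2
Dec  7 03:20:10 vps sshd[1222]: Accepted publickey for waffle from 198.51.100.7 port 50510 ssh2
Dec  7 04:02:31 vps sshd[1300]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches sshd's "Failed/Accepted <method> for [invalid user ]<user> from <ip> port <n>".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, known_ips, ban_threshold=2):
    """Return (suspicious_logins, ban_candidates) for the given auth log text.

    suspicious_logins: accepted logins from IPs outside known_ips, in log order,
    each with the number of failures seen from that IP before the login.
    ban_candidates: sorted IPs with at least ban_threshold failed attempts.
    """
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # not an sshd authentication result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif ip not in known_ips:
            suspicious.append({
                "user": m["user"], "ip": ip, "method": m["method"],
                "failed_before": failures[ip],
            })
    ban = sorted(ip for ip, count in failures.items() if count >= ban_threshold)
    return suspicious, ban

if __name__ == "__main__":
    logins, ban = triage(SAMPLE_LOG, known_ips={"198.51.100.7"})
    print("accepted logins from unknown IPs:", logins)
    print("ban candidates:", ban)
```

An empty result only means the log records no unfamiliar successful login; an intruder who gained root can edit or delete the log, so the check is a first look rather than proof.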

    niketathakare



      Rookie

      • Experience: Beginner
      • OS: Windows 7
      Re: My new VPS attacked.
      « Reply #3 on: December 28, 2018, 03:58:23 AM »
      A DDoS-secured VPS gives the capacity to relieve these sorts of dangers to your site. We trust that you shouldn't need to buy extra security or invest weeks stressing over getting an assurance stage introduced on your server to ensure against DDoS assaults. That is the reason at InMotion Hosting we consider your server's security important and give DDoS assurance on your VPS at no extra expense.

      In the event that your site or DDoS-Protected VPS server is focused in a DDoS assault, our particular server structure gives a boundary against the web trouble makers and our master group of framework heads work to guard your home on the web. Remember that these assaults can keep going for quite a while, however we work all day, every day to guarantee your site stays DDoS secured.

      How would I know whether I am being assaulted? Do I have to contact InMotion Hosting? By and large on the off chance that you are being assaulted, you will see that your site might be inaccessible, and your email may not work appropriately. A DDoS assault can likewise influence your cPanel organization page. Our day in and day out US based help is remaining by to accept your call, talk or email, so don't dither to contact us.

      niketathakare



        Rookie

        • Experience: Beginner
        • OS: Windows 7
        Re: My new VPS attacked.
        « Reply #4 on: December 31, 2018, 01:48:16 AM »
        Good passwords (or eliminate password based login entirely and use SSH keys exclusively to authenticate), oddball SSH ports, and stop caring about failed login attempts. You can't do anything about them, so don't bother.

        OR, if you want to get really fancy, create a VPN endpoint for all the stuff that you have to connect to first. But that's overkill.

        *censored*, a decade ago, we had enough SSH brute force password login attempts that the CPU use for it was affecting throughput on some of our routers (I worked at a small WISP). We moved stuff to an oddball port and the problem went away.

        It's not you. It's not your server. It's just that you happen to have a "public IP address" and this is general background noise of the interwebs.

        Here's a quick report from a log on a box of mine that has port 22 open to the intarwebs: