On Mon, November 27, 2017 12:13 pm, Leroy Tennison wrote:
And if you're really security conscious consider using port knocking (knock server - amazingly easy to set up. Or use fwknop, a little more difficult to set up but not much. Finally, for the hard core who really like pain - write the iptables rules yourself).
Here is a quite trivial (but effective!) one:
:SSHSCAN - [0:0]
....
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
-A SSHSCAN -m recent --set --name SSH
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
....
Valeri
----- Original Message -----
From: "Pete Biggs" pete@biggs.org.uk
To: "centos" centos@centos.org
Sent: Monday, November 27, 2017 11:53:30 AM
Subject: Re: [CentOS] Failed attempts
On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
hi All,
I happened to log in to one of my servers today and saw 96000 failed login attempts. Shown below is the address it's coming from. I added it to my firewall to drop.
Failed password for root from 123.183.209.135 port 14299 ssh2
FYI - others might be seeing it also.
As others have said, it's normal: dictionary based brute forcing of root; and no surprise that that IP is based in China. Welcome to the Internet.
Primarily you need to make sure your root password is strong so it isn't vulnerable to this sort of attack. If it is, then the most nasty thing about this sort of thing is that your logs fill up.
For your sanity then you can do the following:
- disallow ssh root logins by password (login as an unprivileged user or use keys)
- run something like fail2ban which will block a host for a predetermined amount of time after a number of failures.
- don't run ssh on 22, use a different port. (Things get a lot quieter when you do that, but it comes with its own problems and don't get complacent because someone will find the port eventually.)
- if you only have a limited number of hosts or subnets logging in to your machine, adjust the firewall so that only they are allowed through.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
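
Added example (not part of the original thread or any poster's code): a small Python model of the SSHSCAN rules quoted above, replaying constructed connection times to show which NEW connections the `recent` match would drop. It assumes one NEW packet per connection attempt and xt_recent's default of 20 remembered timestamps per address; the names and the documentation-range addresses are made up for the illustration.

```python
from collections import defaultdict, deque

SECONDS, HITCOUNT = 300, 10   # --seconds 300 --hitcount 10 from the rules above
RING = 20                     # assumption: xt_recent default timestamps kept per address

class RecentList:
    """Simplified model of one `-m recent` list (--name SSH)."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=RING))

    def set(self, src, now):
        # --set: remember this packet's arrival time; traversal continues
        self.stamps[src].append(now)

    def update(self, src, now):
        # --update: match when >= HITCOUNT stamps are at most SECONDS old,
        # and refresh the entry on a match, which extends the block
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

def filter_new_ssh(events):
    """events: (time_s, src) per NEW connection to port 22 -> [(time_s, src, verdict)]."""
    ssh, out = RecentList(), []
    for now, src in sorted(events):
        ssh.set(src, now)                          # -A SSHSCAN -m recent --set
        verdict = "DROP" if ssh.update(src, now) else "ACCEPT"
        out.append((now, src, verdict))
    return out

def verdicts_for(results, src):
    return [v for _, s, v in results if s == src]

# Constructed sample traffic (documentation address ranges, not from the thread)
SCANNER, ADMIN = "198.51.100.7", "192.0.2.10"
EVENTS = ([(2 * k, SCANNER) for k in range(15)]    # 15 attempts, 2 s apart
          + [(200, SCANNER), (501, SCANNER)]       # retry inside / after the window
          + [(5, ADMIN), (100, ADMIN), (250, ADMIN)])

if __name__ == "__main__":
    for now, src, verdict in filter_new_ssh(EVENTS):
        print(f"t={now:>3}s {src:<13} {verdict}")
```

In this model the tenth NEW connection inside the window is the first one dropped, and the block lasts until the source has been quiet for more than 300 seconds. A host that legitimately opens more than nine SSH connections in five minutes is blocked in the same way as the scanner.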