Pete Biggs wrote:
On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
hi All,
I happened to log in to one of my servers today and saw 96000 failed login attempts. Shown below is the address it's coming from. I added it to my firewall to drop.
Failed password for root from 123.183.209.135 port 14299 ssh2
FYI - others might be seeing it also.
As others have said, it's normal: dictionary based brute forcing of root; and no surprise that that IP is based in China. Welcome to the Internet.
As opposed to, say, Brazil (yes, for some reason, a lot hit us from there).
Primarily you need to make sure your root password is strong so it isn't vulnerable to this sort of attack. If it is, then the most nasty thing about this sort of thing is that your logs fill up.
For your sanity then you can do the following:
- disallow ssh root logins by password (login as an unprivileged user or use keys)
If you're not doing the above, you should start doing that... about 10 years ago. Disallow root login except via keys this very minute, and do it everywhere.
- run something like fail2ban which will block a host for a predetermined amount of time after a number of failures.
We've been running fail2ban at work for a good bunch of years, and I run it at home. It's good, and std. repo.
- don't run ssh on 22, use a different port. (Things get a lot quieter when you do that, but it comes with its own problems and don't get complacent because someone will find the port eventually.)
I consider that pointless security-through-obscurity.
- if you only have a limited number of hosts or subnets logging in to your machine, adjust the firewall so that only they are allowed through.
Yep. And iptables rules are not that big a deal to write.
mark
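As an added example that is not part of the thread: the fail2ban-style rule Pete describes (block a source after a number of failures within a time window) written as a small Python check over constructed sshd log lines in the shape Jerry quoted. The function names, the sample log, and the addresses (documentation ranges) are all made up here; the thresholds mirror fail2ban's maxretry/findtime idea rather than its actual code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd line shape quoted in the thread, plus the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one fast dictionary run, one slow trickle, one successful key login.
SAMPLE_AUTH_LOG = """\
Nov 27 12:10:01 host1 sshd[2101]: Failed password for root from 192.0.2.10 port 14299 ssh2
Nov 27 12:10:02 host1 sshd[2103]: Failed password for root from 192.0.2.10 port 14301 ssh2
Nov 27 12:10:04 host1 sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 14305 ssh2
Nov 27 12:10:05 host1 sshd[2107]: Failed password for root from 192.0.2.10 port 14309 ssh2
Nov 27 12:10:07 host1 sshd[2109]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Nov 27 12:10:09 host1 sshd[2111]: Failed password for root from 192.0.2.10 port 14312 ssh2
Nov 27 12:15:00 host1 sshd[2140]: Failed password for root from 198.51.100.7 port 50130 ssh2
Nov 27 12:40:00 host1 sshd[2190]: Failed password for root from 198.51.100.7 port 50131 ssh2
Nov 27 12:41:00 host1 sshd[2192]: Failed password for root from 198.51.100.7 port 50132 ssh2
Nov 27 12:42:00 host1 sshd[2194]: Failed password for root from 198.51.100.7 port 50133 ssh2
Nov 27 12:43:00 host1 sshd[2196]: Failed password for root from 198.51.100.7 port 50134 ssh2
"""

def parse_failures(lines, year=2017):
    """Yield (timestamp, ip, user) for each failed-password line; syslog lines carry no year."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def offenders(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a sliding findtime window."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} at {when}")  # 192.0.2.10 trips; the slow trickle from 198.51.100.7 does not
```

The slow source stays under the threshold only because its first failure falls out of the 600 s window; widening findtime (as fail2ban lets you) catches it too, at the cost of more false positives from legitimate typos.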