[CentOS] Failed attempts

Mon Nov 27 17:53:30 UTC 2017
Pete Biggs <pete at biggs.org.uk>

On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
> hi All,
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
> Failed password for root from port 14299 ssh2
> FYI - others might be seeing it also.

As others have said, it's normal: dictionary based brute forcing of
root; and no surprise that that IP is based in China. Welcome to the

Primarily you need to make sure your root password is strong so it
isn't vulnerable to this sort of attack. If it is, then the most nasty
thing about this sort of thing is that your logs fill up.

For your sanity then you can do the following:

  - disallow ssh root logins by password (login as an unprivileged user
 or use keys)

  - run something like fail2ban which will block a host for a
predetermined amount of time after a number of failures.  

  - don't run ssh on 22, use a different port.  (Things get a lot
quieter when you do that, but it comes with it's own problems and don't
get complacent because someone will find the port eventually.)

  - if you only have a limited number of hosts or subnets logging in to
your machine, adjust the firewall so that only they are allowed