On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
> Hi All,
>
> I happened to log in to one of my servers today and saw 96000 failed login
> attempts. Shown below is the address it's coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 18.104.22.168 port 14299 ssh2
>
> FYI - others might be seeing it also.
>

As others have said, it's normal: dictionary-based brute forcing of root; and no surprise that that IP is based in China. Welcome to the Internet.

Primarily you need to make sure your root password is strong so it isn't vulnerable to this sort of attack. If it is, then the most nasty thing about this sort of thing is that your logs fill up.

For your sanity then you can do the following:

- disallow ssh root logins by password (login as an unprivileged user or use keys)
- run something like fail2ban which will block a host for a predetermined amount of time after a number of failures.
- don't run ssh on 22, use a different port. (Things get a lot quieter when you do that, but it comes with its own problems and don't get complacent because someone will find the port eventually.)
- if you only have a limited number of hosts or subnets logging in to your machine, adjust the firewall so that only they are allowed through.

P.