[CentOS] Failed attempts

Mon Nov 27 18:13:22 UTC 2017
Leroy Tennison <leroy at datavoiceint.com>

And if you're really security conscious consider using port knocking (knock server - amazingly easy to set up. Or use fwknop, a little more difficult to set up but not much.  Finally, for the hard core who really like pain - write the iptables rules yourself).

----- Original Message -----
From: "Pete Biggs" <pete at biggs.org.uk>
To: "centos" <centos at centos.org>
Sent: Monday, November 27, 2017 11:53:30 AM
Subject: Re: [CentOS] Failed attempts

On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
> hi All,
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
> Failed password for root from port 14299 ssh2
> FYI - others might be seeing it also.

As others have said, it's normal: dictionary based brute forcing of
root; and no surprise that that IP is based in China. Welcome to the

Primarily you need to make sure your root password is strong so it
isn't vulnerable to this sort of attack. If it is, then the most nasty
thing about this sort of thing is that your logs fill up.

For your sanity then you can do the following:

  - disallow ssh root logins by password (login as an unprivileged user
 or use keys)

  - run something like fail2ban which will block a host for a
predetermined amount of time after a number of failures.  

  - don't run ssh on 22, use a different port.  (Things get a lot
quieter when you do that, but it comes with it's own problems and don't
get complacent because someone will find the port eventually.)

  - if you only have a limited number of hosts or subnets logging in to
your machine, adjust the firewall so that only they are allowed


CentOS mailing list
CentOS at centos.org