On Mon, November 27, 2017 12:13 pm, Leroy Tennison wrote: > And if you're really security conscious consider using port knocking > (knock server - amazingly easy to set up. Or use fwknop, a little more > difficult to set up but not much. Finally, for the hard core who really > like pain - write the iptables rules yourself). Here is quite trivial (but effective!) one: :SSHSCAN - [0:0] .... -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN -A SSHSCAN -m recent --set --name SSH -A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP -A INPUT -p tcp --dport 22 -j ACCEPT .... Valeri > > ----- Original Message ----- > From: "Pete Biggs" <pete at biggs.org.uk> > To: "centos" <centos at centos.org> > Sent: Monday, November 27, 2017 11:53:30 AM > Subject: Re: [CentOS] Failed attempts > > On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote: >> hi All, >> >> I happened to login to one of my servers today and saw 96000 failed >> login >> attempts. shown below is the address its coming from. I added it to my >> firewall to drop. >> >> Failed password for root from 123.183.209.135 port 14299 ssh2 >> >> FYI - others might be seeing it also. >> > > As others have said, it's normal: dictionary based brute forcing of > root; and no surprise that that IP is based in China. Welcome to the > Internet. > > Primarily you need to make sure your root password is strong so it > isn't vulnerable to this sort of attack. If it is, then the most nasty > thing about this sort of thing is that your logs fill up. > > For your sanity then you can do the following: > > - disallow ssh root logins by password (login as an unprivileged user > or use keys) > > - run something like fail2ban which will block a host for a > predetermined amount of time after a number of failures. > > - don't run ssh on 22, use a different port. (Things get a lot > quieter when you do that, but it comes with it's own problems and don't > get complacent because someone will find the port eventually.) > > - if you only have a limited number of hosts or subnets logging in to > your machine, adjust the firewall so that only they are allowed > through. > > P. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++