[CentOS] Failed attempts

Mon Nov 27 19:02:50 UTC 2017
m.roth at 5-cent.us <m.roth at 5-cent.us>

Pete Biggs wrote:
> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
>> hi All,
>>
>> I happened to login to one of my servers today and saw 96000 failed
>> login attempts. shown below is the address it's coming from. I added it
>> to my firewall to drop.
>>
>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>
>> FYI - others might be seeing it also.
>>
> As others have said, it's normal: dictionary based brute forcing of
> root; and no surprise that that IP is based in China. Welcome to the
> Internet.

As opposed to, say, Brazil (yes, for some reason, a lot hit us from there).
>
> Primarily you need to make sure your root password is strong so it
> isn't vulnerable to this sort of attack. If it is, then the most nasty
> thing about this sort of thing is that your logs fill up.
>
> For your sanity then you can do the following:
>
>   - disallow ssh root logins by password (login as an unprivileged user
>  or use keys)

If you're not doing the above, you should start doing that... about 10
years ago. Disallow root login except via keys this very minute, and do it
everywhere.
>
>   - run something like fail2ban which will block a host for a
> predetermined amount of time after a number of failures.

We've been running fail2ban at work for a good bunch of years, and I run
it at home. It's good, and std. repo.
>
>   - don't run ssh on 22, use a different port.  (Things get a lot
> quieter when you do that, but it comes with its own problems and don't
> get complacent because someone will find the port eventually.)

I consider that pointless security-through-obscurity.
>
>   - if you only have a limited number of hosts or subnets logging in to
> your machine, adjust the firewall so that only they are allowed
> through.

Yep. And iptables rules are not that big a deal to write.

         mark
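The four mitigations the thread lists (no password logins for root, fail2ban, a different port, and a firewall allowlist), plus a quick way to count the failed attempts Jerry saw, written up as an added shell example. This is not code from the thread or from any of its participants. The sample log lines, the temporary config file, the 192.0.2.0/24 allowlist subnet and the fail2ban thresholds are all assumptions constructed for the example; the only value taken from the thread is the source address in the quoted log line. The sshd_config function goes one step further than Pete's bullet by turning password authentication off for every user, not only root, which is what "use keys" amounts to in practice.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Paths, subnet, thresholds and the
# log sample below are assumptions constructed for illustration.

# Constructed sample of /var/log/secure lines, modelled on the line quoted in
# the thread. 198.51.100.7 and 192.0.2.10 are RFC 5737 documentation addresses.
SAMPLE_LOG='Nov 27 12:01:01 host sshd[1001]: Failed password for root from 123.183.209.135 port 14299 ssh2
Nov 27 12:01:03 host sshd[1002]: Failed password for root from 123.183.209.135 port 14300 ssh2
Nov 27 12:01:05 host sshd[1003]: Failed password for invalid user admin from 123.183.209.135 port 14301 ssh2
Nov 27 12:02:00 host sshd[1004]: Accepted publickey for jerry from 192.0.2.10 port 50000 ssh2
Nov 27 12:03:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 40001 ssh2'

# 1. Triage: count "Failed password" lines per source address, busiest first.
#    Reads log text on stdin and prints one "<count> <ip>" line per address,
#    so a quick check of the log answers "is this one host or many?".
count_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# 2. sshd_config: drop any existing (commented or not) PermitRootLogin and
#    PasswordAuthentication lines, then append the hardened settings.
#    $1 is the file to edit; run it on a copy first, then on /etc/ssh/sshd_config
#    and reload sshd. "prohibit-password" needs OpenSSH 7.0 or newer (CentOS 7);
#    older releases spell the same setting "without-password".
harden_sshd_config() {
    f="$1"
    sed -i.bak -e '/^[#[:space:]]*PermitRootLogin[[:space:]]/d' \
               -e '/^[#[:space:]]*PasswordAuthentication[[:space:]]/d' "$f"
    printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' >> "$f"
}

# 3. fail2ban: a minimal sshd jail for /etc/fail2ban/jail.local (CentOS keeps
#    sshd logs in /var/log/secure). Printed to stdout so the caller decides
#    where it is written. Thresholds are assumptions: 5 failures within 10
#    minutes earns a one-hour ban.
fail2ban_sshd_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/secure
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# 4. Firewall allowlist: accept new ssh connections only from the subnets given
#    as arguments and drop the rest. Echoes the iptables commands instead of
#    running them, since applying them needs root and a review of rule order.
ssh_allowlist_rules() {
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Demonstration on a throwaway copy of a config file, never the live one.
tmp=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' 'X11Forwarding no' > "$tmp"
harden_sshd_config "$tmp"
echo "--- hardened sshd_config fragment:"; cat "$tmp"
rm -f "$tmp" "$tmp.bak"
echo "--- failed logins per source address:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_by_ip
echo "--- jail.local fragment:"; fail2ban_sshd_jail
echo "--- firewall rules for one allowed subnet:"; ssh_allowlist_rules 192.0.2.0/24
```

Feed the real log with `count_failed_by_ip < /var/log/secure` to see whether the 96000 attempts come from one address, which fail2ban handles well, or from many, where only the allowlist rules or key-only authentication really help. The DROP rule must sit after any rule that accepts established connections, or an existing session will be cut off the moment the rules load.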