On 11/27/2017 12:10 PM, Jerry Geis wrote: > hi All, > > I happened to login to one of my servers today and saw 96000 failed login > attempts. shown below is the address its coming from. I added it to my > firewall to drop. > > Failed password for root from 123.183.209.135 port 14299 ssh2 > > FYI - others might be seeing it also. > You're going to see this probably quite a lot on a server that has port 22 open to the world. All the linux boxes I have internet accessible have a couple of things setup to prevent a lot of that: Lock down SSH to accept only login requests from one IP (or a range, but I prefer a single IP most of the time if I can manage it). Use a non-standard SSH port (and not a variation like 2222 or some such, just make sure you remember what it is). Fail2ban is your friend. Seriously though, Fail2Ban is simply amazing. It will block IPs using IPtables without needing to write your own rules. Will email you a log if you like. And will generally help you sleep better at night. I've got a couple of web servers that I have running Fail2Ban with a maximum of 3 failed logins and once that's reached, the IP is blocked for a week. An hour just won't cut it nowadays, IMHO. It's pretty trivial to setup and uses very little in resources. -- Mark Haney Network Engineer at NeoNova 919-460-3330 option 1 mark.haney at neonova.net www.neonova.net