[CentOS] Failed attempts

Mon Nov 27 21:25:52 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Mon, November 27, 2017 1:22 pm, Mark Haney wrote:
> On 11/27/2017 12:10 PM, Jerry Geis wrote:
>> hi All,
>> I happened to log in to one of my servers today and saw 96000 failed login
>> attempts. Shown below is the address it's coming from. I added it to my
>> firewall to drop.
>> Failed password for root from port 14299 ssh2
>> FYI - others might be seeing it also.
> You're going to see this probably quite a lot on a server that has port
> 22 open to the world.  All the linux boxes I have internet accessible
> have a couple of things setup to prevent a lot of that:
> Lock down SSH to accept only login requests from one IP (or a range, but
> I prefer a single IP most of the time if I can manage it).
> Use a non-standard SSH port (and not a variation like 2222

All ports above 1023 on UNIX and Linux systems can be opened by a regular
user, without requiring root access to the machine. Therefore, this has always
been considered a potential security risk.

One more comment about obscuring the ssh service by running it on a
non-standard port (e.g. any port but 22). In my book this constitutes
"security by obscurity", which all my sysadmin colleagues considered a
"Windows-like" way of dealing with problems. (Think of pushing the trash on
the floor under the carpet.)

> or some such,
> just make sure you remember what it is).
> Fail2ban is your friend.
> Seriously though, Fail2Ban is simply amazing.

Exactly. And some other measures already mentioned in this thread
(sshguard, iptables rulesets, ...)

> It will block IPs using
> IPtables without needing to write your own rules.  Will email you a log
> if you like.  And will generally help you sleep better at night.  I've
> got a couple of web servers that I have running Fail2Ban with a maximum
> of 3 failed logins and once that's reached, the IP is blocked for a
> week.  An hour just won't cut it nowadays, IMHO.  It's pretty trivial to
> setup and uses very little in resources.
> --
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.haney at neonova.net
> www.neonova.net
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
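As an added example that is not part of the thread, this small Python replay emulates the Fail2Ban sshd jail Mark describes (three failed logins, then the source IP is blocked for a week) over constructed log lines in the format Jerry quoted; the 10-minute findtime, the host name and the documentation-range addresses are assumptions, and the real tool would hand the banned IP to iptables.

```python
# Emulates the fail2ban sshd jail described above: MAXRETRY "Failed password"
# lines from one source IP inside FINDTIME get that IP banned for BANTIME.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                      # Mark's setting: three failed logins
BANTIME = timedelta(weeks=1)      # Mark's setting: blocked for a week
FINDTIME = timedelta(minutes=10)  # fail2ban's default; not stated in the thread

# Matches the sshd line quoted in the thread, with the source address present.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$")

def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; assume the thread's year (2017)
    return datetime.strptime("2017 " + m["ts"], "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines):
    """Replay log lines in order; return {ip: ban_expiry} for sources that hit
    MAXRETRY failures inside a sliding FINDTIME window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip]:
            continue             # already banned: the firewall drops this traffic
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()     # failures older than FINDTIME no longer count
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            window.clear()
    return bans

# Constructed sample log; 198.51.100.7 and 203.0.113.9 are documentation addresses.
SAMPLE_LOG = [
    "Nov 27 12:05:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 14299 ssh2",
    "Nov 27 12:05:03 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 14301 ssh2",
    "Nov 27 12:05:06 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 14305 ssh2",
    "Nov 27 12:07:00 web1 sshd[2111]: Failed password for deploy from 203.0.113.9 port 50130 ssh2",
    "Nov 27 12:40:00 web1 sshd[2120]: Failed password for deploy from 203.0.113.9 port 50140 ssh2",
    "Nov 27 12:41:00 web1 sshd[2121]: Failed password for deploy from 203.0.113.9 port 50141 ssh2",
]
```

The second address never accumulates three failures inside one findtime window, so only the first is banned, which is the difference between a brute-force source and an admin who mistyped a password.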