[CentOS] Failed attempts

Mon Nov 27 19:22:18 UTC 2017
Mark Haney <mark.haney at neonova.net>

On 11/27/2017 12:10 PM, Jerry Geis wrote:
> hi All,
>
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.
>
You're going to see this probably quite a lot on a server that has port 
22 open to the world.  All the linux boxes I have internet accessible 
have a couple of things setup to prevent a lot of that:

Lock down SSH to accept only login requests from one IP (or a range, but 
I prefer a single IP most of the time if I can manage it).
Use a non-standard SSH port (and not a variation like 2222 or some such, 
just make sure you remember what it is).
Fail2ban is your friend.

Seriously though, Fail2Ban is simply amazing.  It will block IPs using 
IPtables without needing to write your own rules.  Will email you a log 
if you like.  And will generally help you sleep better at night.  I've 
got a couple of web servers that I have running Fail2Ban with a maximum 
of 3 failed logins and once that's reached, the IP is blocked for a 
week.  An hour just won't cut it nowadays, IMHO.  It's pretty trivial to 
setup and uses very little in resources.

-- 
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney at neonova.net
www.neonova.net