Failed logins on CentOS 7

May 12, 2015 1.3k views

Hello community,

I have a droplet with CentOS version 7. Yesterday I just logged in with SSH as root and saw that there were 6000 failed login attempts. Today I just created another droplet with CentOS 7 and noticed that on the first login there were 43 failed login attempts, while that droplet was just created a few minutes earlier. What is this?

1 comment
  • I just opened a support ticket for DO on this subject. I have a VM running CentOS 7 as well and have had ~17.5k failed logins in under 12 hours. I'll post back if I hear anything from them.

1 Answer

Hey there,

The internet is full of bots that scan and poke IP addresses on port 22 (ssh). You can install something like fail2ban, or something similar like csf or denyhosts, which will block IPs from constantly failing to log in via SSH.

The downside to those adaptive firewalls is that you may also block yourself. So remember to try to log into the web console, or from another IP, if you are having difficulties logging in.

While it's not more secure, changing the SSH port to an alternate port that you can easily remember will cut those login attempts down nearly by 100%. You'd want to change the Port line in the /etc/ssh/sshd_config as follows:


#Port 22

Alternate Port Setting (choose your own port number and remove the # from the beginning):

Port 2022

You will need to restart SSH for this to take effect:

systemctl restart sshd.service

Important: be sure to open your new SSH port if you are running a software firewall. Also be sure to leave your SSH session open after restarting the SSH service and open a NEW SSH session to test the new port. If you are unable to connect, you can debug your settings from the first SSH session.

Happy coding,

Jon Schwenn
Platform Support Specialist

While connecting to your server through SSH can be very secure, the SSH daemon itself is a service that must be exposed to the internet to function properly. This comes with some inherent risk and offers a vector of attack for would-be assailants. A service called fail2ban can mitigate this problem by creating rules that automatically alter your firewall configuration based on a predefined number of unsuccessful login attempts.
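The failed logins discussed above are recorded by sshd in /var/log/secure on CentOS 7, and counting them per source address is the check that threshold-based tools such as fail2ban act on. The script below is an added example, not part of the original answer or of fail2ban itself; the log lines are constructed, and the function names and the threshold value are hypothetical.

```shell
#!/bin/sh
# Count failed SSH password attempts per source address and list the
# addresses at or above a threshold ("N failures, then block").

# Constructed sample in the format sshd writes to /var/log/secure.
# Addresses come from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
May 12 03:14:07 centos7 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
May 12 03:14:09 centos7 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
May 12 03:14:11 centos7 sshd[1203]: Connection closed by 203.0.113.5 [preauth]
May 12 03:14:30 centos7 sshd[1207]: Failed password for root from 203.0.113.5 port 51302 ssh2
May 12 03:15:02 centos7 sshd[1210]: Failed password for invalid user test from 198.51.100.23 port 40112 ssh2
May 12 03:20:45 centos7 sshd[1215]: Accepted password for root from 192.0.2.10 port 50022 ssh2
EOF
}

# Read sshd log lines on stdin, print "<count> <address>" with the
# highest count first.
failed_by_ip() {
    awk '
        # Take the address by its position from the end of the line
        # ("from <addr> port <n> ssh2"), so the client-supplied user
        # name earlier in the line cannot shift the field that is read.
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Read sshd log lines on stdin, print addresses with at least $1 failures.
over_threshold() {
    failed_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Demo on the constructed sample. On a real host, as root:
#   over_threshold 5 < /var/log/secure
sample_log | failed_by_ip
```

Successful logins and pre-authentication disconnects are not counted, so an address appears only when it produced `Failed password` entries.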