The internet is full of bots that scan and poke IP addresses on port 22 (ssh). You can install something like fail2ban, or something similar like csf or denyhosts, which will block IPs that constantly fail to log in via SSH.
The downside to those adaptive firewalls is that you may also block yourself. So remember to try to log into the web console, or from another IP, if you are having difficulties logging in.
While it’s not more secure, changing the SSH port to an alternate port that you can easily remember will cut those login attempts down by nearly 100%. You’d want to change the Port line in /etc/ssh/sshd_config as follows:
Alternate Port Setting (choose your own port number and remove the # from the beginning):
You will need to restart SSH for this to take effect:
systemctl restart sshd.service
Important: be sure to open your new SSH port if you are running a software firewall. Also be sure to leave your SSH session open after restarting the SSH service and open a NEW SSH session to test the new port. If you are unable to connect, you can debug your settings from the first SSH session.
Platform Support Specialist
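An added example, not part of the original answer: one way to script the Port change described above so that it is validated and placed where sshd accepts it. The function names set_ssh_port and effective_ports, the sample config and port 2222 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. set_ssh_port and effective_ports are hypothetical helper names.

# Rewrite the Port directive in an sshd_config-style file, in place.
set_ssh_port() {
    cfg=$1 port=$2
    # Accept only 1-5 digit integers in the range 1..65535.
    case $port in ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 2; }
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        { key = tolower($1) }              # sshd keywords are case-insensitive
        # First "Port N" or "#Port N" line: replace it with the active setting.
        !seen && (key == "port" || key == "#port") && $2 ~ /^[0-9]+$/ {
            print "Port " port; seen = 1; next
        }
        # A later active Port line would open a second listener: comment it out.
        seen && key == "port" { print "#" $0; next }
        # Port is not allowed inside a Match block, so insert before the first one.
        !seen && key == "match" { print "Port " port; seen = 1 }
        { print }
        END { if (!seen) print "Port " port }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print every active (uncommented) Port value in the file, one per line.
effective_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Constructed sample config, not taken from a real host.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin no' 'Match User backup' > "$demo"
set_ssh_port "$demo" 2222 && effective_ports "$demo"
rm -f "$demo"
```

On a real host, run `sshd -t` after editing and before restarting the service, so a syntax error is caught while the existing session is still open.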
While connecting to your server through SSH can be very secure, the SSH daemon itself is a service that must be exposed to the internet to function properly. This comes with some inherent risk and offers a vector of attack for would-be assailants.
A service called fail2ban can mitigate this problem by creating rules that automatically alter your firewall configuration based on a predefined number of unsuccessful login attempts.