By:
macdonjo

I'm told there were 47183 failed login attempts since the last successful login.

February 6, 2015 17.1k views

I logged in today and saw "There were 47183 failed login attempts since the last successful login."

What precautions should I be taking?

1 comment
  • Bump this up. I also just saw a client's vps has 116097 failed login attempts since the last successful login.

    This does appear like a hacker trying to break into D.O. boxes, as there appear to be several similar threads in this same forum.

    Edit: Seems to mostly be those with port 22 open. I would ensure you have the latest OpenSSL packages, with remote password login for root disabled (only use pubkey authentication, with a password). If possible, whitelist port 22 to known IP addresses using your firewall.

4 Answers

Make sure you are using a strong password on each of your accounts, and preferably use SSH key authentication (and force it to be used, by disabling password authentication) for communicating with your droplet.

  • Is this easy to set up? I have 2 others also working on the server, for a combined total of at least 6 machines and changing internet connections.

  • by Etel Sverdlov
    SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
  • You can install fail2ban. It will block the failed logon attempts via firewall rules.

    Best is to use SSH keys like mentioned above.

    Also, if you are always connecting from the same static IP addresses, using firewall rules to limit SSH connections to those addresses would do wonders.

    You can use dynamic IP addresses for the above if your IP doesn't change often. I have a script that runs at boot and every 15 minutes to check my home IP address. If it changes from what it has, it updates the firewall with new rules.

Switch your SSH port to something non-standard like 2222.
Problem gone.
It's just robots.

  • Don't do this, as it doesn't increase your security in any way and just makes things more complicated for you.

    • It may not "increase your security", but it's a common, simple first-order defense against automated attacks - if you're not on a standard port, you eliminate a huge percentage of the problem ....

      Which does "increase your security"

      • While changing the port diminishes the risk of an attack occurring, it does not diminish the impact of any actual bug or insecure config that would be used out there to compromise servers. There are other parameters to check for that are actually meaningful to the security of the server like the usage of weak passwords or using AllowGroups to limit which users can log in remotely even if your password or key is compromised.

        Furthermore, port 2222 is a non-privileged port which means any user on the machine could host a listening service on that port if the right circumstances were to present themselves. This is not the case of port 22 which is a privileged port that essentially requires root to be listened on.

        So while the expression "increase your security" is not clearly defined, changing the port can hardly be considered a defense especially a first order one. One thing it does is reduce log clutter a little bit, but that's not a problem if you're already handling your logs and it's not worth having to add additional flags to a bunch of ssh commands or setting up ~/.ssh/config files especially to a beginner.

        To protect access to the sshd service, I would suggest at the very least IP filtering but even better a VPN solution like IPsec or OpenVPN. Services like fail2ban provide little benefit and augment your surface of attack compared to rate limiting via netfilter/iptables.

  • While it doesn't increase your security, it does reduce the amount of noise from bots and script kiddies who are just looking for easy targets.

    That said, it can be a pain in the butt when you're using a nonstandard port if anyone else needs access or if you forget.

    • I use three ports for SSH - 22, 2222, and another.

      22 for things I either don't care about, or that are internal-only

      2222 for things I care about that aren't "mine"

      And the other port for all of "my" stuff
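Added example (not code from any poster in this thread): a small POSIX shell audit of the sshd_config settings debated above (password vs. key-only login, PermitRootLogin, AllowGroups), plus the netfilter rate-limit rules one commenter prefers over fail2ban. File paths, the group name and the 3-per-minute limit are constructed; `sshd -T` remains the authoritative way to see the effective configuration.

```shell
#!/bin/sh
# sshd_effective FILE KEYWORD DEFAULT
# sshd honours the FIRST occurrence of a keyword, and keywords after a
# Match line are conditional, so the scan stops there. Accepts both
# "Key value" and "Key=value" spellings; DEFAULT is used when unset.
sshd_effective() {
    val=$(awk -v k="$2" '
        { sub(/^[ \t]+/, ""); split($0, f, "[ \t=]+") }
        tolower(f[1]) == "match"    { exit }
        tolower(f[1]) == tolower(k) { print f[2]; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE
# Prints one FAIL/WARN line per weak setting; returns the number of FAILs.
# Assumed defaults: PasswordAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin yes (newer OpenSSH releases default to prohibit-password).
audit_sshd_config() {
    f=$1; fails=0
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] \
        || { echo "FAIL PasswordAuthentication should be no (keys only)"; fails=$((fails+1)); }
    case $(sshd_effective "$f" PermitRootLogin yes) in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin should be no or prohibit-password"; fails=$((fails+1)) ;;
    esac
    [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "FAIL PubkeyAuthentication should be yes"; fails=$((fails+1)); }
    [ -n "$(sshd_effective "$f" AllowGroups '')" ] \
        || echo "WARN AllowGroups unset: every account with a shell may log in remotely"
    return "$fails"
}

# ssh_ratelimit_rules PORT
# Prints (does not apply) iptables rules that drop a source's 4th new
# connection to PORT within 60 seconds: netfilter rate limiting instead of
# a log-parsing daemon such as fail2ban. Review, then run as root.
ssh_ratelimit_rules() {
    p=${1:-22}
    echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on the server and compare against `sshd -T | grep -i -e passwordauthentication -e permitrootlogin -e allowgroups` to confirm the effective values.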

I disabled my root account and made another account with root privileges, and the problem has been fixed.
