Share

Question

I logged in today and saw "There were 47183 failed login attempts since the last successful login."

What precautions should I be taking?

Answer 1

gparent February 6, 2015

Make sure you are using a strong password on each of your accounts, and preferably use SSH key authentication (and force it to be used, by disabling password authentication) for communicating with your droplet.

Reply

macdonjo February 6, 2015

Is this easy to setup? I have 2 others also working on the server, for a combined of at least 6 machines and changing internet connections.
gparent February 6, 2015

Should be. Try https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

How To Set Up SSH Keys
by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
vps February 6, 2015

You can install fail2ban. It will block the failed log on attempts via firewall rules.

Best is to use SSH keys like mentioned above.

Also if always connecting from same static ip addresses using firewall rules to limit ssh connections to those connections would do wonders.

You can use dynamic ip addresses above if you ip doesn't change often. I have a script that runs at boot and every 15 minutes to check my home ip address. If it changes from what it has it updates the firewall with new rules.

Answer 2

macdonjo February 6, 2015

Is this easy to setup? I have 2 others also working on the server, for a combined of at least 6 machines and changing internet connections.
gparent February 6, 2015

Should be. Try https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

How To Set Up SSH Keys
by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
vps February 6, 2015

You can install fail2ban. It will block the failed log on attempts via firewall rules.

Best is to use SSH keys like mentioned above.

Also if always connecting from same static ip addresses using firewall rules to limit ssh connections to those connections would do wonders.

You can use dynamic ip addresses above if you ip doesn't change often. I have a script that runs at boot and every 15 minutes to check my home ip address. If it changes from what it has it updates the firewall with new rules.

Answer 3

wuzamarine February 6, 2015

switch your ssh port to something non standard like 2222
problem gone.
It's just robots.

Reply

gparent February 6, 2015

Don't do this, as it doesn't increase your security in any way and just makes things more complicated for you.
- warren July 25, 2016
  
  It may not "increase your security", but it's a common, simple first-order defense against automated attacks - if you're not on a standard port, you eliminate a huge percentage of the problem ....
  
  Which does "increase your security"
  
  gparent July 25, 2016
  
  While changing the port diminishes the risk of an attack occurring, it does not diminish the impact of any actual bug or insecure config that would be used out there to compromise servers. There are other parameters to check for that are actually meaningful to the security of the server like the usage of weak passwords or using AllowGroups to limit which users can log in remotely even if your password or key is compromised.
  
  Furthermore, port 2222 is a non-privileged port which means any user on the machine could host a listening service on that port if the right circumstances were to present themselves. This is not the case of port 22 which is a privileged port that essentially requires root to be listened on.
  
  So while the expression "increase your security" is not clearly defined, changing the port can hardly be considered a defense especially a first order one. One thing it does is reduce log clutter a little bit, but that's not a problem if you're already handling your logs and it's not worth having to add additional flags to a bunch of ssh commands or setting up ~/.ssh/config files especially to a beginner.
  
  To protect access to the sshd service, I would suggest at the very least IP filtering but even better a VPN solution like IPsec or OpenVPN. Services like fail2ban provide little benefit and augment your surface of attack compared to rate limiting via netfilter/iptables.
jgillman February 19, 2015

While it doesn't increase your security, it does reduce the amount of noise from bots and script kiddies who are just looking for easy targets.

That said, it can be a pain in the butt when you're using a nonstandard port if anyone else needs access or if you forget.
- warren July 25, 2016
  
  I use three ports for SSH - 22, 2222, and another.
  
  22 for things I either don't care about, or that are internal-only
  
  2222 for things I care about that aren't "mine"
  
  And the other port for all of "my" stuff

Answer 4

gparent February 6, 2015

Don't do this, as it doesn't increase your security in any way and just makes things more complicated for you.
- warren July 25, 2016
  
  It may not "increase your security", but it's a common, simple first-order defense against automated attacks - if you're not on a standard port, you eliminate a huge percentage of the problem ....
  
  Which does "increase your security"
  
  gparent July 25, 2016
  
  While changing the port diminishes the risk of an attack occurring, it does not diminish the impact of any actual bug or insecure config that would be used out there to compromise servers. There are other parameters to check for that are actually meaningful to the security of the server like the usage of weak passwords or using AllowGroups to limit which users can log in remotely even if your password or key is compromised.
  
  Furthermore, port 2222 is a non-privileged port which means any user on the machine could host a listening service on that port if the right circumstances were to present themselves. This is not the case of port 22 which is a privileged port that essentially requires root to be listened on.
  
  So while the expression "increase your security" is not clearly defined, changing the port can hardly be considered a defense especially a first order one. One thing it does is reduce log clutter a little bit, but that's not a problem if you're already handling your logs and it's not worth having to add additional flags to a bunch of ssh commands or setting up ~/.ssh/config files especially to a beginner.
  
  To protect access to the sshd service, I would suggest at the very least IP filtering but even better a VPN solution like IPsec or OpenVPN. Services like fail2ban provide little benefit and augment your surface of attack compared to rate limiting via netfilter/iptables.
jgillman February 19, 2015

While it doesn't increase your security, it does reduce the amount of noise from bots and script kiddies who are just looking for easy targets.

That said, it can be a pain in the butt when you're using a nonstandard port if anyone else needs access or if you forget.
- warren July 25, 2016
  
  I use three ports for SSH - 22, 2222, and another.
  
  22 for things I either don't care about, or that are internal-only
  
  2222 for things I care about that aren't "mine"
  
  And the other port for all of "my" stuff

Answer 5

vps February 6, 2015

[deleted]

Reply

Answer 6

macdonjo February 7, 2015

I disabled my root account and made another account with root privileges, and the problem has been fixed.

Reply

I'm told there were 47183 failed login attempts since the last successful login.

Leave a Comment

Share

Share your Question

I'm told there were 47183 failed login attempts since the last successful login.

Leave a Comment

Almost there!

Report a Bug