I'm told there were 47183 failed login attempts since the last successful login.

February 6, 2015 32.8k views
macdonjo
By:
macdonjo

I logged in today and saw “There were 47183 failed login attempts since the last successful login.”

What precautions should I be taking?

1 comment
  • kryo2k December 9, 2015

    Bump this up. I also just saw a client’s vps has 116097 failed login attempts since the last successful login.

    This does appear like a hacker trying to break into D.O. boxes, as there appear to be several similar threads in this same forum.

    Edit: Seem to mostly be those with port 22 open. I would ensure you have the latest Open SSL packages, with remote password-login for root disabled (only use pubkey authentication, with a password). If possible, white-list 22 port to known IP addresses using your firewall.

Log In to Comment
4 Answers
gparent February 6, 2015

Make sure you are using a strong password on each of your accounts, and preferably use SSH key authentication (and force it to be used, by disabling password authentication) for communicating with your droplet.

Reply
  • macdonjo February 6, 2015

    Is this easy to setup? I have 2 others also working on the server, for a combined of at least 6 machines and changing internet connections.

  • gparent February 6, 2015
    How To Set Up SSH Keys
    by Etel Sverdlov
    SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
  • vps February 6, 2015

    You can install fail2ban. It will block the failed log on attempts via firewall rules.

    Best is to use SSH keys like mentioned above.

    Also if always connecting from same static ip addresses using firewall rules to limit ssh connections to those connections would do wonders.

    You can use dynamic ip addresses above if you ip doesn’t change often. I have a script that runs at boot and every 15 minutes to check my home ip address. If it changes from what it has it updates the firewall with new rules.

wuzamarine February 6, 2015

switch your ssh port to something non standard like 2222
problem gone.
It’s just robots.

Reply
  • gparent February 6, 2015

    Don’t do this, as it doesn’t increase your security in any way and just makes things more complicated for you.

    • warren July 25, 2016

      It may not “increase your security”, but it’s a common, simple first-order defense against automated attacks - if you’re not on a standard port, you eliminate a huge percentage of the problem ....

      Which does “increase your security”

      • gparent July 25, 2016

        While changing the port diminishes the risk of an attack occurring, it does not diminish the impact of any actual bug or insecure config that would be used out there to compromise servers. There are other parameters to check for that are actually meaningful to the security of the server like the usage of weak passwords or using AllowGroups to limit which users can log in remotely even if your password or key is compromised.

        Furthermore, port 2222 is a non-privileged port which means any user on the machine could host a listening service on that port if the right circumstances were to present themselves. This is not the case of port 22 which is a privileged port that essentially requires root to be listened on.

        So while the expression “increase your security” is not clearly defined, changing the port can hardly be considered a defense especially a first order one. One thing it does is reduce log clutter a little bit, but that’s not a problem if you’re already handling your logs and it’s not worth having to add additional flags to a bunch of ssh commands or setting up ~/.ssh/config files especially to a beginner.

        To protect access to the sshd service, I would suggest at the very least IP filtering but even better a VPN solution like IPsec or OpenVPN. Services like fail2ban provide little benefit and augment your surface of attack compared to rate limiting via netfilter/iptables.

  • jgillman February 19, 2015

    While it doesn’t increase your security, it does reduce the amount of noise from bots and script kiddies who are just looking for easy targets.

    That said, it can be a pain in the butt when you’re using a nonstandard port if anyone else needs access or if you forget.

    • warren July 25, 2016

      I use three ports for SSH - 22, 2222, and another.

      22 for things I either don’t care about, or that are internal-only

      2222 for things I care about that aren’t “mine”

      And the other port for all of “my” stuff

vps February 6, 2015
[deleted]
Reply
macdonjo February 7, 2015

I disabled my root account and made another account with root privileges, and the problem has been fixed.

Reply
Have another answer? Share your knowledge.