Question

I'm told there were 47183 failed login attempts since the last successful login.

Posted February 6, 2015 42.8k views

I logged in today and saw “There were 47183 failed login attempts since the last successful login.”

What precautions should I be taking?

1 comment
  • Bump this up. I also just saw a client’s vps has 116097 failed login attempts since the last successful login.

    This does appear like a hacker trying to break into D.O. boxes, as there appear to be several similar threads in this same forum.

    Edit: Seem to mostly be those with port 22 open. I would ensure you have the latest Open SSL packages, with remote password-login for root disabled (only use pubkey authentication, with a password). If possible, white-list 22 port to known IP addresses using your firewall.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers

Make sure you are using a strong password on each of your accounts, and preferably use SSH key authentication (and force it to be used, by disabling password authentication) for communicating with your droplet.

I disabled my root account and made another account with root privileges, and the problem has been fixed.

switch your ssh port to something non standard like 2222
problem gone.
It’s just robots.

  • Don’t do this, as it doesn’t increase your security in any way and just makes things more complicated for you.

    • It may not “increase your security”, but it’s a common, simple first-order defense against automated attacks - if you’re not on a standard port, you eliminate a huge percentage of the problem ....

      Which does “increase your security”

      • While changing the port diminishes the risk of an attack occurring, it does not diminish the impact of any actual bug or insecure config that would be used out there to compromise servers. There are other parameters to check for that are actually meaningful to the security of the server like the usage of weak passwords or using AllowGroups to limit which users can log in remotely even if your password or key is compromised.

        Furthermore, port 2222 is a non-privileged port which means any user on the machine could host a listening service on that port if the right circumstances were to present themselves. This is not the case of port 22 which is a privileged port that essentially requires root to be listened on.

        So while the expression “increase your security” is not clearly defined, changing the port can hardly be considered a defense especially a first order one. One thing it does is reduce log clutter a little bit, but that’s not a problem if you’re already handling your logs and it’s not worth having to add additional flags to a bunch of ssh commands or setting up ~/.ssh/config files especially to a beginner.

        To protect access to the sshd service, I would suggest at the very least IP filtering but even better a VPN solution like IPsec or OpenVPN. Services like fail2ban provide little benefit and augment your surface of attack compared to rate limiting via netfilter/iptables.

  • While it doesn’t increase your security, it does reduce the amount of noise from bots and script kiddies who are just looking for easy targets.

    That said, it can be a pain in the butt when you’re using a nonstandard port if anyone else needs access or if you forget.

    • I use three ports for SSH - 22, 2222, and another.

      22 for things I either don’t care about, or that are internal-only

      2222 for things I care about that aren’t “mine”

      And the other port for all of “my” stuff

Submit an Answer