Question

Login Attempts: Is this usual?

Posted December 10, 2013 14.8k views
When I ssh into my droplet, it reads out: There were 670 failed login attempts since the last successful login. Is this usual? Am I supposed to be concerned?
Add a comment
roht
By:
roht
Add a comment
1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
4 answers
joshuataylorx December 10, 2013
Change the SSH port, try fail2ban:
https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
How To Protect SSH with fail2ban on Ubuntu 12.04
by Etel Sverdlov
fail2ban provides a way to automatically protect virtual servers from malicious behavior. This tutorial shows you how to install Fail2Ban, copy the Configuration File, configure the fail2ban defaults, and find out how to configure the ssh defaults. This tutorial describes the required steps to set up fail2ban on Ubuntu.
Reply Report
kamaln7 December 10, 2013
I recommend installing fail2ban (see joshuataylorx's link above) and using SSH keys while disabling password authentication: https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2
Reply Report
pablo December 10, 2013
"Is this usual?"

Unfortunately, yes (simply Wikipedia DDoS attacks and Brute Force Attacks).

"Am I supposed to be concerned?

If you care about the data on your cloud server... yes.

Ditto on using SSH keys and disabling password logins. If connecting from a Windows machine, check out How To Create SSH Keys with PuTTY to Connect to a VPS.

A firewall will also come in handy: How to Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.
How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server
by Shaun Lewis
Learn how to setup a firewall with UFW on an Ubuntu / Debian cloud server.
Reply Report
ricardo.parraga February 7, 2014
Q:\ Is this usual?
A:\ It is usual and common on servers facing the internet. These internet facing servers are being scanned for open ports by malicious users everyday all day.

Q:\ Am I supposed to be concerned?
A:\ Yes, you should be concerned as your server might get compromised.

Tip: You can check the Failed login attempts with:
sudo cat /var/log/secure | grep Failed

Reply Report

Looking for something else?

Ask a new question Search for more help