Login Attempts: Is this usual?

December 10, 2013 10.8k views
rohit.sprasad+digitalocean
By:
rohit.sprasad+digitalocean
When I ssh into my droplet, it reads out: There were 670 failed login attempts since the last successful login. Is this usual? Am I supposed to be concerned?
1 comment
Log In to Comment
4 Answers
joshuataylorx December 10, 2013
Change the SSH port, try fail2ban:
https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
How To Protect SSH with fail2ban on Ubuntu 12.04
by Etel Sverdlov
fail2ban provides a way to automatically protect virtual servers from malicious behavior. This tutorial shows you how to install Fail2Ban, copy the Configuration File, configure the fail2ban defaults, and find out how to configure the ssh defaults. This tutorial describes the required steps to set up fail2ban on Ubuntu.
Reply
kamaln7 MOD December 10, 2013
I recommend installing fail2ban (see joshuataylorx's link above) and using SSH keys while disabling password authentication: https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2
How To Set Up SSH Keys
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
Reply
pablo December 10, 2013
"Is this usual?"

Unfortunately, yes (simply Wikipedia DDoS attacks and Brute Force Attacks).

"Am I supposed to be concerned?

If you care about the data on your cloud server... yes.

Ditto on using SSH keys and disabling password logins. If connecting from a Windows machine, check out How To Create SSH Keys with PuTTY to Connect to a VPS.

A firewall will also come in handy: How to Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.
How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server
by Shaun Lewis
Learn how to setup a firewall with UFW on an Ubuntu / Debian cloud server.
Reply
ricardo.parraga February 7, 2014
Q:\ Is this usual?
A:\ It is usual and common on servers facing the internet. These internet facing servers are being scanned for open ports by malicious users everyday all day.

Q:\ Am I supposed to be concerned?
A:\ Yes, you should be concerned as your server might get compromised.

Tip: You can check the Failed login attempts with:
sudo cat /var/log/secure | grep Failed

Reply
Have another answer? Share your knowledge.