Question

Prevent Brute Force from different ip address every second

Posted November 27, 2020
Security, Firewall, DigitalOcean Droplets

I think my droplet is getting brute-force attacked.
I already tried to use fail2ban by limiting access attempts to 3 times,
but apparently it changes IP address after it fails, so fail2ban does not prevent it,
and since the attacker IPs are really broad, I can't add each IP to iptables either.
Is there any suggestion?

This is the auth.log:

Nov 23 21:36:08 <droplet name> sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 <droplet name> sshd[14994]: input_userauth_request: invalid user cpanel [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: error: Could not get shadow information for NOUSER
Nov 23 21:36:08 <droplet name> sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:08 <droplet name> sshd[14994]: Received disconnect from 179.100.73.144 port 56056:11: Bye Bye [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: Disconnected from 179.100.73.144 port 56056 [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Received disconnect from 218.92.0.210 port 20852:11: [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Disconnected from 218.92.0.210 port 20852 [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: User root password has expired (root forced)
Nov 23 21:36:18 <droplet name> sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:18 <droplet name> sshd[14999]: Received disconnect from 167.71.235.17 port 58476:11: Bye Bye [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: Disconnected from 167.71.235.17 port 58476 [preauth]

1 answer

Hi @jongxiang,

This is quite common, so to say. Bots are trying to get access to your system. What you can do is ban them on, let's say, the third attempt which they fail. You can use either CSF or Fail2BAN. I know you've tried Fail2BAN, but it does seem like you haven't configured it fully.

Anyway, another solution would be to block the SSH port and allow only whitelisted IP addresses to connect to port 22. This would be the better option, as no one would be able to connect UNLESS you have allowed their IP address directly on the server.

Regards,
KFSys
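To show why a per-IP ban on the third failure never fires against the log in the question, here is an added example (not part of the question or of KFSys's answer): a small Python parser over constructed lines modelled on that auth.log excerpt, counting failed SSH logins per source IP the way fail2ban's sshd filter and maxretry do. The hostname is a placeholder; the addresses are the ones shown in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log excerpt in the question
# (hostname replaced by a placeholder).
SAMPLE_AUTH_LOG = """\
Nov 23 21:36:08 droplet sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 droplet sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:17 droplet sshd[14993]: Received disconnect from 218.92.0.210 port 20852:11: [preauth]
Nov 23 21:36:18 droplet sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:18 droplet sshd[14999]: Disconnected from 167.71.235.17 port 58476 [preauth]
"""

# The line a fail2ban sshd jail keys on: a failed password, with the
# (possibly invalid) user name and the source address.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def failures_per_ip(log_text):
    """Failed logins per source IP: the counter a per-IP maxretry sees."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def failures_per_user(log_text):
    """Failed logins per target account, across all source IPs."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("user")] += 1
    return hits


def ips_exceeding(log_text, maxretry=3):
    """IPs a jail with this maxretry would ban (sorted for stable output)."""
    per_ip = failures_per_ip(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)


if __name__ == "__main__":
    print("per IP:  ", dict(failures_per_ip(SAMPLE_AUTH_LOG)))
    print("per user:", dict(failures_per_user(SAMPLE_AUTH_LOG)))
    print("banned at maxretry=3:", ips_exceeding(SAMPLE_AUTH_LOG, 3))
```

Every source address fails exactly once, so the jail's threshold is never reached even though the total failure count keeps climbing; that aggregate view (per user, or across all IPs) is the signal to watch when the per-IP ban stays quiet.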