Question
Prevent brute force from a different IP address every second
I think my droplet is under a brute force attack.
I already tried to use fail2ban, limiting access attempts to 3,
but apparently it changes IP address after it fails, so fail2ban does not prevent it.
And since the attacker's IP range is really broad, I can't add each IP to iptables either.
Are there any suggestions?
//==========================================
//This is the auth.log
//==========================================
Nov 23 21:36:08 <droplet name> sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 <droplet name> sshd[14994]: input_userauth_request: invalid user cpanel [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: error: Could not get shadow information for NOUSER
Nov 23 21:36:08 <droplet name> sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:08 <droplet name> sshd[14994]: Received disconnect from 179.100.73.144 port 56056:11: Bye Bye [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: Disconnected from 179.100.73.144 port 56056 [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Received disconnect from 218.92.0.210 port 20852:11: [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Disconnected from 218.92.0.210 port 20852 [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: User root password has expired (root forced)
Nov 23 21:36:18 <droplet name> sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:18 <droplet name> sshd[14999]: Received disconnect from 167.71.235.17 port 58476:11: Bye Bye [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: Disconnected from 167.71.235.17 port 58476 [preauth]
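Added example, not part of the original question: a small parser for the auth.log format shown above that counts failed SSH passwords per source address and reports how many of them stay under a per-IP retry limit, which is the situation the question describes. The function names and the last three sample lines (from the 203.0.113.0/24 documentation range) are constructed for illustration, and the ban time window is ignored for simplicity.

```python
import re
from collections import Counter

# Matches sshd "Failed password" lines in the format of the auth.log above.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# First four lines are taken from the log in the question.
# The last three are constructed sample data (documentation address range).
SAMPLE = """\
Nov 23 21:36:08 <droplet name> sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 <droplet name> sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:17 <droplet name> sshd[14993]: Disconnected from 218.92.0.210 port 20852 [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:20 <droplet name> sshd[15001]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Nov 23 21:36:21 <droplet name> sshd[15001]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Nov 23 21:36:22 <droplet name> sshd[15001]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
"""


def per_source_failures(lines):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in lines:
        match = FAILED.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def summarize(lines, maxretry=3):
    """Compare total failures with what a per-IP limit of `maxretry` would catch.

    Simplification: counts cover the whole input, with no time window.
    """
    counts = per_source_failures(lines)
    return {
        "failures": sum(counts.values()),
        "sources": len(counts),
        # Sources that reach the limit and would be banned.
        "would_ban": sorted(ip for ip, n in counts.items() if n >= maxretry),
        # Failures from sources that never reach the limit, so no ban fires.
        "below_threshold_failures": sum(n for n in counts.values() if n < maxretry),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A high `below_threshold_failures` count relative to `failures` on a real log indicates that the attempts are spread across sources in the way the question describes, so a per-IP limit alone does not trigger.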