Question

Prevent brute force from a different IP address every second

I think my droplet is getting a brute force attack. I already tried to use fail2ban by limiting access attempts to 3, but apparently it changes IP address after it fails, so fail2ban does not prevent it. And since the attacker's IPs are really broad, I can't add each IP to iptables either. Are there any suggestions?

```
//==========================================
//This is the auth.log
//==========================================

Nov 23 21:36:08 <droplet name> sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 <droplet name> sshd[14994]: input_userauth_request: invalid user cpanel [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: error: Could not get shadow information for NOUSER
Nov 23 21:36:08 <droplet name> sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:08 <droplet name> sshd[14994]: Received disconnect from 179.100.73.144 port 56056:11: Bye Bye [preauth]
Nov 23 21:36:08 <droplet name> sshd[14994]: Disconnected from 179.100.73.144 port 56056 [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Received disconnect from 218.92.0.210 port 20852:11: [preauth]
Nov 23 21:36:17 <droplet name> sshd[14993]: Disconnected from 218.92.0.210 port 20852 [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: User root password has expired (root forced)
Nov 23 21:36:18 <droplet name> sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:18 <droplet name> sshd[14999]: Received disconnect from 167.71.235.17 port 58476:11: Bye Bye [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: Disconnected from 167.71.235.17 port 58476 [preauth]
```



Hi @jongxiang,

This is quite common so to say. Bots are trying to get access to your system. What you can do is ban them on, let’s say, the third attempt which they fail. You can use either CSF or Fail2BAN. I know you’ve tried Fail2BAN but it does seem like you haven’t configured it fully.

Anyway, another solution would be to block the SSH port and allow only whitelisted IP addresses to connect to port 22. This would be the better option as no one would be able to connect UNLESS you have allowed their IP address directly on the server.

Regards, KFSys
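An added example, not part of the original question or answer: it counts failed SSH passwords per source address in lines copied from the auth.log excerpt above, to show why a per-IP limit of 3 never triggers when every attempt comes from a new address. The function name `summarize` is hypothetical, and its `maxretry` parameter is named after the fail2ban setting it models.

```python
import re
from collections import Counter

# Lines copied from the auth.log excerpt in the question (hostname redacted there).
SAMPLE_LOG = """\
Nov 23 21:36:08 <droplet name> sshd[14994]: Invalid user cpanel from 179.100.73.144
Nov 23 21:36:08 <droplet name> sshd[14994]: Failed password for invalid user cpanel from 179.100.73.144 port 56056 ssh2
Nov 23 21:36:17 <droplet name> sshd[14993]: Received disconnect from 218.92.0.210 port 20852:11: [preauth]
Nov 23 21:36:18 <droplet name> sshd[14999]: Failed password for root from 167.71.235.17 port 58476 ssh2
Nov 23 21:36:18 <droplet name> sshd[14999]: Disconnected from 167.71.235.17 port 58476 [preauth]
"""

# Matches sshd "Failed password" lines for both valid and invalid users.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize(log_text, maxretry=3):
    """Count failed passwords per source IP and report which IPs a
    per-IP threshold of `maxretry` would have banned."""
    per_ip = Counter()
    users = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users.add(m["user"])
    return {
        "total_failures": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "usernames": sorted(users),
        "would_ban": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `max_per_ip` stays below the threshold while `total_failures` keeps growing, per-IP banning cannot keep up, which is the case where restricting port 22 to allowed addresses is the more effective control.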