Question

Seems like a brute force SSH attack

Hi all,

looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:

error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2

The IP address changes every once in a while, but the attempts are lasting for days now, constantly.

Any suggestions as to what I might do about it?

Thanks!


Hi

This link --> https://github.com/theMiddleBlue/log2iptables does not have the script anymore.

May I know the updated link?

This seems to be a very old answer, so I apologise in advance; however, I assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server and blocks them if too many are sent. It works by reading log files and checking whether a failed request has come from the same IP address within a user-configurable amount of time, and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However, PyFilter has the ability to do cross-server ban syncing. Cross-server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example, if IP address X was banned on server Y, and server Z has ban syncing enabled, it will blacklist that IP even if that IP has not met the required number of failed attempts on that server.

PyFilter site PyFilter github

Using fail2ban is a good step to work against this type of traffic. Fail2ban will automatically block IP addresses after a specified number of failed login attempts. You can find a tutorial on setting up fail2ban on your droplet here.
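The two answers above (PyFilter and fail2ban) both describe the same policy: read the auth log, count failed logins per source IP inside a sliding time window, and add a firewall rule once the count passes a threshold, with the block expiring after a ban time. The script below is an added illustration of that logic and is not code from PyFilter, fail2ban or the original thread. The auth.log lines are constructed for the example and modelled on the line quoted in the question; the year (syslog timestamps carry none), the thresholds (5 failures within 10 minutes, 1 hour ban, the same knobs fail2ban calls maxretry, findtime and bantime) and the plain iptables DROP rule are assumptions, and the rule is returned as an argv list rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log extract (not from the original post): one noisy
# source, one legitimate user who fat-fingers a password twice, far apart.
SAMPLE_AUTH_LOG = """\
Nov 30 14:16:37 host sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2
Nov 30 14:16:39 host sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2
Nov 30 14:16:41 host sshd[23895]: Failed password for invalid user admin from 103.41.124.32 port 44590 ssh2
Nov 30 14:16:44 host sshd[23897]: Failed password for root from 103.41.124.32 port 44602 ssh2
Nov 30 14:16:46 host sshd[23899]: Failed password for root from 103.41.124.32 port 44610 ssh2
Nov 30 14:20:01 host sshd[23901]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Nov 30 14:21:10 host sshd[23903]: Failed password for deploy from 198.51.100.7 port 50130 ssh2
Nov 30 14:40:00 host sshd[23905]: Failed password for deploy from 198.51.100.7 port 50140 ssh2
Nov 30 14:50:00 host sshd[23907]: Failed password for root from 103.41.124.32 port 44700 ssh2
Nov 30 15:30:00 host sshd[23909]: Failed password for root from 103.41.124.32 port 44712 ssh2
"""

# Matches sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

LOG_YEAR = 2015  # assumption: syslog timestamps have no year, so one is supplied


def parse_failed(line):
    """Return (timestamp, ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Sliding-window counter per source IP.

    Returns a list of (ip, banned_at, banned_until). Failures from an IP
    that is still banned are ignored (the firewall would have dropped them);
    once the ban expires the IP starts again from a clean window.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}            # ip -> expiry of its current ban
    bans = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are not counted
        ts, ip, _user = parsed
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue
            del banned_until[ip]  # ban expired, count afresh
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            q.clear()
    return bans


def firewall_rule(ip):
    """A plain iptables DROP for the offender, as argv (assumed action, not run)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when, until in find_bans(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ban {ip} at {when:%H:%M:%S} until {until:%H:%M:%S}: "
              + " ".join(firewall_rule(ip)))
```

Run against the sample, only 103.41.124.32 is banned (five failures in nine seconds); the two failures from 198.51.100.7 are 19 minutes apart, so the window never holds more than one, and the later attempt from the banned address at 14:50 is ignored while the ban is live. A real deployment needs the same extra care the tools above take: tail the log incrementally, persist bans across restarts, and whitelist your own management address before enabling automatic blocking.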