Question
Seems like a brute force SSH attack
Hi all,
looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:
error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2
The IP address changes every once in a while, but the attempts are lasting for days now, constantly.
Any suggestions as to what I might do about it?
Thanks!
Hi,
there’s more than one way to mitigate brute force attacks against ssh. Obviously the easiest solution is to block all incoming tcp connections to port 22 with iptables, and accept connections only from your static IP address. But this is not always possible.
I usually change the default ssh port (22 tcp) to another one (for example 1122 tcp). This can mitigate all automatic brute force attacks by botnets, but it is not enough. A user can discover the new sshd port with a simple port scan.
For this kind of issue, you need to dynamically block each IP that fails authentication to sshd. To do that, I’ve created a bash script that can automatically drop a brute force attack with iptables (log2iptables). You can find it here: https://github.com/theMiddleBlue/log2iptables.
A little example:
Download the script
Run log2iptables
This will insert an iptables rule that drops all IPs that fail the password more than 5 times. You can test it, without inserting any rules, by removing the -x 1 parameter. You can put it in crontab to check your auth.log at a regular interval, and receive a notification each time it adds a new iptables rule. Hope this helps :)
bye!
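The approach this answer describes, as an added example script rather than log2iptables itself: count sshd "Failed password" entries per source IP in an auth.log, then emit one iptables DROP rule for every IP above a threshold, printing the rules only unless explicitly told to apply them (the same "test first" idea as running log2iptables without -x 1). The sample log lines, the documentation-range IPs and the exact shape of the iptables rule are constructed for the example.

```shell
#!/bin/sh
# Added example, not the log2iptables script itself: count sshd "Failed password"
# entries per source IP in an auth.log and emit one iptables DROP rule for each
# IP above a threshold. Rules are only printed unless APPLY=1 is passed, the
# same idea as running log2iptables without "-x 1" to test first.

# Constructed sample of auth.log lines (documentation IPs, not real attackers).
SAMPLE_LOG='Nov 30 14:16:37 host sshd[23893]: Failed password for root from 203.0.113.5 port 44584 ssh2
Nov 30 14:16:39 host sshd[23893]: Failed password for root from 203.0.113.5 port 44584 ssh2
Nov 30 14:16:41 host sshd[23893]: Failed password for root from 203.0.113.5 port 44584 ssh2
Nov 30 14:17:02 host sshd[23901]: Failed password for invalid user admin from 192.0.2.9 port 50210 ssh2
Nov 30 14:17:04 host sshd[23901]: Failed password for invalid user admin from 192.0.2.9 port 50210 ssh2
Nov 30 14:17:06 host sshd[23901]: Failed password for invalid user admin from 192.0.2.9 port 50210 ssh2
Nov 30 14:20:11 host sshd[23950]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Nov 30 14:20:30 host sshd[23955]: Accepted publickey for alice from 198.51.100.7 port 40130 ssh2'

# offending_ips LOGFILE [THRESHOLD]: print each IP with more than THRESHOLD
# (default 5) failed passwords, one per line, sorted.
offending_ips() {
  logfile=$1
  threshold=${2:-5}
  # The greedy ".*" before "from" means the IP is taken after the LAST "from",
  # so a username that happens to be "from" cannot confuse the parse.
  sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9A-Fa-f.:]*\) port .*/\1/p' "$logfile" \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 > t { print $2 }' \
    | sort
}

# block_rules LOGFILE [THRESHOLD] [APPLY]: print the iptables rule for each
# offending IP; execute it too only when APPLY is 1 (needs root).
block_rules() {
  apply=${3:-0}
  offending_ips "$1" "$2" | while read -r ip; do
    rule="iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    echo "$rule"
    if [ "$apply" = 1 ]; then $rule; fi
  done
}

# Stand-alone demo on the constructed sample: dry run with a threshold of 2.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
block_rules "$tmp" 2
rm -f "$tmp"
```

On a real host you would point it at /var/log/auth.log, keep the default threshold and only pass APPLY=1 once the printed rules look right.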
Thanks a million! I’ve just checked after a while and the situation is the same, so yours is a great solution, very helpful, and thanks a lot again for your time!
I’m glad that it can be useful!
let me know if you have suggestions ;)
bye!
theMiddle would you mind helping me out with this? I seem to be having some trouble
Wow great solution!
Added 65 IPs to the tables. Haven’t seen a failed auth since.