Seems like a brute force SSH attack

December 5, 2014 2.5k views

Hi all,

looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:

error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from port 44584 ssh2

The IP address changes every once in a while, but the attempts are lasting for days now, constantly.

Any suggestions as to what I might do about it?


  • Hi,

    there's more than one way to mitigate brute force attacks against ssh. Obviously the easiest solution is to block all incoming tcp connections to port 22 with iptables, and accept connections only from your static IP address. But that is not always possible.

    I usually change the default ssh port (22 tcp) to another (for example 1122 tcp). This can mitigate all automatic brute force attacks by botnets, but it is not enough. A user can discover the new sshd port with a simple port scan.

    For this kind of issue, you need to dynamically block each IP that fails authentication to sshd. To do that, I've created a bash script that can automatically drop a brute force attack with iptables (log2iptables). You can find it here: https://github.com/theMiddleBlue/log2iptables.

    A little example:

    Download the script

    cd /usr/local/bin
    git clone https://github.com/theMiddleBlue/log2iptables.git

    Run log2iptables

    cd /usr/local/bin/log2iptables
    ./log2iptables.sh -f /var/log/auth.log -x 1 -r 'sshd.*Failed.password.*from.([0-9\.]+)' -p 1 -l 5

    this will insert an iptables rule that drops all IPs that fail the password more than 5 times. You can test it, without inserting any rules, by removing the -x 1 parameter. You can put it in crontab to check your auth.log at a regular interval, and receive a notification each time it adds a new iptables rule.

    hope this helps :)

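The per-IP counting and threshold that the log2iptables invocation above performs, shown as an added Python example (not the script's own code and not part of this thread): it applies a tightened version of the thread's regex to a constructed sample of /var/log/auth.log, reports the addresses that exceed the `-l 5` limit, and renders the iptables rules as text for review instead of executing them. The hostname and the addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import Counter

# Same idea as the regex passed to log2iptables in the thread, tightened so that
# "from" must be a whole word and the capture group can only be a dotted quad.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed auth.log excerpt: one source hammering root/admin, one normal user.
SAMPLE_AUTH_LOG = """\
Nov 30 14:16:37 myhost sshd[23893]: Failed password for root from 198.51.100.23 port 44584 ssh2
Nov 30 14:16:39 myhost sshd[23893]: Failed password for root from 198.51.100.23 port 44590 ssh2
Nov 30 14:16:41 myhost sshd[23895]: Failed password for invalid user admin from 198.51.100.23 port 44601 ssh2
Nov 30 14:16:44 myhost sshd[23897]: Failed password for invalid user admin from 198.51.100.23 port 44612 ssh2
Nov 30 14:16:46 myhost sshd[23899]: Failed password for root from 198.51.100.23 port 44620 ssh2
Nov 30 14:16:49 myhost sshd[23901]: Failed password for root from 198.51.100.23 port 44633 ssh2
Nov 30 14:17:02 myhost sshd[23903]: Failed password for alice from 203.0.113.9 port 51022 ssh2
Nov 30 14:17:10 myhost sshd[23903]: Accepted publickey for alice from 203.0.113.9 port 51022 ssh2
Nov 30 14:17:12 myhost sshd[23905]: Connection closed by 203.0.113.9 [preauth]
"""


def count_failures(log_text):
    """Count 'Failed password' lines per source IP; other sshd lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, limit=5):
    """(ip, failures) pairs with more than `limit` failures, worst first (the thread's -l 5)."""
    counts = count_failures(log_text)
    return sorted(((ip, n) for ip, n in counts.items() if n > limit),
                  key=lambda t: (-t[1], t[0]))


def iptables_rules(ips, chain="INPUT"):
    """Render the DROP rules log2iptables would insert (-x 1); nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUTH_LOG)
    for ip, n in hits:
        print(f"{ip}: {n} failed logins")
    for rule in iptables_rules(ip for ip, _ in hits):
        print(rule)
```

Run against a real auth.log, the same counting also shows which accounts the failures target, which is useful when deciding whether to disable password authentication for root entirely.
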
  • Thanks a million! I've just checked after a while and the situation is the same, so yours is a great solution, very helpful, and thanks a lot again for your time!

  • I'm glad that it can be useful!
    let me know if you have suggestions ;)


  • theMiddle would you mind helping me out with this? I seem to be having some trouble

  • Wow great solution!

    Added 65 IPs to the tables. Haven't seen a failed auth since.

1 Answer

Using fail2ban is a good step to work against this type of traffic. Fail2ban will automatically block IP addresses after a specified number of failed login attempts. You can find a tutorial on setting up fail2ban on your droplet here.
