Seems like a brute force SSH attack

Posted December 5, 2014

Hi all,

looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:

error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from port 44584 ssh2

The IP address changes every once in a while, but the attempts are lasting for days now, constantly.

Any suggestions as to what I might do about it?


  • Hi,

    there’s more than one way to mitigate brute force attacks against ssh. Obviously the easiest solution is to block all tcp incoming connections to port 22 with iptables, and accept connections only from your static IP address. But it is not always possible.

    I usually change the default ssh port (22 tcp) to another (for example 1122 tcp). This can mitigate all automatic brute force attacks by botnets, but it is not enough. A user can discover the new sshd port with a simple port scan.

    For this kind of issue, you need to dynamically block each IP that fails authentication to the sshd. For doing that, I’ve created a bash script that can automatically drop a brute force attack with iptables (log2iptables). You can find it here:

    A little example:

    Download the script

    cd /usr/local/bin
    git clone

    Run log2iptables

    cd /usr/local/bin/log2iptables
    ./ -f /var/log/auth.log -x 1 -r 'sshd.*Failed.password.*from.([0-9\.]+)' -p 1 -l 5

    this will insert an iptables rule that drops all IPs that fail password more than 5 times. You can test it, without inserting any rules, by removing the -x 1 parameter. You can insert it in crontab to check your auth.log periodically, and receive a notification each time it adds a new iptables rule.

    hope this helps :)

  • Thanks a million! I’ve just checked after a while and the situation is the same, so yours is a great solution, very helpful and thanks a lot again for your time!

  • I’m glad that it can be useful!
    let me know if you have suggestions ;)


  • theMiddle would you mind helping me out with this? I seem to be having some trouble

  • Wow great solution!

    Added 65 IPs to the tables. Haven’t seen a failed auth since.


2 answers

Using fail2ban is a good step to work against this type of traffic. Fail2ban will automatically block IP addresses after a specified number of failed login attempts. You can find a tutorial on setting up fail2ban on your droplet here.

This seems to be a very old answer so I apologise in advance, however I assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server, and blocks them if too many are sent. It works by reading log files and checking if a failed request has come from the same IP address within a user-configurable amount of time, and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However, PyFilter has the ability to do cross-server ban syncing. Cross-server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example, if IP address X was banned on server Y, and server Z has ban syncing enabled, it will blacklist that IP even if that IP has not met the required failed attempts on that server.

PyFilter site
PyFilter github
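As an added illustration (not code from log2iptables, fail2ban or PyFilter), the script below combines what the log2iptables comment above describes (the same failed-password regex, a "more than 5 failures" threshold, and a dry run unless you choose to apply the rules) with the per-IP time window that the PyFilter answer describes. The host name, process ids and IP addresses in the sample log are constructed; the year is assumed because auth.log lines do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same regex as the log2iptables invocation above; group 1 is the source IP.
FAILED_RE = re.compile(r"sshd.*Failed.password.*from.([0-9\.]+)")
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)")  # e.g. "Nov 30 14:16:37"

# Constructed sample auth.log excerpt using documentation IP ranges (not real hosts).
SAMPLE_LOG = """\
Nov 30 14:16:30 host sshd[23890]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 30 14:16:37 host sshd[23893]: Failed password for root from 203.0.113.7 port 44584 ssh2
Nov 30 14:16:39 host sshd[23895]: Failed password for root from 203.0.113.7 port 44590 ssh2
Nov 30 14:16:41 host sshd[23897]: Failed password for admin from 203.0.113.7 port 44593 ssh2
Nov 30 14:16:44 host sshd[23899]: Failed password for root from 203.0.113.7 port 44601 ssh2
Nov 30 14:16:46 host sshd[23901]: Failed password for root from 203.0.113.7 port 44608 ssh2
Nov 30 14:16:49 host sshd[23903]: Failed password for root from 203.0.113.7 port 44612 ssh2
Nov 30 14:20:02 host sshd[23950]: Failed password for alice from 198.51.100.4 port 50210 ssh2
Nov 30 14:20:15 host sshd[23952]: Accepted password for alice from 198.51.100.4 port 50211 ssh2
""" + "\n".join(  # plus a constructed slow attacker: one failure per hour for six hours
    f"Nov 30 {h:02d}:00:00 host sshd[2{h}00]: Failed password for root from 192.0.2.9 port 4000{h} ssh2"
    for h in range(8, 14))

def parse_failures(lines, year=2014):
    """Yield (timestamp, ip) for each failed-password line; other lines are skipped."""
    for line in lines:
        m, t = FAILED_RE.search(line), TS_RE.match(line)
        if m and t:  # auth.log has no year, so the caller supplies one (assumed here)
            yield datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S"), m.group(1)

def offenders(lines, limit=5, window_seconds=600):
    """IPs with more than `limit` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    banned = []
    for ip, times in by_ip.items():
        times.sort()  # the (limit+1)-th failure after times[i] must fall inside the window
        if any((times[i + limit] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - limit)):
            banned.append(ip)
    return sorted(banned)

def ban_commands(ips):
    """iptables DROP rules for each offender, as argv lists (no shell quoting involved)."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

if __name__ == "__main__":  # dry run, like log2iptables without -x 1
    for cmd in ban_commands(offenders(SAMPLE_LOG.splitlines())):
        print("would run:", " ".join(cmd))
```

With the defaults only the fast attacker is listed; widening `window_seconds` to a few hours also catches the slow one, and passing the argv lists to `subprocess.run` as root applies the rules.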