DigitalOcean

Report this

What is the reason for this report?
Question

Seems like a brute force SSH attack

Posted on December 5, 2014
leobudima

By leobudima

Hi all,

looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:

error: Could not load host key: /etc/ssh/ssh_host_ed25519_key Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2

The IP address changes every once in a while, but the attempts are lasting for days now, constantly.

Any suggestions as to what I might do about it?

Thanks!



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Jason Hall
Jason Hall
November 17, 2017

This seems to be a very old answer so i apologise in advance, however i assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server, and blocks them if too many are sent. It works by reading log files and checking if a failed request has came from the same IP address within a user configurable amount of time and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However PyFilter has the ability of cross server ban syncing. Cross server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example if IP address X was banned on server Y, and server Z has ban syncing enabled it will blacklist that IP even if that IP has not met the required failed attempts on that server.

PyFilter site PyFilter github

0
Ryan Quinn
Ryan QuinnDigitalOcean Employee badge
December 5, 2014

Using fail2ban is a good step to work against this type of traffic. Fail2ban will automatically block IP addresses after a specified number of failed login attempts. You can find a tutorial on setting up fail2ban on your droplet here.

0
scleejune
scleejune
May 9, 2022

Hi

This link -->https://github.com/theMiddleBlue/log2iptables. does not have the script anymore.

May I know the updated link?

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.