Why do we get a high number of failed logins between SSH sessions?

Posted September 4, 2016 6.6k views
Linux Basics, Ubuntu

We have a couple of Ubuntu 16.04 servers and noticed that when we create an SSH session in the morning, there were thousands of failed login attempts since the day before. Even after minutes between sessions there are already several dozen failed login attempts reported. I can confirm that nobody in our organisation even attempted to log on to the droplet during that period.

1 comment
  • Hi, good day.
    I wanted to ask if you already solved the constant disconnection that you presented, as I also have it. I validated in Webmin and found that Squid - Proxy Server stops automatically.

4 answers

Because automated bots usually try weak passwords to break into servers.

There’s no reason to prevent this, but it’s why you must use strong passwords and preferably SSH key authentication.

It’s automated login attempts.
Like above, I’d suggest using key authentication for SSH logins.

As well as installing “Fail2Ban”

sudo apt-get install fail2ban

It’s a program that looks at your log files, and whenever it sees a certain number of failed login attempts it will ban the IP address for a set amount of time.

It’s in most Linux repos as standard and will look for failed SSH logins out of the box, so no configuration is required.

You can set it to monitor other services on your server for failed login attempts, but SSH should be the only one you require.

For more info, here is the program’s wiki:

I would suggest using fwknop/knock and closing the SSH port from the outside world.

Move your sshd service to listen on a non-standard port. It’ll be no more (or less) secure, but it gets rid of the endless log entries caused by the automated bots trying to brute their way into anything they can find on any server running on the standard port.

If you start seeing numerous failed attempts on your non-standard port, that could be a cause for concern.

As above, set key auth only for SSH and disable root SSH access. Most bots seem to try to brute-force SSH on port 22 with a username of root and look for password auth. So taking away the password factor, the root factor and the port factor - you’ll probably find you end up with zero failed attempts.
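
The counting that the Fail2Ban answer describes, as an added Python example that is not part of the original thread and is not Fail2Ban's own code: it reads auth.log-style lines and reports each source IP that reaches max_retry failed password attempts within a sliding find_time window. The log lines are constructed samples using documentation IP ranges, and the function and parameter names (find_offenders, max_retry, find_time, year) are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Ubuntu /var/log/auth.log format (documentation IPs).
SAMPLE_LOG = """\
Sep  4 06:25:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  4 06:25:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  4 06:25:04 web1 sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 51840 ssh2
Sep  4 06:25:06 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40150 ssh2
Sep  4 06:31:40 web1 sshd[2140]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2
Sep  4 06:40:12 web1 sshd[2188]: Failed password for invalid user test from 198.51.100.23 port 51902 ssh2
Sep  4 06:58:30 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 52010 ssh2
"""

# Matches sshd password failures for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2016):
    """Return {ip: time the threshold was first reached} for every source IP
    with max_retry failed logins inside a sliding find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are skipped
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            offenders.setdefault(m["ip"], when)
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when}")
```

In the sample, 198.51.100.23 also fails three times, but its attempts are spread over more than half an hour, so it is only reported when find_time is widened.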