Why do we get a high number of failed logins between SSH sessions?

We have a couple of Ubuntu 16.04 servers and noticed that when we create an SSH session in the morning, there were thousands of failed login attempts since the day before. Even after minutes between sessions there are already several dozen failed login attempts reported. I can confirm that nobody in our organisation even attempted to log on to the droplet during that period.

It’s automated login attempts. Like above, I’d suggest using Key Authentication for SSH logins.

As well as installing “Fail2Ban”

sudo apt-get install fail2ban

It’s a program that looks at your log files, and whenever it sees a certain number of failed login attempts it will ban the IP address for a set amount of time.

It’s in most Linux repos as standard and will look for failed SSH logins out of the box, so no configuration is required.

You can set it to monitor other services on your server for failed login attempts, but SSH should be the only one you require.

For more info here is the program’s wiki:

Because automated bots usually try weak passwords to break into servers.

There’s no reason to prevent this, but it’s why you must use strong passwords and preferably SSH key authentication.

Move your sshd service to listen on a non-standard port. It’ll be no more (or less) secure, but it gets rid of the endless log entries caused by the automated bots trying to brute their way into anything they can find on any server running on the standard port.

If you start seeing numerous failed attempts on your non-standard port, that could be a cause for concern.

As above, set Key Auth only for SSH and disable root SSH access. Most bots seem to try to brute force SSH on port 22 with a username of root and look for password auth. So taking away the password factor, the root factor and the port factor - you’ll probably find you end up with zero failed attempts.
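
An added example (not part of any answer above, and not Fail2Ban's own code): a Python sketch of the log-threshold idea the answers describe, run over constructed `auth.log` lines. The `maxretry` and `findtime` names follow Fail2Ban's options; the values, host name, users and addresses are assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 06:25:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar  3 06:25:03 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar  3 06:25:09 web1 sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Mar  3 06:31:44 web1 sshd[1302]: Failed password for invalid user test from 198.51.100.23 port 51234 ssh2
Mar  3 06:40:10 web1 sshd[1410]: Accepted publickey for deploy from 192.0.2.10 port 50211 ssh2
Mar  3 07:55:12 web1 sshd[1733]: Failed password for root from 198.51.100.23 port 51300 ssh2
"""

# The greedy (.+) plus the $ anchor take the address from the END of the line,
# so a username that itself contains " from ..." cannot shift the parsed IP.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (invalid user )?(.+) from (\S+) port \d+ ssh2$")

def parse_failures(text, year=2024):
    """Return (timestamp, user, ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps omit the year; the year here is an assumption.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(4)))
    return events

def would_ban(events, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least maxretry failures inside any findtime window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned

def summarize(events):
    """Failure counts per source address and per attempted username."""
    return Counter(ip for _, _, ip in events), Counter(u for _, u, _ in events)
```

Calling `summarize(parse_failures(SAMPLE_LOG))` shows which addresses and usernames account for the noise; slow attempts spread outside the window are counted but do not reach the ban threshold.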