Pete Biggs wrote: > On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote: >> hi All, >> >> I happened to login to one of my servers today and saw 96000 failed >> login attempts. shown below is the address its coming from. I added it to my >> firewall to drop. >> >> Failed password for root from 123.183.209.135 port 14299 ssh2 >> >> FYI - others might be seeing it also. >> > As others have said, it's normal: dictionary based brute forcing of > root; and no surprise that that IP is based in China. Welcome to the > Internet. As opposed to, say, Brazil (yes, for some reason, a lot hit us from there). > > Primarily you need to make sure your root password is strong so it > isn't vulnerable to this sort of attack. If it is, then the most nasty > thing about this sort of thing is that your logs fill up. > > For your sanity then you can do the following: > > - disallow ssh root logins by password (login as an unprivileged user > or use keys) If you're not doing the above, you should start doing that... about 10 years ago. Disallow root login except via keys this very minute, and do it everywhere. > > - run something like fail2ban which will block a host for a > predetermined amount of time after a number of failures. We've been running fail2ban at work for a good bunch of years, and I run it at home. It's good, and std. repo. > > - don't run ssh on 22, use a different port. (Things get a lot > quieter when you do that, but it comes with it's own problems and don't > get complacent because someone will find the port eventually.) I consider that pointless security-through-obscurity. > > - if you only have a limited number of hosts or subnets logging in to > your machine, adjust the firewall so that only they are allowed > through. Yep. And iptables rules are not that big a deal to write. mark _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos