Re: Failed attempts




On 11/27/2017 12:10 PM, Jerry Geis wrote:
> Hi All,
>
> I happened to log in to one of my servers today and saw 96000 failed login
> attempts. Shown below is the address it's coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.

You're going to see this probably quite a lot on a server that has port 22 open to the world.  All the Linux boxes I have that are internet accessible have a couple of things set up to prevent a lot of that:

- Lock down SSH to accept only login requests from one IP (or a range, but I prefer a single IP most of the time if I can manage it).
- Use a non-standard SSH port (and not a variation like 2222 or some such, just make sure you remember what it is).
- Fail2ban is your friend.

Seriously though, Fail2Ban is simply amazing.  It will block IPs using iptables without needing to write your own rules.  It will email you a log if you like.  And it will generally help you sleep better at night.  I've got a couple of web servers that I have running Fail2Ban with a maximum of 3 failed logins and once that's reached, the IP is blocked for a week.  An hour just won't cut it nowadays, IMHO.  It's pretty trivial to set up and uses very little in resources.

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney@xxxxxxxxxxx
www.neonova.net

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
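
An added example (not part of the original post, and not Fail2Ban's own code): a simplified Python model of the policy described in the reply above, three failed logins and then a one-week block, run over constructed sshd log lines. The 10-minute counting window, the host name, and every address other than the one quoted in the thread are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as quoted in the thread, behind a syslog prefix (assumed format).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)
MAX_RETRY = 3                      # from the post: maximum of 3 failed logins
BAN_TIME = timedelta(weeks=1)      # from the post: blocked for a week
FIND_TIME = timedelta(minutes=10)  # assumption: window in which failures count

# Constructed sample log; lines are assumed to be in chronological order.
SAMPLE = """\
Nov 27 12:00:01 host1 sshd[1001]: Failed password for root from 123.183.209.135 port 14299 ssh2
Nov 27 12:00:03 host1 sshd[1002]: Failed password for root from 123.183.209.135 port 14301 ssh2
Nov 27 12:00:04 host1 sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Nov 27 12:00:06 host1 sshd[1004]: Failed password for root from 123.183.209.135 port 14305 ssh2
Nov 27 12:00:09 host1 sshd[1005]: Accepted publickey for alice from 198.51.100.20 port 50514 ssh2
Nov 27 12:30:00 host1 sshd[1006]: Failed password for root from 203.0.113.7 port 40100 ssh2
Nov 27 12:31:00 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 40101 ssh2
""".splitlines()

def ban_decisions(lines, year=2017):
    """Return {ip: (banned_at, banned_until)} for sources that hit MAX_RETRY."""
    recent = defaultdict(deque)    # ip -> timestamps of failures inside FIND_TIME
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue               # still inside an active ban
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()       # failures older than the window no longer count
        if len(window) >= MAX_RETRY:
            bans[ip] = (ts, ts + BAN_TIME)
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in ban_decisions(SAMPLE).items():
        print(f"ban {ip} from {start} until {end}")
```

The second source in the sample also fails three times but is not blocked, because its failures are spread over more than the assumed counting window.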



