On Mon, November 27, 2017 1:02 pm, m.roth@xxxxxxxxx wrote: > Pete Biggs wrote: >> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote: >>> hi All, >>> >>> I happened to login to one of my servers today and saw 96000 failed >>> login attempts. shown below is the address its coming from. I added it > to my >>> firewall to drop. >>> >>> Failed password for root from 123.183.209.135 port 14299 ssh2 >>> >>> FYI - others might be seeing it also. >>> >> As others have said, it's normal: dictionary based brute forcing of >> root; and no surprise that that IP is based in China. Welcome to the >> Internet. > > As opposed to, say, Brazil (yes, for some reason, a lot hit us from > there). (In addition to what others mentioned) I see a lot originating from Russia, Romania, India, Japan. (one might be surprised about the Japan, but I figure, they do not use much of professional sysadmins, as people on average are very smart there... hence the net result ;-) Valeri >> >> Primarily you need to make sure your root password is strong so it >> isn't vulnerable to this sort of attack. If it is, then the most nasty >> thing about this sort of thing is that your logs fill up. >> >> For your sanity then you can do the following: >> >> - disallow ssh root logins by password (login as an unprivileged user >> or use keys) > > If you're not doing the above, you should start doing that... about 10 > years ago. Disallow root login except via keys this very minute, and do it > everywhere. >> >> - run something like fail2ban which will block a host for a >> predetermined amount of time after a number of failures. > > We've been running fail2ban at work for a good bunch of years, and I run > it at home. It's good, and std. repo. >> >> - don't run ssh on 22, use a different port. (Things get a lot >> quieter when you do that, but it comes with it's own problems and don't >> get complacent because someone will find the port eventually.) > > I consider that pointless security-through-obscurity. >> >> - if you only have a limited number of hosts or subnets logging in to >> your machine, adjust the firewall so that only they are allowed >> through. > > Yep. And iptables rules are not that big a deal to write. > > mark > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > https://lists.centos.org/mailman/listinfo/centos > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos