On Mon, November 27, 2017 1:22 pm, Mark Haney wrote: > On 11/27/2017 12:10 PM, Jerry Geis wrote: >> hi All, >> >> I happened to login to one of my servers today and saw 96000 failed >> login >> attempts. shown below is the address its coming from. I added it to my >> firewall to drop. >> >> Failed password for root from 123.183.209.135 port 14299 ssh2 >> >> FYI - others might be seeing it also. >> > You're going to see this probably quite a lot on a server that has port > 22 open to the world. All the linux boxes I have internet accessible > have a couple of things setup to prevent a lot of that: > > Lock down SSH to accept only login requests from one IP (or a range, but > I prefer a single IP most of the time if I can manage it). > Use a non-standard SSH port (and not a variation like 2222 All ports above 1023 on UNIX and Linux systems can be opened by regular user, without requiring root access to the machine. Therefore, this always was considered potential security risk. One more comment about obscuring ssh service by running it on non-standard port (e.g. any port but 22). In my book this constitutes "security by obscurity", which all my sysadmin colleagues were considering "windows - like" way of dealing with problems. (Think about pushing the trash on the floor under carpet). > or some such, > just make sure you remember what it is). > Fail2ban is your friend. > > Seriously though, Fail2Ban is simply amazing. Exactly. And some other measures already mentioned in this thread (sshguard, iptables rulesets, ...) Valeri > It will block IPs using > IPtables without needing to write your own rules. Will email you a log > if you like. And will generally help you sleep better at night. I've > got a couple of web servers that I have running Fail2Ban with a maximum > of 3 failed logins and once that's reached, the IP is blocked for a > week. An hour just won't cut it nowadays, IMHO. It's pretty trivial to > setup and uses very little in resources. > > -- > Mark Haney > Network Engineer at NeoNova > 919-460-3330 option 1 > mark.haney@xxxxxxxxxxx > www.neonova.net > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > https://lists.centos.org/mailman/listinfo/centos > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos