On 9/21/20 7:52 AM, Logforme wrote:
On 2020-09-21 11:19:20, "Андрей Гвоздев" andrejgvozdev55@gmail.com wrote:
Hello, I'm running a TOR relay. Every time I SSH to my server I see a message that there were thousands of failed login attempts. Do you see this message too?
Exposing an SSH server to the internet will get you lots of login attempts.
Yes, this is normal for anyone running internet-facing systems, and there are as many mitigations as there are sysadmins.
Here are some things you SHOULD do to help the situation:
Change the SSH default port.
Yes, this will lessen the number of entries in the relevant log file until the brute force attackers get more intelligent. Just understand this is not a security measure. It's more like a dose of obscurity to make log files less noisy.
Disable the root login.
+1
Use key-based authentication.
+1
Those are important and vital security measures, as is employing some sort of multi-factor authentication methods like Yubikey. (no, officially key-based SSH auth is not formally MFA...)
But the two ways to actually address the problem are either:
* network or host-based firewalling to limit connections based on the same source, rate, etc., which depends on the operating system you're running.
* there are also tools like fail2ban and so on that are popular.
* if you're running FreeBSD or NetBSD, try Christo's blacklistd. It might be ported to other OSs. If it's not, it should be...
HTH
g
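
The source- and rate-based limiting described in the reply above can be sketched as a sliding-window count of failed logins per source address. This is an added example, not part of the original thread and not fail2ban's or blacklistd's own code; the log lines are constructed, and `sources_to_block`, `max_retry`, `find_time` and `year` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the traditional syslog format OpenSSH logs to;
# addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Sep 21 07:40:01 relay sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 21 07:40:03 relay sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep 21 07:40:04 relay sshd[1204]: Accepted publickey for op from 192.0.2.10 port 40100 ssh2
Sep 21 07:40:06 relay sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Sep 21 07:41:00 relay sshd[1210]: Failed password for root from 198.51.100.9 port 40022 ssh2
Sep 21 07:55:00 relay sshd[1300]: Failed password for root from 198.51.100.9 port 40023 ssh2
Sep 21 08:20:00 relay sshd[1400]: Failed password for root from 198.51.100.9 port 40024 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)

def sources_to_block(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2020):
    """Return {source: time the threshold was reached} for sources with
    max_retry failures inside a sliding find_time window."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        # Traditional syslog timestamps carry no year, so one is supplied.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["src"]]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry and m["src"] not in flagged:
            flagged[m["src"]] = when
    return flagged

if __name__ == "__main__":
    for src, when in sources_to_block(SAMPLE_LOG).items():
        print(f"{src} reached the threshold at {when:%H:%M:%S}")
```

The second source in the sample spaces its attempts out and stays under the default window, which is why the window length and threshold have to be tuned to the traffic actually seen.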