
Dear guys,

I am now on my server with SSH and get the message during login:

...
Last failed login: Sat Feb 24 14:22:47 EST 2018 from 5.188.10.179 on ssh:notty
There were 1343 failed login attempts since the last successful login.
...

This simple relay (no exit) has been online for a few days.
Location Moldavia / Trabia Network; VPS

Is this amount of attacks regular? In the past I had a log file of 12MB on another server - all failed logins.
It is not a problem. It is only for my feeling "Ok, That's right!".

Nickname node49c

Olaf

On 02/24/2018 08:36 PM, Olaf Grimm wrote:
> I am now on my server with SSH and get the message during login:

Choose another port for SSH login and close all in-ports except ssh, ORPort and DirPort.

Configure it in /etc/ssh/sshd_config (e.g.: "Port 12345") and for convenience define this in your local ~/.ssh/config too, e.g.:

    #
    Host <your ip address> <your public dns hostname>
      IdentityFile=~/.ssh/<your private key file>
      Port 12345

--
Toralf
PGP C4EACDDE 0076E94E

Hi Olaf,

SSH brute force attacks are commonplace on any internet-facing server with port 22 open. You have a number of countermeasure options:

1) install fail2ban, which will block anyone who fails a login 3 times
2) move SSH to a non-standard port (preferably >1000)
3) reconfigure SSH to only allow login with keys instead of passwords - generate and successfully test login with a key first before you set this option
4) change the firewall to only allow logins from a specified IP address (yours if you have a static IP)

I recommend, if you can, that you implement all of these measures, as they will improve your security and stop the attacks filling up your logfiles.

S

On February 24, 2018 7:36:16 PM UTC, Olaf Grimm <jeep665@posteo.de> wrote:

--
Spiros Andreou

On 02/24/2018 09:54 PM, Spiros Andreou wrote:
[snip]

1) Or else use SSHGuard, which is a little easier. I think fail2ban did catch up with IPv6 support, which might or might not be relevant.
2) That quiets the logs for a while. But even when you are found again there won't be nearly as many attackers.
3) Using keys and prohibiting passwords is probably the single most useful thing to make sure of here. It's also very easy.
4) Locking the firewall to accept incoming from only specific IP addresses isn't good if one moves around.

On 02/24/2018 09:36 PM, Olaf Grimm wrote:
[snip]
> Is this amount of attacks regular?
[snip]

When I ran a middle relay, it was constantly scanned quite heavily and not just for SSH services.

My 2 cents.
/Lars
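
Added example, not part of any message in this thread: a small checker that reads sshd_config text and reports whether the two config-file measures suggested above (a non-default port, key-only logins) are actually in effect. It relies on sshd using the first value it obtains for a keyword, so a hardening line appended below an earlier setting does nothing. Assumptions: only the global section of a single file is read (no Include handling, Match blocks ignored), and the function names and sample configs are constructed for illustration.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"]}
MULTI = {"port"}  # keywords that may be repeated; every value applies


def effective_settings(config_text):
    """Return the global settings sshd would use from this config text."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # whitespace or '='
        key = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":              # later lines are conditional overrides
            break
        if key in MULTI:
            seen.setdefault(key, []).append(value)
        elif key not in seen:           # first value obtained wins
            seen[key] = [value]
    return {**DEFAULTS, **seen}


def audit(config_text):
    """List deviations from the hardening advice given in the thread."""
    cfg = effective_settings(config_text)
    findings = []
    if "22" in cfg["port"]:
        findings.append("sshd still listens on default port 22")
    if cfg["passwordauthentication"][0].lower() != "no":
        findings.append("password logins are still accepted")
    return findings


# Constructed sample: hardening lines were appended at the end, but the
# earlier "PasswordAuthentication yes" is the one sshd honours.
SAMPLE_WEAK = """\
# constructed example, not from the thread
PasswordAuthentication yes
Port 12345
passwordauthentication no
"""
SAMPLE_HARDENED = "Port 12345\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "ok")
```

On a live host, `sshd -T` prints the effective configuration as sshd itself computes it, which is the authoritative check before closing an existing session.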

participants (6)
- Lars Noodén
- Olaf Grimm
- Santiago R.R.
- Spiros Andreou
- Toralf Förster
- TorGate