

Failed login attempts




Posted by paradipcd, 05-06-2015, 11:54 PM
I have purchased a dedicated server for the first time, and every time I log in through SSH, I see that there were thousands of failed login attempts. I don't understand what is going on. Can you please guide me on this - what is happening?

Posted by Savio13, 05-06-2015, 11:57 PM
Brute force attacks, I would assume. Where can you see the failed attempts? Are you running cPanel?

Posted by paradipcd, 05-07-2015, 12:21 AM
I am seeing failed attacks in SSH. When I log in it says:

login as: root
root@195.154.1xx.xx's password:
Last failed login: Thu May 7 05:48:33 CEST 2015 from 104.130.x.xx on ssh:notty
There were 150 failed login attempts since the last successful login.
Last login: Thu May 7 05:39:24 2015 from 116.203.146.xxx
[root@dedi-fr-22xxx ~]#

The server is unmanaged and has no cPanel. Also, in SSH, when I type the command service iptables status, it says:

Redirecting to /bin/systemctl status iptables.service
iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

Last edited by paradipcd; 05-07-2015 at 12:26 AM.

Posted by Savio13, 05-07-2015, 12:30 AM
Harden your SSH: use a strong password, disable root login, change the SSH port.

Posted by PR_Bipul, 05-07-2015, 12:32 AM
You can try changing the default SSH port. Those are probably automated bot attacks. About the iptables, is it CentOS 7 or something new?

Posted by paradipcd, 05-07-2015, 12:37 AM
It is CentOS 7.1 64-bit. Oh! I am giving a CentOS 6 command. Will it work?

Posted by jaijop, 05-07-2015, 12:54 AM
Change the SSH port. Disable root login. Permit sudo for required users. Block unauthorised SSH access via iptables or TCP wrapper. Also, you can use sshguard for more security.

Posted by charlesdavis, 05-07-2015, 01:07 AM
No! Please, you only need to talk with the support of your hosting provider, nothing else; they will automatically provide you with suggestions for this.

Posted by Savio13, 05-07-2015, 01:25 AM
Please explain, are you saying the suggestions we have given are incorrect?

Posted by krizag, 05-07-2015, 01:31 AM
Install a firewall, bfd. Change default ssh port.

Posted by USHost247-ChrisGrigg, 05-07-2015, 02:00 AM
Install CSF (ConfigServer Firewall). Harden your server with the recommendations of the firewall and change your SSH port to something different than 22. 22 is the default and is used in brute force attack scripts.

Posted by vpsineu, 05-07-2015, 02:46 AM
Install and start iptables and create a rule allowing only your local IP address (or IP address class) to be able to log in. Also disable password login and use SSH keys to access the server.

Posted by techs4gnu, 05-07-2015, 02:50 AM
A few things to be done are:
1. Change the SSH port from the default one (22) to another one like 2865 or 29547 etc.
2. If possible, disable SSH root password authentication and use SSH key type auth for root.
3. Restrict SSH access to particular IPs which are trusted and static in nature.
4. Install CSF firewall and get it configured well.

Posted by diman, 05-08-2015, 07:26 AM
You are under bruteforce attacks at least to your SSH service, and maybe some other services are also abused (http auth, smtp, etc., whatever has password auth). You may significantly reduce your risks by hardening the security of your server, like this:
- know which of your services are the target of attacks: check your server logs in /var/log/ for any attempts to log in (not only via SSH).
- ensure you have strong enough (16+ chars) passwords
- (ssh-specific) ensure you don't have direct root login, only via sudo like mentioned above. Your unprivileged *account name* for SSH should not be one of the common words because hackers' scripts try not only root.
- (ssh-specific) ensure your SSH port is not 22. Choose any number between, let's say, 1025 and 65000.
- you should install and configure (not just run the service) your iptables firewall so it will allow public access only to public services like http, and restrict access to private services like SSH
- (ssh-specific) your firewall allows SSH only from subnets which you may use. Blocking entire China subnets, for example, will greatly reduce your risks. Requires installation of GeoIP and configuring the firewall.
- install and configure bruteforce detection and prevention software like fail2ban

Last edited by anon-e-mouse; 05-08-2015 at 08:05 AM.
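
Added example, not part of any post in this thread: one way to act on the advice above to check the logs, tallying failed SSH password attempts per source address and per username. It assumes the stock sshd "Failed password for ..." message format as written to /var/log/secure on CentOS 7; the sample lines, the host name and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): summarise failed SSH password logins.

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
May  7 05:48:30 dedi sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May  7 05:48:33 dedi sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
May  7 05:48:40 dedi sshd[2107]: Failed password for invalid user admin from 198.51.100.9 port 51200 ssh2
May  7 05:49:02 dedi sshd[2110]: Accepted password for root from 192.0.2.10 port 50022 ssh2
May  7 05:49:10 dedi sshd[2115]: Failed password for invalid user ftp user from 203.0.113.7 port 40133 ssh2
EOF
}

# Emit "ip username" for every failed password attempt.
# The username is text supplied by the client and may contain spaces or the
# word "from", so the address is read from fixed positions counted from the
# END of the line ("from <ip> port <n> ssh2"), not by searching forwards.
failed_attempts() {
  awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
         for (k = 1; k <= NF; k++) if ($k == "for") break
         s = k + 1
         if ($s == "invalid" && $(s+1) == "user") s += 2   # unknown account
         user = ""
         for (i = s; i <= NF-5; i++) user = user (i > s ? " " : "") $i
         print $(NF-3), user
       }' "$@"
}

# Count the "ip username" pairs by the chosen column, busiest first.
tally() {
  awk -v col="$1" '{ key = (col == "ip") ? $1 : substr($0, length($1) + 2); n[key]++ }
                   END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

failed_by_ip()   { failed_attempts "$@" | tally ip; }
failed_by_user() { failed_attempts "$@" | tally user; }

# Demo on the constructed sample. On a real CentOS 7 host, run as root:
#   failed_by_ip /var/log/secure
sample_log | failed_by_ip
sample_log | failed_by_user
```

The per-username tally shows which account names the bots are guessing, which is the reason the post advises against a common word for the unprivileged account name.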

Posted by iserversupport, 05-08-2015, 11:45 AM
Change the SSH port and install CSF; it is also good to disable direct root logins.

Posted by acm_whr, 05-08-2015, 04:23 PM
Change the SSH port number. Enable CPHULKD bruteforce protection. Install CSF and block suspicious IPs if you have any. You should be good now.


