Should I be concerned with this many login attempts?

While hunting down other issues with my VPS, I randomly checked auth.log and I see an alarming number of attempted logins with failures.

For example, this guy tried at least 30 times, all with a different port number.

Feb 20 05:41:44 traviselijah sshd[8802]: reverse mapping checking getaddrinfo for 31-xdsl.anitex.by [213.184.241.31] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 05:41:44 traviselijah sshd[8802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.241.31  user=root
Feb 20 05:41:46 traviselijah sshd[8802]: Failed password for root from 213.184.241.31 port 57022 ssh2

7 Replies

This is regular internet noise. It's not a direct attack on you, it's just automated scripting. Ways to mitigate include disabling root login via ssh (or, at least, require ssh keys); move the SSH port to something different; use "fail2ban" or similar to block multiple attempts after a few are detected. Search the forums and you'll find lots of comments :-)
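The threshold check that fail2ban-style tools apply to "Failed password" lines like the ones quoted in the question, as an added example that is not part of the thread and is not fail2ban's own code. The sample log is constructed (hostname, the `deploy` user and 203.0.113.7 are placeholders); `maxretry` and `findtime` borrow fail2ban's option names, with values chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted in the question.
# 213.184.241.31 is the address from the post; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
Feb 20 05:41:46 host sshd[8802]: Failed password for root from 213.184.241.31 port 57022 ssh2
Feb 20 05:41:50 host sshd[8805]: Failed password for root from 213.184.241.31 port 57310 ssh2
Feb 20 05:41:55 host sshd[8809]: Failed password for invalid user admin from 213.184.241.31 port 57688 ssh2
Feb 20 05:50:02 host sshd[8840]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2
Feb 20 06:30:00 host sshd[8901]: Failed password for root from 203.0.113.7 port 50200 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2000):
    """Return {ip: sorted usernames tried so far} for every source address that
    reaches maxretry failed passwords inside one findtime window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year; a leap year is assumed so Feb 29 parses.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        users[m["ip"]].add(m["user"])
        # The source port changes on every connection, so only the address is tracked.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged

if __name__ == "__main__":
    for ip, tried in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold; usernames tried: {', '.join(tried)}")
```
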

Everyone gets these automated SSH login attempts. You should disable sshd password authentication on internet connected systems.

I once hacked sshd to log the passwords these scripts use. It's all dictionary words, names, and strings like 'letmein' and 'passw0rd'.

OK, then dumb question. I am trying to figure out disabling password ssh attempts using the guides, but for those using putty, it directs you to the putty guide, but it also does not tell me how to create a key to use on my Windows box

http://library.linode.com/securing-your-server#sph_using-ssh-key-pair-authentication

And

http://library.linode.com/networking/using-putty

unless I am completely dense and do not understand the other terms used…

Edit: double post mistake

Are you, or a few people, the only ones who need SSH access? We block all ports except http,https,email by the firewall except to approved IPs or dynamic hostnames (because only a few of us need access). So to the rest of the world no one can even get to the login screens/prompts. Our servers are web servers, and it amazes me how unsecure web servers are by default (e.g. everyone in the world can get to an SSH/Control Panel/FTP login screen). We've been hacked because someone knew a way in using the root account in Cpanel file manager. That's when we decided to block all ports.

You can create a public/private keypair on Windows using puttygen. Pay attention to 8.2.10 - you will need to have the public key in OpenSSH's format to place it in authorized_keys on your Linode.

One of the very first things I did was disable root & password-only logins. Fail2ban helps a bit too.

Also, if you use both Windows and Mac, keep in mind that Putty uses a nonstandard format for its SSH private keys, and it won't work in Terminal on Mac. To get it to work, you'd need to load the key in puttygen (on Windows), convert it to OpenSSH's format (via Conversions->Export OpenSSH key).
