My server is constantly being attacked

Welcome to the wonderful world of the Internet... Have you:

  • put your server behind a hardware firewall?
  • activated the software firewall? (just in case the HW firewall glitches)
  • hardened your server?
  • installed rkhunter before putting it online?
  • activated automatic daily security updates?
  • changed the default port of ssh?
  • ...

But the real answer is: yes, this is normal. The botnet mafia can always use a few extra badly protected servers...


It is fairly normal to get enough login attempts to flood the log.

Changing SSH ports is more of a 'security by obscurity' type of solution, but it helps with the flood. I stress it's not very elegant; there are de-facto ports for services for a reason.

It should already be the default, but make sure you cannot SSH into your server as root. It's the one username that's fairly consistent among servers and thus the prime target for password brute-force login attempts. Enforce the setting with the following line in sshd_config:

PermitRootLogin no

Also look into fail2ban that monitors sshd logs for repeat offenders. For instance, 5 failed logins in 3 minutes from a certain IP would get that IP blocked for 10 minutes. I increased that ban time to 24 hours to further reduce the log spam -- successfully. :)


I would suggest you do a few things:

  1. Change the port ssh is listening on (to something far above 1024) and make sure you do not use version 1 of the protocol:

/etc/ssh/sshd_config

# What ports, IPs and protocols we listen for
Port 50022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
  2. Install fail2ban - it monitors log files and temporarily or persistently bans failure-prone addresses by updating existing firewall rules (iptables).

  3. Make sure you whitelist your trusted locations.
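What fail2ban does for the sshd jail, as described in the two answers above (count failures per source address inside a time window, ban when the count reaches the limit, and never ban whitelisted locations), replayed over constructed auth.log lines. This is an added example written for this page, not fail2ban's own code. The thresholds mirror the answers (5 failures in 3 minutes, 24-hour ban) and correspond to fail2ban's maxretry, findtime, bantime and ignoreip options; the hostname, the addresses (RFC 5737 documentation ranges) and the year used to complete the syslog timestamps are assumptions.

```python
"""Sliding-window brute-force detection with a whitelist, in the spirit of
fail2ban's sshd jail.  Added example for this page; not fail2ban's code."""

import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the answers above.  In fail2ban's jail.local these are
# maxretry = 5, findtime = 3m, bantime = 24h.
MAXRETRY = 5
FINDTIME = timedelta(minutes=3)
BANTIME = timedelta(hours=24)

# Equivalent of fail2ban's ignoreip: trusted locations are never banned.
# 198.51.100.0/24 stands in for "my office" (assumed, documentation range).
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "198.51.100.0/24")]

# Traditional syslog auth.log format for an sshd failure line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log (not from a real host).  203.0.113.5 hammers root in
# seconds; 198.51.100.7 fails five times but is whitelisted; 192.0.2.9 fails
# slowly (one attempt every two minutes) and so never reaches 5 in 3 minutes.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:05 web1 sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Mar  3 10:00:07 web1 sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 web1 sshd[1209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:01:00 web1 sshd[1220]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:00 web1 sshd[1230]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:01 web1 sshd[1231]: Failed password for deploy from 198.51.100.7 port 40004 ssh2
Mar  3 10:02:02 web1 sshd[1232]: Failed password for deploy from 198.51.100.7 port 40006 ssh2
Mar  3 10:02:03 web1 sshd[1233]: Failed password for deploy from 198.51.100.7 port 40008 ssh2
Mar  3 10:02:04 web1 sshd[1234]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
Mar  3 10:10:00 web1 sshd[1240]: Failed password for root from 192.0.2.9 port 4000 ssh2
Mar  3 10:12:00 web1 sshd[1241]: Failed password for root from 192.0.2.9 port 4002 ssh2
Mar  3 10:14:00 web1 sshd[1242]: Failed password for root from 192.0.2.9 port 4004 ssh2
Mar  3 10:16:00 web1 sshd[1243]: Failed password for root from 192.0.2.9 port 4006 ssh2
Mar  3 10:18:00 web1 sshd[1244]: Failed password for root from 192.0.2.9 port 4008 ssh2
"""


def parse_failure(line, year=2024):
    """Return (timestamp, user, ip) for a failed-login line, else None.
    syslog omits the year, so it is supplied by the caller (assumed 2024)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order; return {ip: ban_expiry} for banned addresses."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}                  # ip -> datetime when the ban expires
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if is_whitelisted(ip):
            continue
        # A banned address is dropped by the firewall, so any line dated
        # inside its ban is ignored rather than counted again.
        if ip in banned and ts < banned[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # slide the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts + bantime
            window.clear()
    return banned


def targeted_users(lines):
    """Which usernames the attackers try; 'root' is expected to dominate."""
    return Counter(p[1] for p in map(parse_failure, lines) if p is not None)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, until in scan(lines).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
    print("most targeted users:", targeted_users(lines).most_common(3))
```

Run it and only 203.0.113.5 is banned: the whitelisted office address is skipped even after five failures, and the slow attacker stays under the threshold, which is exactly why answer 2 raised bantime rather than lowering findtime. With a real fail2ban the same behaviour comes from `[sshd]` in jail.local with `enabled = true`, `maxretry = 5`, `findtime = 3m`, `bantime = 24h` and your trusted networks in `ignoreip`.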

Tags: Security, Ssh