there were ### failed login attempts since your last successful login...
I get that message every time I log in, and I assume someone is attempting to brute force my root password via SSH.
I would block root login through ssh altogether, by specifying
PermitRootLogin no (or prohibit-password, which will allow public key login)
in the /etc/ssh/sshd_config file (and restart the ssh daemon).
In recent versions prohibit-password is already the default, so while it doesn't prevent remote systems from trying, they never ever will succeed.
Last edited by ehartman; 12-04-2018 at 10:36 AM.
Reason: small expansion
I get that message every time I log in, and I assume someone is attempting to brute force my root password via SSH. Problem is... I have no idea how to block them. Is there an easy way to auto-block IPs that fail say 3 times in a row? Sorry if this has been asked. I searched, but likely am using the wrong terms.
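One way to implement the "block after N consecutive failures" idea asked about above, as an added example that is not from this thread: a Python script that scans sshd auth log lines for "Failed password" entries, counts consecutive failures per source IP (a successful login from that IP resets its count), and lists the addresses that hit the threshold. The log lines are constructed samples; in practice you would read /var/log/auth.log or the journal and feed the result to a firewall rule, which is what tools like fail2ban automate.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenSSH auth log output (not real traffic).
SAMPLE_AUTH_LOG = """\
Dec  4 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec  4 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec  4 10:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Dec  4 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec  4 10:02:04 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Dec  4 10:02:30 host sshd[1215]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Dec  4 10:03:00 host sshd[1220]: Invalid user test from 192.0.2.9 port 33333
"""

# "Failed password for [invalid user] <name> from <ip> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# "Accepted <method> for <name> from <ip> port <n>"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def consecutive_failures(log_text):
    """Return {ip: longest run of consecutive failed logins} seen in the log.

    A successful login from an IP resets its running streak, so a user who
    mistypes once and then succeeds is not treated like a brute-force source.
    """
    streak = defaultdict(int)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            streak[ip] += 1
            peak[ip] = max(peak[ip], streak[ip])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            streak[m.group(2)] = 0
    return dict(peak)


def ips_to_block(log_text, threshold=3):
    """Sorted list of source IPs whose failure streak reached the threshold."""
    return sorted(ip for ip, n in consecutive_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_AUTH_LOG):
        print(f"block candidate: {ip}")
```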
Yes, but you provide us with no details; things like version/distro of Linux, what (if any) security is between you and this server/Internet, is this home/office, etc. Best advice would be to edit your /etc/ssh/sshd_config file, and set PermitRootLogin to No, and **NEVER, EVER LOG IN OVER THE NETWORK AS ROOT, PERIOD** That is one of the biggest security errors you can make, and there just isn't a need to do it. Log in as your 'regular' user, and su/sudo **ONLY AS NEEDED**
Running as root allows you to make catastrophic mistakes very easily. And instead of blocking port 22 based on failed login attempts, employ better security methods. Don't run SSH on port 22, and only allow SSH access from a list of addresses using the AllowUsers directive in the /etc/ssh/sshd_config file. Something like
Code:
AllowUsers user@10.11.12.13
...will let you log in from that address ONLY. Read the sshd_config documentation. But Linux security is like any other system...it's a process. Lots of steps and each vary depending on need and environment.
Personally, I'd set up openVPN, and sidestep the whole issue.
I would block root login through ssh altogether, by specifying
PermitRootLogin no (or prohibit-password, which will allow public key login)
in the /etc/ssh/sshd_config file (and restart the ssh daemon).
In recent versions prohibit-password is already the default, so while it doesn't prevent remote systems from trying, they never ever will succeed.
Good advice. I will do that as soon as I am finished configuring things. Thanks.
Not running SSH on port 22 is more of a "security through obscurity" tactic. I would instead recommend using proper firewall rules to only permit traffic from your client IP address in conjunction with AllowUsers. All other suggestions look great, especially the VPN.
Not running SSH on port 22 is more of a "security through obscurity" tactic. I would instead recommend using proper firewall rules to only permit traffic from your client IP address in conjunction with AllowUsers. All other suggestions look great, especially the VPN.
While it may touch on "security through obscurity", it is not, but as scasey pointed out, just part of a larger solution. Running well-known, and potentially exploitable services on their default ports gives anyone who looks 'low hanging fruit'. They KNOW what that service is, and identifying it is step one in compromising it. Running it on some other port makes it less likely to be picked up by an automatic port scan.
Moving the port is the first part, followed by firewall/login security/whatever.