Hi guys,

linux newbie here.

I get that message every time I log in, and I assume someone is attempting to brute force my root password via SSH.

problem is... I have no idea how to block them. Is there an easy way to auto-block IPs that fail say 3 times in a row?

Sorry if this has been asked. I searched, but likely am using the wrong terms.

fail2ban

That was the kick I needed. Thank you!

I would block root login through ssh altogether, by specifying
PermitRootLogin no (or prohibit-password, which will allow public key login)
in the /etc/ssh/sshd_config file (and restart the ssh daemon).
In recent versions prohibit-password is already the default, so while it doesn't prevent remote systems from trying, they never ever will succeed.

That works perfect. installed quick and easy, configured in a flash and already in the last 60 seconds its banned 2 IPs. Perfect. Thanks again.

Yes, but you provide us with no details; things like version/distro of Linux, what (if any) security is between you and this server/Internet, is this home/office, etc. Best advice would be to edit your /etc/ssh/sshd_config file, and set PermitRootLogin to No, and **NEVER, EVER LOG IN OVER THE NETWORK AS ROOT, PERIOD** That is one of the biggest security errors you can make, and there just isn't a need to do it. Log in as your 'regular' user, and su/sudo **ONLY AS NEEDED**

Running as root allows you to make catastrophic mistakes very easily. And instead of blocking port 22 based on failed login attempts, employ better security methods. Don't run SSH on port 22, and only allow SSH access from a list of addresses using the AllowUsers directive in the /etc/ssh/sshd_config file. Something like
..will let you log in from that address ONLY. Read the sshd_config documentation. But Linux security is like any other system...it's a process. Lots of steps and each vary depending on need and environment.

Personally, I'd set up openVPN, and sidestep the whole issue.

Good advice. I will do that as soon as I am finished configuring things. Thanks.

Not running SSH on port 22 is more of a "security through obscurity" tactic. I would instead recommend using proper firewall rules to only permit traffic from your client IP address in conjunction with AllowUsers. All other suggestions look great, especially the VPN.

Not running ssh on port 22 IS a good idea, IMO. It should be done in addition to the other recommendations.

2 members found this post helpful.

While it may touch on "security through obscurity", it is not, but as scasey pointed out just part of a larger solution. Running well-know, and potentially exploitable services on their default ports gives anyone who looks 'low hanging fruit'. They KNOW what that service is, and identifying it is step one in compromising it. Running it on some other port makes it less likely to be picked up by an automatic port scan.

Moving the port is the first part, followed by firewall/login security/whatever.

3 members found this post helpful.