Ok so, buddy of mine has his ssh server setup and upon checking his logs he sees a ton of failed attempts.

Now obviously these are people that are scanning him and trying to brute force him.

So is there a way to block them? We know you can block each IP but is there a way to block ALL connections except for certain ones, such as his and mine? Maybe a couple others.

Thanks!

There are a few things you can do to help.

1. Move ssh to a non-standard port (anyting that isn't in use that isn't 22). This would be in /etc/ssh/sshd_config
2. Deny all access on that port, and allow access only to explicitly defined addresses. This can be accomplished via IP tables. CSF (configserver firewall) is a pretty nice frontend for IPtables if you don't want to learn all the syntax.

He uses UFW for a firewall

Ok... then follow the steps using UFW instead.

Besides moving to another port I would suggest that you start using key-authentication for your ssh connections and maybe Port-Knocking.

You should regard this as normal. maybe, in an ideal world, it wouldn't happen, but in this world it does happen, so just be prepared for it.

...not quite so obvious, given that it could be brute force or it could be a dictionary attack, but you probably meant either...

Look here for example, for a good overview of the advantages and disadvantages of different approaches that you could take.

In addition, you could look at things like denyhosts or fail2ban to help iptables to stop repeated attempts as soon as possible (on Linux, the firewall is iptables/netfilter, but there are a large number of 'easy' tools that you can use to aid in its configuration).

BTW, you have to remember that the problem is the risk of an attack succeeding; 'bad' entries in a log file is not a problem, per se (it is an early warning, providing someone looks through the log files and reacts, if appropriate), the risk of someone succeeding is the problem.

You are true, somebody trying to your server for unauthorized login attemots thats why you are getting the failure errors in your log file, and you cant secure your server with a single command. This is a continus and time consuming process.

In quick you can do some things,

Install APF and BFD in your machine and change the SSH port also block the unwanted port range in APF conf.