Linux – Preventing – Large Number of Failed Login Attempts from IP

Tags: centos, linux, security, ssh

I'm running a CentOS 6.3 server and currently receive emails entitled "Large Number of Failed Login Attempts from IP" from my server every 15 minutes or so.

Surely with the below configured, it should mean only the person using my static IP should be able to even try and log in?

If that's the case, where are these remote unknown users trying to log in, which is generating these emails?

Current Security Steps:

  • root login is only allowed without-password
  • StrictModes yes
  • SSH password login is disabled – PasswordAuthentication no
  • SSH public keys are used
  • SSH port has been changed to a number greater than 40k
  • cPHulk is configured and running
  • Logins limited to specific ip address
  • cPanel and WHM limited to my static ip only

sshd_config

# AllowUsers takes USER@HOST patterns: only this user, from this address, may log in
AllowUsers user@static.ip.address

hosts.allow

ALL : <Static IP>

hosts.deny

ALL : ALL

iptables

# -I inserts at the top of the chain, so the rule added last is evaluated first:
# run the REJECT rule before the ACCEPT rule (or append both with -A) so the
# static-IP ACCEPT is matched first. --dport must be the port sshd actually listens on.
iptables -I INPUT -s <Static IP> -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 22 -j REJECT

Best Answer

What I would do is use Fail2Ban & point it to your ssh log file. That way if you get a specified number of failed attempts from the same IPs, fail2ban automatically adds a firewall rule to drop packets from those IPs for a period of time you specify.
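The counting logic the answer describes, as an added illustration and not code from the answer or from Fail2Ban itself: it scans sshd failure lines in the CentOS /var/log/secure format and flags any source IP that reaches maxretry failures inside a findtime-second sliding window, which is what a fail2ban sshd jail's maxretry and findtime settings do before bantime takes effect. The log lines are constructed samples, and the IPs in them are documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the /var/log/secure syslog format (not real log data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:04 host sshd[2103]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[2105]: Invalid user oracle from 198.51.100.7
Mar  3 10:00:12 host sshd[2107]: Failed none for invalid user test from 198.51.100.7 port 51250 ssh2
Mar  3 10:00:15 host sshd[2109]: Connection closed by 198.51.100.7 [preauth]
Mar  3 10:00:20 host sshd[2111]: Failed password for invalid user pi from 203.0.113.9 port 40000 ssh2
Mar  3 10:00:25 host sshd[2113]: Accepted publickey for user from 192.0.2.10 port 55000 ssh2
Mar  3 10:30:00 host sshd[2120]: Failed password for invalid user pi from 203.0.113.9 port 40001 ssh2
Mar  3 10:30:05 host sshd[2122]: Failed password for invalid user pi from 203.0.113.9 port 40002 ssh2
"""

# Matches the sshd messages that count as a failed login: "Failed <method> for ..."
# (password, none, publickey) and "Invalid user ..." (an unknown account was tried).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for (?:invalid user )?\S+ from|Invalid user \S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every line that records a failed sshd login."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; the default year is fine for relative comparison
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def ips_to_ban(log_text, maxretry=5, findtime=600):
    """Return {ip: peak_failures} for IPs with >= maxretry failures inside any findtime-second window."""
    windows = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = max(banned.get(ip, 0), len(q))
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG, maxretry=3, findtime=600))
```

With maxretry=3 and findtime=600 only 198.51.100.7 is flagged; 203.0.113.9 spreads its three failures across 30 minutes and is only caught with a wider findtime, which is the trade-off to keep in mind when tuning the jail. Note that a real jail also needs its port set to the non-standard sshd port, otherwise the ban rule it installs does not cover the traffic.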
