Ssh – How to secure a Mac Server (“Possible break-in attempt” in logs)

brute-force-attacks, macosx-leopard, ssh

I'm getting these quite frequently in my /var/log/secure.log:

Nov  5 10:50:49 www sshd[775]: reverse mapping checking getaddrinfo for 124.107.32.54.pldt.net [124.107.32.54] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  5 10:50:49 www sshd[775]: Invalid user weber from 124.107.32.54
Nov  5 10:51:18 www sshd[802]: Invalid user weblogic from 66.178.48.196
Nov  5 10:51:56 www sshd[826]: reverse mapping checking getaddrinfo for gw-baneasa-v422.comtelnetworks.eu [193.230.208.98] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  5 10:51:56 www sshd[826]: Invalid user webmail from 193.230.208.98
Nov  5 10:52:22 www sshd[860]: Invalid user webmail from 150.214.102.129
Nov  5 10:53:29 www sshd[905]: Invalid user webmaster from 195.205.203.6
Nov  5 10:53:57 www sshd[928]: Invalid user webmaster from 86.101.90.21
Nov  5 10:54:29 www sshd[943]: Invalid user webservd from 151.118.130.225

I've disabled all forms of SSH authentication except for publickey so I don't think they'll find a way in. But should I be more worried about this?

  • Is there a way I can prevent this from happening or is my website just now becoming popular?
  • Can I set up a firewall on the server to block failed login attempts? The attack appears to be distributed; each attempt is coming from a different IP.

Best Answer

A nice alternative to moving your SSH port is to use something like Blockhosts. It's a python script that scans your log files (usually /var/log/auth.log) for these kinds of things, and puts dynamic entries into /etc/hosts.allow to block people doing brute force scanning. I use it to good effect on my SSH and vsftpd installs to blacklist people after 5 incorrect passwords in a row.
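As an added illustration of the log-scanning approach the answer describes (example code written for this page, not BlockHosts itself), the following Python script counts sshd "Invalid user" and "Failed password" lines per source IP and emits the hosts.allow deny rules such a tool would install once an IP reaches the answer's threshold of 5. The log lines are constructed for the example using documentation addresses, and the "sshd: IP : deny" form assumes tcp_wrappers' extended hosts_options syntax.

```python
import re
from collections import Counter

# sshd messages that record a failed login. The "reverse mapping checking ...
# POSSIBLE BREAK-IN ATTEMPT" line is only a DNS mismatch warning, not a failed
# login, so it is deliberately not matched here.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for (?:invalid user )?\S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLD = 5  # failures before an IP is blocked, as in the answer


def failed_logins(lines):
    """Return a Counter of failed-login attempts keyed by source IP.

    Counts total failures per IP; a real tool would track consecutive ones.
    """
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def deny_rules(counts, threshold=THRESHOLD):
    """Build hosts.allow lines denying sshd to IPs at or above the threshold."""
    return [f"sshd: {ip} : deny" for ip, n in sorted(counts.items()) if n >= threshold]


# Constructed sample log (not the poster's real log): one host retries six times,
# one twice, and one trips only the reverse-mapping warning plus a single failure.
SAMPLE_LOG = [
    "Nov  5 11:00:01 www sshd[901]: reverse mapping checking getaddrinfo for h.example [192.0.2.44] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Nov  5 11:00:01 www sshd[901]: Invalid user admin from 192.0.2.44",
    "Nov  5 11:00:30 www sshd[915]: Failed password for root from 203.0.113.9 port 4021 ssh2",
    "Nov  5 11:00:35 www sshd[915]: Failed password for root from 203.0.113.9 port 4021 ssh2",
] + [
    f"Nov  5 11:01:{s:02d} www sshd[{920 + s}]: Invalid user {u} from 198.51.100.7"
    for s, u in enumerate(["oracle", "test", "guest", "weblogic", "webmaster", "webservd"])
]

if __name__ == "__main__":
    for rule in deny_rules(failed_logins(SAMPLE_LOG)):
        print(rule)  # prints "sshd: 198.51.100.7 : deny"
```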