There were 29400 failed login attempts since the last successful login

ERROR : There were 29400 failed login attempts since the last successful login

Last failed login: Sun May 8 01:15:05 EDT 2016 from 115.200.211.32 on ssh:notty
There were 294 failed login attempts since the last successful login.
Last login: Fri May 6 23:53:10 2016 from 115.245.182.144

FIX :

You might see the above warning when you SSH to the server from your end. It means a brute-force attack is trying to guess the root password of your server.

Run the command below to find the source of the attack:

root@server [~]# grep -i Failed /var/log/secure

May 8 01:15:03 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:05 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2

You can see that there are a lot of failed login attempts from the IP address 115.231.219.33. Such attacks are often launched from compromised servers, so 115.231.219.33 might itself be a compromised server.
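To do the same counting without reading the log by eye, here is an added example (not part of the original post) that parses "Failed password" lines in the format shown above, tallies them per source IP and flags any source above a threshold. The log excerpt inside it is constructed for the demonstration; on a real host, point the functions at /var/log/secure instead.

```shell
#!/bin/sh
# Constructed sample in the same format as the /var/log/secure lines above.
SAMPLE_LOG='May 8 01:15:03 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:05 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:09 server sshd[19530]: Failed password for invalid user admin from 115.231.219.33 port 3902 ssh2
May 8 01:16:11 server sshd[19544]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 8 01:17:02 server sshd[19551]: Accepted publickey for bob from 10.0.0.7 port 50130 ssh2'

# failed_by_ip FILE -> lines of "count ip", most frequent source first.
# Matches the same "Failed password ... from <ip>" lines the grep above shows,
# including the "invalid user" variant, and ignores successful logins.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# flag_sources FILE THRESHOLD -> only the IPs with at least THRESHOLD failures,
# i.e. the candidates to report to the owner's abuse desk or to block.
flag_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed excerpt.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "Failed logins per source IP:"
failed_by_ip "$tmp"
echo "Sources with 3 or more failures:"
flag_sources "$tmp" 3
rm -f "$tmp"
```

On a live server, replace the constructed file with /var/log/secure (or /var/log/auth.log on Debian-based systems).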

Look up the datacenter that owns the attacking IP address and contact its abuse department to report the attack. You can find the datacenter of an IP address using the website below.

www.ip2location.com

1. Set a strong root password for your Linux server. Example: a password like “fbdfGTYU6#@SW98” will take many years to crack.

2. Change the SSH port number to reduce the attacks on port 22

Edit the SSH configuration file /etc/ssh/sshd_config to change the port number.

# vi /etc/ssh/sshd_config

Port 6054

# service sshd restart

Restart the SSH service after changing the port. Do not forget to allow port 6054 in the server firewall, otherwise you will lock yourself out.

3. Disable PermitRootLogin and use sudo or su

Edit the file /etc/ssh/sshd_config to disable root login.

# vi /etc/ssh/sshd_config
PermitRootLogin no
# service sshd restart

Set up sudo or su so that you can still obtain root access on the server.

4. Use SSH key-based authentication instead of direct root login

5. Allow access to the server only from your ISP IP address. Restrict access from all other IP addresses except your own; this can be set up using the firewall.

6. Install a firewall on the server to block these attacks.