There were 29400 failed login attempts since the last successful login
ERROR :
Last failed login: Sun May 8 01:15:05 EDT 2016 from 115.200.211.32 on ssh:notty
There were 294 failed login attempts since the last successful login.
Last login: Fri May 6 23:53:10 2016 from 115.245.182.144
FIX :
You may see the warning above when you SSH into the server. It means someone is running a brute-force attack against the server: repeatedly guessing the root password over SSH. The counter is printed by PAM at login and covers only the failures since your last successful login, so the real volume in the logs is usually higher.
To find the source of the attack, check the SSH daemon's log (/var/log/secure on RHEL/CentOS, /var/log/auth.log on Debian/Ubuntu) for "Failed password" entries. You will see lines like these:
May 8 01:15:03 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:05 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
You can see that there are a lot of failed login attempts from 115.231.219.33. Note that this need not be the address shown in the login banner (115.200.211.32 above): the banner only shows the last failure, while the log shows every attempt. The attacking machine is often itself a compromised server, so its owner may not know it is attacking you. Before blocking or reporting an address, make sure it is not your own office or VPN address.
Find out which hosting provider or datacenter owns the attacking address and send the relevant log lines to their abuse department. A geolocation site such as www.ip2location.com shows the provider; the whois record for the address at the regional Internet registry also lists an abuse contact.
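The log review above is usually done with a one-liner; the script below is an added example (not from the original page) that counts failed SSH password attempts per source address so the top offender can be reported or blocked. It runs over a constructed sample of /var/log/secure lines embedded in the script; on a real server pass the path of your own log instead. The function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not taken from the page's server).
# 198.51.100.7 and 203.0.113.5 are documentation addresses used as placeholders.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 8 01:15:03 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:05 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:15:07 server sshd[19530]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
May 8 01:15:09 server sshd[19526]: Failed password for root from 115.231.219.33 port 3891 ssh2
May 8 01:16:00 server sshd[19540]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
EOF

# Count failed password attempts per source IP, most active first.
# Works on /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu).
# "invalid user" lines are included, since the username appears before "from".
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# IP with the most failures, e.g. for an abuse report or a firewall block.
top_attacker() {
    failed_logins_by_ip "$1" | head -n 1 | awk '{print $2}'
}

# Number of failures from one given IP (empty if it never failed).
failures_from() {
    failed_logins_by_ip "$1" | awk -v ip="$2" '$2 == ip {print $1; exit}'
}

failed_logins_by_ip "$SAMPLE_LOG"
```

On a busy server run it against the current log only, or the rotated logs as well (`/var/log/secure*`) if you want the full history since the last successful login.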
1. Set a strong root password for your Linux server. A long random password mixing upper and lower case, digits and symbols (for example something of the form “fbdfGTYU6#@SW98”) is impractical to guess over SSH. Do not use that exact string, since it has been published here, and do not reuse the password anywhere else.
2. Change the SSH port number to reduce the noise from automated scanners hitting port 22. This does not stop a targeted attacker, so combine it with steps 3 and 4.
Edit the SSH configuration file /etc/ssh/sshd_config to change the port number.
#vi /etc/ssh/sshd_config
Port 6054
# service sshd restart
Allow port 6054 in the server firewall before restarting sshd, then restart the service (on systemd hosts: systemctl restart sshd, or ssh on Debian/Ubuntu). Keep your current session open until you have confirmed that a new connection on port 6054 works, otherwise you can lock yourself out.
3. Disable PermitRootLogin and use sudo or su
First create a regular user, give it sudo rights (or make sure you know the root password for su), and confirm you can log in as that user. Then edit /etc/ssh/sshd_config to disable root login. The argument must be lowercase: sshd_config keywords are case-insensitive but their arguments are not.
#vi /etc/ssh/sshd_config
PermitRootLogin no
# service sshd restart
From then on log in as the regular user and use sudo or su to get root.
4. Use SSH key-based authentication instead of passwords. Generate a key pair on your workstation, add the public key to ~/.ssh/authorized_keys of your login user on the server, verify that key login works, and only then set PasswordAuthentication no in /etc/ssh/sshd_config. With passwords disabled a brute-force attack has nothing left to guess.
5. Allow SSH access only from your own IP address. Restrict the SSH port in the server firewall to your ISP or office address and drop everything else. If your ISP address changes, you will need another way in (console access from the hosting provider), so prefer a static address or a VPN endpoint.
6. Install a host firewall on the server (iptables or firewalld) to block these attacks. A log-driven blocker such as fail2ban, which bans an address after a number of failed logins, cuts the noise further, but it complements rather than replaces steps 3 to 5.
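Steps 2 to 5 above are all edits to the same file plus a firewall rule, so here they are as one script. This is an added example, not the page's own procedure: it works on a constructed copy of a default sshd_config embedded in the script (the real file is /etc/ssh/sshd_config), the function names are my own, port 6054 is the page's example port, and 203.0.113.5 is a placeholder for your admin address. It also demonstrates how sshd reads the file: the first uncommented occurrence of a directive wins, and anything after a Match block applies only to that block, which is why new values are put at the top rather than appended.

```shell
#!/bin/sh
# Constructed copy of a default-style sshd_config with the weak settings
# (commented-out defaults and password login on). Not the page's own file.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Replace (or add) one sshd_config directive. Existing active or commented-out
# copies are removed and the new value is written at the top of the file, so it
# is the first occurrence sshd honours and cannot land inside a later Match block.
set_directive() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp)
    { printf '%s %s\n' "$key" "$value"
      grep -v -i "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]" "$cfg"; } > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Effective value of a directive: first uncommented occurrence, as sshd sees it.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) {print $2; exit}' "$1"
}

# Steps 2-4: non-default port, no root login, keys instead of passwords.
# Only disable passwords after a key for your admin user is in
# ~/.ssh/authorized_keys and a key login has been tested.
harden_sshd_config() {
    cfg=$1; port=$2
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" PasswordAuthentication no
}

# Step 5: iptables rules allowing the new port only from the admin address.
# Printed rather than applied; run them as root after checking the values.
firewall_rules() {
    port=$1; admin_ip=$2
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_ip"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

harden_sshd_config "$CFG" 6054
firewall_rules 6054 203.0.113.5
```

To use it for real, run harden_sshd_config against a copy of /etc/ssh/sshd_config, check the result with `sshd -t -f <copy>` (it reports syntax errors such as "PermitRootLogin No"), put the copy in place, apply the firewall rules, restart sshd, and only close your existing session once a fresh key login on the new port from the admin address succeeds.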