Setting up a new VPS, help with security

         

csdude55

5:44 am on Dec 5, 2020 (gmt 0)


As I'm working to set up my new VPS, I've made a rather disturbing discovery. There are literally THOUSANDS of failed SSH login attempts, daily!

When I logged in earlier today, SSH said:

Last failed login: Fri Dec 4 17:19:03 EST 2020 from 123.45.67.89 on ssh:notty
There were 10514 failed login attempts since the last successful login.
Last login: Fri Dec 4 01:59:54 2020 from 172.106.10.130

That's 10,000 login attempts in about 15 hours :-O I'm only guessing that the previous owner had 0 security or something.

The VPS is using CentOS 7.9. I've installed ConfigServer Firewall, and used CC_ALLOW_FILTER to limit all connections to country codes US,MP,PR. And I'm about to change the SSH port.

Any other suggestions on what I might do to stop those login attempts? My old VPS rarely had any attacks like this, so 10,000 in 15 hours is... scary.

dstiles

10:13 am on Dec 5, 2020 (gmt 0)


That put me off ssh for a Windows box. Only when I set up a Mint VPS on Windows did I really look into it again. Secret is to NOT use the default port, but to select something obscure in the 1000's. And obviously block the default port 22. Can't do without it now. :)

JorgeV

10:50 am on Dec 5, 2020 (gmt 0)


Hello,

You can't prevent "attempts"; port scanning and so on are as old as the Internet.

All you can do is make these attempts remain attempts.

Besides changing the SSH port number, you should (must) disable password authentication and replace it with Public Key authentication.

graeme_p

2:41 pm on Dec 10, 2020 (gmt 0)


You can do the following:

1. port knocking to hide the port
2. change ssh port - but some will find it anyway
3. disable root login or make it key only - this is the easiest.
4. disable password auth altogether - key auth is convenient once set up
5. use fail2ban or similar to lock out anyone who tries to log in repeatedly - beware, at least one bit of software has triggered this wrongly for me by auto-retrying a failed password
6. Use the firewall to restrict ssh to specific IPs

Probably a lot of other options.
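
An added example, not part of any post in this thread: a small Python audit that reads sshd_config text and flags the settings the replies above say to change (default port, password authentication, root login). The sample config is constructed, and the function names `effective_settings` and `audit` are made up for this illustration.

```python
# Added example; SAMPLE_CONFIG is constructed, not the poster's real config.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
PubkeyAuthentication yes
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Global keyword -> value. sshd keeps the FIRST value it reads per keyword."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, or a commented-out (inactive) setting
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break  # conditional blocks follow; this audit covers global settings only
        if key == "port":
            ports.append(value)  # Port may be listed more than once
        else:
            settings.setdefault(key, value.lower())  # later duplicates are ignored
    settings["port"] = ports or ["22"]  # sshd listens on 22 when Port is unset
    return settings

def audit(text):
    s = effective_settings(text)
    findings = []
    if "22" in s["port"]:
        findings.append("port: still listening on default port 22")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("passwordauthentication: passwords accepted, use keys only")
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("permitrootlogin: not set, build default applies; set it explicitly")
    elif root == "yes":
        findings.append("permitrootlogin: root can log in with a password")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("pubkeyauthentication: key login is disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The duplicate `passwordauthentication no` line in the sample is ignored because the earlier `yes` wins, which is a common way a hardening edit appended to the end of the file silently fails to take effect.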