If you see a large number of login attempts against your server since you last logged in, it’s easy to get freaked out. When you log in to your server and look into the matter, you’re likely to see the following message:
There were X failed login attempts since the last successful login
Some users have reported over 1,000 failed login attempts!
Why Does This Happen?
You may be wondering why there are so many failed login attempts. There’s a simple reason for that. Automated programs, or bots, continuously scan the internet for vulnerable sites. They launch brute-force attacks against any open service they find and try to sneak in. So if you see that many failed attempts, it’s perhaps because your SSH endpoint was attacked by one of these malware programs. But SSH is not the only endpoint the hackers target. The most scanned ports for exploitation are 22, 23, 445, and 3389. In general, scans are run against almost every port out there.
How to Fix This?
The best protection against these unwanted scans and login attempts is to use a strong firewall. Configured with a default-deny policy, the firewall blocks all connections and allows only the IP addresses you list.
If you connect from a wide range of IP addresses that aren’t fixed, you can change the port instead. Move from the default port number to something like 41935. It won’t prevent the scans, but it will reduce their number.
Another way to prevent these attacks is to disable password authentication and use SSH keys. That means no one can brute-force their way into your server. To further strengthen the defense, protect the private keys with a strong passphrase.
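The port change and the switch to key-only logins described above can be checked against a server's sshd_config. The script below is an added example, not code from the original article; the helper names sshd_values and audit_sshd_config and the sample config are constructed for illustration, and OpenSSH's documented keywords and defaults are assumed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the article's SSH-side fixes.
# Assumes OpenSSH keywords and defaults (Port 22, PasswordAuthentication yes,
# PubkeyAuthentication yes). Include files are not followed.

# Print every global value of keyword $2 in file $1, or default $3 if unset.
# Keywords are case-insensitive; lines after "Match" apply only conditionally.
sshd_values() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Print one finding per line; return 0 if clean, 1 otherwise.
audit_sshd_config() {
    findings=0
    # sshd keeps the FIRST value of a keyword, so later lines are ignored.
    pw=$(sshd_values "$1" PasswordAuthentication yes | head -n 1)
    pk=$(sshd_values "$1" PubkeyAuthentication yes | head -n 1)
    # Port is the exception: every Port line adds a listener.
    if sshd_values "$1" Port 22 | grep -qx 22; then
        echo "NOTE: listening on port 22 (moving it only reduces scan noise)"
        findings=$((findings + 1))
    fi
    if [ "$pw" != no ]; then
        echo "WARN: PasswordAuthentication $pw (passwords can be brute-forced)"
        findings=$((findings + 1))
    fi
    if [ "$pk" != yes ]; then
        echo "WARN: PubkeyAuthentication $pk (key logins are disabled)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 41935' \
    'passwordauthentication yes' 'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "sample config needs attention"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself resolves it, which also covers Include files that this script skips.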
Some admins have gone beyond software and adopted hardware for authentication purposes. You can use a hardware key such as a YubiKey, so any attempt to access the server will be futile without the physical touch.
These are some of the ways you can avoid the login attempts made by hackers. In conclusion, don’t get nervous when you see so many attempts made in your absence. It’s normal to face brute-force attacks. Setting up strong passwords and a firewall is the best way to prevent these types of attacks.