How to stop SSH login cracking attack?

mr-cracker (Verified User, joined Sep 17, 2009, 54 messages)

Hello all,

I use CSF firewall, and the Deny IP List is full of
219.129.21.4 # lfd: (sshd) Failed SSH login from 219.129.21.4 (CN/China/-): 5 in the last 3600 secs - Fri May 24 10:57:03 2013
119.36.186.44 # lfd: (sshd) Failed SSH login from 119.36.186.44 (CN/China/119.36.arpa.hb.cnc.cn): 5 in the last 3600 secs - Fri May 24 20:49:29 2013
220.178.18.67 # lfd: (sshd) Failed SSH login from 220.178.18.67 (CN/China/-): 5 in the last 3600 secs - Sat May 25 11:04:03 2013
193.111.141.244 # lfd: (PERMBLOCK) 193.111.141.244 has had more than 4 temp blocks in the last 86400 secs - Sat May 25 13:24:45 2013
124.160.194.27 # lfd: (sshd) Failed SSH login from 124.160.194.27 (CN/China/-): 5 in the last 3600 secs - Sat May 25 19:16:18 2013

My password is very hard to guess, but this has been going on for months now, so I want to stop it once and for all. I guess changing the SSH port will help. But I don't know how to do it.

Any ideas, guys?
 
  1. Go to your SSH console
  2. Type: nano /etc/ssh/sshd_config
  3. Change #port 22 to port xxx
  4. Save with CTRL + x and then y
  5. Type: service sshd restart
  6. SSH port changed
 
Stop the attack? Shut down your server, this is the best solution;
there is no successful solution for that.
But:
1. change ssh port
2. allow only access from your ip
3. don't use password auth, use pubkey
 
I would suggest only to use option 1 and 2 if you are on a dynamic IP. Because when it changes, you block yourself out of your own server without an option to fix it, except via your provider/datacenter.
Normally option 1 and 2 are already enough, and almost no attacks are seen anymore.
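
A check for the settings discussed in the replies above (port, password auth, pubkey auth), as an added example that is not part of the original thread. The function names and the sample config are constructed for illustration, and the script reads only the global section of a single file.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config-style file.
# Assumption: global section of one file only; Include files are not followed.

# Drop comments and blanks, accept "Key=Value", stop at the first Match block.
global_lines() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { sub(/[ \t]*=[ \t]*/, " ") }
         tolower($1) == "match" { exit }
         { print tolower($1), $2 }' "$1"
}

# Port may be given several times (sshd listens on each); the default is 22.
listen_ports() {
    p=$(global_lines "$1" | awk '$1 == "port" { print $2 }')
    echo "${p:-22}"
}

# For most other keywords sshd keeps the first value it reads.
first_value() {   # args: FILE lowercase-keyword default
    v=$(global_lines "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    echo "${v:-$3}"
}

audit_sshd() {
    for port in $(listen_ports "$1"); do
        if [ "$port" = 22 ]; then echo "WARN: listening on default port 22"
        else echo "OK: listening on port $port"; fi
    done
    pw=$(first_value "$1" passwordauthentication yes)
    pk=$(first_value "$1" pubkeyauthentication yes)
    if [ "$pw" = no ]; then echo "OK: password logins disabled"
    else echo "WARN: PasswordAuthentication is $pw"; fi
    if [ "$pk" = yes ]; then echo "OK: public-key logins enabled"
    else echo "WARN: PubkeyAuthentication is $pk"; fi
}

# Constructed sample: the "#" from step 3 was left in place, so the port never
# changed, and the second PasswordAuthentication line is ignored by sshd.
sample_config() {
    cat <<'EOF'
#port 2222
PasswordAuthentication no
passwordauthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_sshd "$tmp"; rm -f "$tmp"
```

On a real server, run `sshd -t` to validate the file before restarting the service and keep the current session open until a new login on the new port succeeds. With CSF, the new port also has to be added to `TCP_IN` in `/etc/csf/csf.conf` before the restart, or the firewall will drop the connection.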
 