Howto prevent Brute Force

Monsantosucks

Verified User
Joined
Nov 10, 2014
Messages
12
Hello, I've been checking my logs for some time because I have thousands of brute-force attacks on SSH. I changed my port from 22 to something else, but I still get lots of messages, so here's one line:

14156301785993 122.225.109.198 root 1 sshd5 Nov 10 12:00:14 vps2563 sshd[11298]: Failed password for root from 122.225.109.198 port 43064 ssh2

Why does this count as a login attempt? This IP address uses a port (43064) which doesn't listen to anything. I thought it would only be logged if someone actually tried the port SSH is listening on.
When I use putty.exe to connect to my server and put in a random port number, it just does nothing. Is this different?
 
You should indeed install a firewall, and CSF/LFD is a good one. Be sure not to use install.sh; use ./install_directadmin.sh to install instead.

This IP address uses a port (43064) which doesn't listen to anything.
Don't look at external ports. Computers will almost always use some port between 1024 and 65535 to make connections. Only look at the destination port.
If the destination port is 43064 and you don't have anything running on it, don't worry about it.

However, it's always good to run a decent firewall like CSF. Besides that, I would suggest you make use of SSH keys and disable plaintext passwords for SSH once everything is working OK.
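The point above (the "port" in a "Failed password" line is the client's ephemeral source port, and what matters is how many failures a source racks up against the port sshd actually listens on) can be checked directly from the log. The script below is an added example, not code from this thread or from CSF/LFD: it parses sshd "Failed password" lines, notes that every logged source port falls in the 1024-65535 ephemeral range, and counts failures per source IP the way an LFD-style login-failure daemon does before blocking. The sample log is constructed for the example (the first line is the one quoted in the post; the other addresses are from documentation ranges), and the failure threshold of 5 is an assumption, not CSF's default.

```python
import re
from collections import Counter, defaultdict

# sshd's "Failed password" message. The captured "sport" is the *client's*
# source port (randomly chosen, normally 1024-65535), not the port sshd
# listens on; the destination port does not appear in this message at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<sport>\d+) ssh2"
)

EPHEMERAL_MIN = 1024  # ports below this are the well-known/reserved range

# Constructed sample log. Line 1 is the line quoted in the post (with the
# log viewer's prefix left in place); the rest are made up for this example
# and use the documentation address 192.0.2.10 for a legitimate user.
SAMPLE_LOG = """\
14156301785993 122.225.109.198 root 1 sshd5 Nov 10 12:00:14 vps2563 sshd[11298]: Failed password for root from 122.225.109.198 port 43064 ssh2
Nov 10 12:00:16 vps2563 sshd[11301]: Failed password for root from 122.225.109.198 port 43070 ssh2
Nov 10 12:00:18 vps2563 sshd[11303]: Failed password for invalid user admin from 122.225.109.198 port 43081 ssh2
Nov 10 12:00:20 vps2563 sshd[11305]: Failed password for root from 122.225.109.198 port 43095 ssh2
Nov 10 12:00:22 vps2563 sshd[11307]: Failed password for root from 122.225.109.198 port 43102 ssh2
Nov 10 12:05:01 vps2563 sshd[11340]: Accepted publickey for deploy from 192.0.2.10 port 51822 ssh2
Nov 10 12:07:44 vps2563 sshd[11352]: Failed password for deploy from 192.0.2.10 port 51830 ssh2
Nov 10 12:07:50 vps2563 sshd[11352]: Accepted password for deploy from 192.0.2.10 port 51830 ssh2
"""


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line: user, source ip, source port."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)  # search, so a viewer prefix is harmless
        if m:
            records.append({
                "user": m.group("user"),
                "ip": m.group("ip"),
                "sport": int(m.group("sport")),
            })
    return records


def classify_port(port):
    """'ephemeral' for the 1024-65535 client range, else 'well-known'."""
    return "ephemeral" if EPHEMERAL_MIN <= port <= 65535 else "well-known"


def count_failures(records):
    """Failed attempts per source IP; this is the number a firewall script acts on."""
    return Counter(r["ip"] for r in records)


def usernames_tried(records):
    """Distinct usernames each source tried; many names from one IP is a guessing pattern."""
    names = defaultdict(set)
    for r in records:
        names[r["ip"]].add(r["user"])
    return names


def flag_brute_force(records, threshold=5):
    """Source IPs with at least `threshold` failures (assumed LFD-style rule), sorted."""
    return sorted(ip for ip, n in count_failures(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_failed_logins(SAMPLE_LOG)
    for ip, n in count_failures(recs).most_common():
        ports = sorted({classify_port(r["sport"]) for r in recs if r["ip"] == ip})
        print(f"{ip}: {n} failures, users={sorted(usernames_tried(recs)[ip])}, source ports={ports}")
    print("would block:", flag_brute_force(recs, threshold=5))
```

Run against a real /var/log/secure (or the equivalent on your distribution) by replacing SAMPLE_LOG with the file's contents; the source ports will all come out as "ephemeral", which is exactly why they say nothing about which of your ports was targeted.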
 
Okay, thanks! Now I understand why there are those odd port numbers. I will use iptables as a start.
 
You're welcome.
By the way... CSF/LFD is just a firewall script which makes the iptables rules for you. This way it can also check for brute-force attempts etc.
It's easy to set up; it just takes some time to look at all the options, but in most cases the default settings are OK. At least on a CentOS machine with DirectAdmin. ;)
Just don't use ./install.sh when installing; use ./install_directadmin.sh instead, for the best installation method.
 