Linux Security - Access Logs

It is very common for public facing servers to have brute forcing attempts against them. In this article, we'll cover what you can do to check if your server is victim and provide a usefull tip to help slow them down.

On your linux system, you can run the following command to scroll through the access log, which provides both failed and successful login attempts:

CentOS Systems:

# more /var/log/secure

Debian Systems:

# more /var/log/auth.log

While analyzing the above, you will see activity for all users on the system, including users created for applications. To filter this down to just SSH, you can use the following:

CentOS Systems:

# grep "ssh" /var/log/secure | more

Debian Systems:

# grep "ssh" /var/log/auth.log | more

If you are seeing a lot of failed login attempts, it is suggested that you change your SSH port from the default of "22" as most attackers focus on default ports. To change the SSH port for your server, you'll need to edit the configuration file for SSH and restart the service. Please following the below commands:

# vim /etc/ssh/sshd_config
- In the above file, modify the line "Port 22" removing the comment sign (#) and replacing 22 with the port of your choice. The line should look like the following for port 2201:

Port 2201

# Save and quit the vim text editor

# /etc/init.d/sshd restart

With the above, your SSH port will now be changed from the default, so you should see a large decrease in brute forcing attempts.

If you need assistance with any of the above or you would like our support team to change the port for you, please don't hesitate to contact us at [email protected]
  • 27 Users Found This Useful
這篇文章有幫助嗎?

相關文章

Best Practices for DDoS Attacks and Brute Force

DDoS Attacks Wanting to protect your server from any future DDoS attacks? You can setup a free...

Finding scripts responsible for Email / Spam

Sometimes you will find that your servers IP address is becoming blacklisted because of spaming...