It is very common for public-facing servers to be targeted by brute-force login attempts. In this article, we'll cover how to check whether your server is a victim and provide a useful tip to help slow the attempts down.
On your Linux system, you can run the following command to page through the authentication log, which records both failed and successful login attempts:
CentOS Systems:
# more /var/log/secure
Debian Systems:
# more /var/log/auth.log
While analyzing the above, you will see activity for all users on the system, including users created for applications. To filter this down to just SSH, you can use the following:
CentOS Systems:
# grep "ssh" /var/log/secure | more
Debian Systems:
# grep "ssh" /var/log/auth.log | more
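To turn the filtered log into numbers, this added example (not part of the original article) counts failed password attempts per source address and lists successful logins from addresses that also failed repeatedly. The function names, the threshold of 3 and the sample log lines are constructed for illustration; on a real server, feed it the log with `ssh_failed_by_ip < /var/log/secure`.

```shell
#!/bin/sh
# Added example, not from the original article. Log lines below are constructed.

# awk helper: index of the LAST "from" field. sshd writes "from <ip> port <n>"
# after the user name, so scanning from the right is not fooled by a
# client-supplied user name that is itself the word "from".
FROM_IDX='function from_idx(  i) {
    for (i = NF - 1; i > 1; i--) if ($i == "from") return i
    return 0
}'

# stdin: auth log. stdout: "<failed attempts> <source ip>", busiest first.
ssh_failed_by_ip() {
    awk "$FROM_IDX"'
        /sshd[^ ]*: Failed password for / { if ((k = from_idx())) fail[$(k + 1)]++ }
        END { for (ip in fail) print fail[ip], ip }' | LC_ALL=C sort -k1,1nr -k2,2
}

# stdin: auth log, $1: threshold. stdout: "<ip> <user> <failures>" for every
# successful login from an address that also failed at least $1 times.
ssh_accepted_after_failures() {
    awk -v min="$1" "$FROM_IDX"'
        /sshd[^ ]*: Failed password for / { if ((k = from_idx())) fail[$(k + 1)]++ }
        /sshd[^ ]*: Accepted [^ ]+ for /  { if ((k = from_idx())) ok[$(k + 1) " " $(k - 1)] = 1 }
        END { for (key in ok) { split(key, p, " ")
                  if (fail[p[1]] + 0 >= min + 0) print key, fail[p[1]] } }' | LC_ALL=C sort
}

# Constructed sample in the syslog format used by /var/log/secure and auth.log.
sample_log() {
    cat <<'EOF'
Mar  3 04:11:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:11:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 04:11:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 04:11:07 host sshd[2105]: Failed password for invalid user from from 198.51.100.9 port 40100 ssh2
Mar  3 04:11:09 host sshd[2107]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Mar  3 09:30:00 host sshd[2300]: Failed password for alice from 192.0.2.44 port 50022 ssh2
Mar  3 09:30:12 host sshd[2300]: Accepted password for alice from 192.0.2.44 port 50022 ssh2
Mar  3 09:31:00 host CRON[2310]: pam_unix(cron:session): session opened for user root
EOF
}

sample_log | ssh_failed_by_ip
sample_log | ssh_accepted_after_failures 3
```

A line in the second report means a login succeeded from an address that had been guessing passwords, which deserves investigation before anything else.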
If you are seeing a lot of failed login attempts, it is suggested that you change your SSH port from the default of "22", as most attackers focus on default ports. To change the SSH port for your server, you'll need to edit the SSH configuration file and restart the service. Please follow the commands below:
# vim /etc/ssh/sshd_config
- In the above file, modify the line "Port 22" removing the comment sign (#) and replacing 22 with the port of your choice. The line should look like the following for port 2201:
Port 2201
# Save and quit the vim text editor
# /etc/init.d/sshd restart
With the above, your SSH port will now be changed from the default, so you should see a large decrease in brute forcing attempts.
If you need assistance with any of the above or you would like our support team to change the port for you, please don't hesitate to contact us at [email protected]