Why are there so many failed login attempts since the last successful login?


Why does it happen?

There are millions of infected computers in the world constantly scanning the internet for open services, which try to brute force their way into your servers. New computers are infected each day, so banning them becomes a futile exercise.

This is the reason we see so many failed login attempts when we login to our servers and this happens to any ssh server which runs on the default port 22 (among other protocols) and is exposed to the internet.

We do run honeypots and block over 90% of the scans in our network, but it’s not a perfect solution and criminals are always adapting their circumvention methods.

SSH is not the only scanned port. From what we detect, the most scanned ports are 22, 23, 445 and 3389. But there are scans for almost any port out there.

The solutions:

First of all, you need to ensure that you are using a strong password for your server. There’s absolutely no excuse to use a simple password, no matter what other security protections you have in place. Do not use root to access your servers and always use sudo if it is necessary to run privileged commands!

Secondly, ensure all your applications are updated and the last version is running. You could use dnf-automatic (rhel based) or unnattended-upgrades (debian based) to ensure all security updates are automatically done on your server. Combine it with a tool like needs-restarting to restart the applications after the update or reboot the server when a kernel update requires it.

The best solution to prevent such attacks is to firewall everything. Block everything by default and only allow your IPs or the services which should be publicly accessible (http/https for example).

If you do not have fixed IPs, the solution is to change the port to a random number, for example: 41935. This will reduce the automatic scans (and the noise they cause), but it won’t protect you from a targeted attack (which are rare, but do happen). Don’t forget to update the firewall and, if used, selinux so you don’t get yourself locked out.

For a better protection, you should disable password authentication and use ssh keys instead. This ensures your server cannot be brute forced into, even if your password is weak or gets stolen in some way. Make sure to add a strong encryption password for your private keys.

If you are looking for the best protection, beside firewalling and switching to ssh keys, you should use a hardware key (a yubikey for example) to keep your private keys from being stolen by malware. This will allow you to require a physical touch of the key when you are connecting to a server, so even in the case your computer is compromised, nobody can connect to your server without physical access. Always have at least 2 keys and keep one as backup in a safe place.

A guide on how to use yubikey for ssh access can be found here: https://www.mvps.net/docs/how-to-setup-yubikey-for-ssh-authentication-via-openpgp-on-windows/

Recent Posts