SSH - excessive number of failed login attempts

Hi all,
A slightly different general question about a ns with fail2ban active…

Would this response be expected?

C:\WINDOWS\system32> ssh root@192.168.1.25
root@192.168.1.25’s password:
Last failed login: Sat Jan 11 20:00:47 GMT 2020 from 222.186.173.183 on ssh:notty
There were 23181 failed login attempts since the last successful login.
Last login: Mon Dec 23 22:50:18 2019 from 192.168.1.24

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

[root@kayak ~]#

23181 failed login attempts within about 3 weeks seems a lot to me!

222.186.173.183 IP address has been reported as abusive (brute force attacks…)

Check fail2ban SSH jails are active.
Consider using a non-standard SSH port number (security through obscurity)
Connect through SSH with a non-root user
Use key based authentication
Disable password authentication
Disable root logins

1 Like

Check fail2ban SSH jails are active - done
Consider using a non-standard SSH port number (security through obscurity) - not done
Connect through SSH with a non-root user - was logging on from within a small lan
Use key based authentication - done
Disable password authentication - done
Disable root logins - done

Obviously, this NS has been under quite severe attacks recently - yet it has been successful in defending itself!

Hi River_Mersey,

I would say the same thing. On the web GUI, under SSH…

Also, you can set the recidive to permanent in Fail2ban.

A few years ago, I had the same problem. SSH attemps every 5-10 seconds. I changed the port and after that, the attemps were gone.

Michel-André

Make port 22 only accessible from the green network.

If you have a reason to connect remotely, look into using OpenVPN (or another VPN solution) instead.

Cheers.

Ah ha!
Many thanks for everyone’s help!
As advised, ticked the recidive box.
Changed the ssh on port 22 on both NS and lan’s router DNS table to a random unallocated port 2222.
Seems to work, as I now cant log in as follows:


C:\WINDOWS\system32> ssh root@192.168.1.25
ssh: connect to host 192.168.1.25 port 22: Connection refused
C:\WINDOWS\system32>


How do I give myself legitimate permissions to login on the lan as root on ssh port 2222 ?

Ah ha again!
Starting to answer my own questions…


C:\WINDOWS\system32> ssh root@192.168.1.25 -p 2222
root@192.168.1.25’s password:
Last failed login: Sat Jan 11 22:13:40 GMT 2020 from 218.92.0.168 on ssh:notty
There were 217 failed login attempts since the last successful login.
Last login: Sat Jan 11 20:02:37 2020 from 192.168.1.24

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

[root@kayak ~]#


ssh command in windows 10 command line now needs an additional switch of “-p 2222” specifying the port number - not including quote marks.

Fail2ban control sliders were left as default, so I expect it will take a little time for this banned ips to become permenantly banned!