After checking my /var/log/auth.log, I discovered over 500 daily failed SSH login attempts - and this isn't unusual. Modern servers face constant automated attacks regardless of site popularity. Let's examine what's happening and how to harden defenses.
Here's a typical entry from auth.log showing a brute force attempt:
May 15 03:22:45 server sshd[2871]: Failed password for root from 203.0.113.42 port 54321 ssh2
May 15 03:22:47 server sshd[2871]: Failed password for root from 203.0.113.42 port 54321 ssh2
May 15 03:22:49 server sshd[2871]: Failed password for admin from 203.0.113.42 port 54321 ssh2
Attackers systematically try common username/password combinations across thousands of servers.
1. Install fail2ban:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
2. Modify SSH configuration (/etc/ssh/sshd_config):
# Change default port (keep the comment on its own line; older sshd versions reject a trailing comment)
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 30
Remember to restart SSH: sudo systemctl restart sshd
Key-based authentication setup:
ssh-keygen -t ed25519
# options (-i, -p) go before the user@host argument
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@server
Port knocking example (using knockd):
[options]
UseSyslog
# A correct knock opens 2222 for the knocking IP only (the firewall must drop 2222 by default)
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
tcpflags = syn
# The reverse sequence removes the rule again, so opened ports do not accumulate
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
tcpflags = syn
Create an attack monitoring script (auth_monitor.sh):
#!/bin/bash
# %e pads single-digit days with a space ("May  5") the way syslog does; %d gives "May 05" and matches nothing on those days
today=$(date +"%b %e")
count=$(grep "^$today " /var/log/auth.log | grep -c "Failed password")
echo "Today's failed attempts: $count"
# Take the IP as the token after "from": "Failed password for invalid user X from IP" shifts it from field 11 to field 13
grep "^$today " /var/log/auth.log | grep "Failed password" | \
awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr
For AWS EC2, implement Security Groups:
aws ec2 authorize-security-group-ingress \
--group-id sg-903004f8 \
--protocol tcp \
--port 2222 \
--cidr 192.0.2.0/24
These measures won't stop the attempts completely, but will dramatically reduce your attack surface and ensure only authorized access.
If you're seeing hundreds of failed login attempts in your /var/log/auth.log, you're experiencing a common but serious security issue. Automated bots constantly scan the internet for vulnerable SSH ports (typically port 22) and attempt brute-force attacks using common username/password combinations.
# Sample auth.log entries showing brute force attempts
May 15 03:21:23 server sshd[12345]: Failed password for root from 192.168.1.100 port 54321 ssh2
May 15 03:21:25 server sshd[12346]: Failed password for admin from 192.168.1.100 port 54321 ssh2
May 15 03:21:27 server sshd[12347]: Failed password for ubuntu from 192.168.1.100 port 54321 ssh2
Here are the most effective measures you should implement immediately:
# 1. Change SSH port (edit /etc/ssh/sshd_config)
# Change from default 22 to something else (keep the comment on its own line; older sshd versions reject a trailing comment)
Port 2222
# 2. Disable root login
PermitRootLogin no
# 3. Restart SSH service
sudo systemctl restart sshd
For more robust protection, consider these additional measures:
# Install and configure fail2ban
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Configure fail2ban for SSH (edit /etc/fail2ban/jail.local)
[sshd]
enabled = true
# Match your custom SSH port
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
- Use SSH key authentication instead of passwords
- Implement two-factor authentication for SSH
- Regularly update your server software
- Monitor logs for suspicious activity
- Consider using a VPN for server access
Here's a simple bash script to monitor and report failed login attempts:
#!/bin/bash
# Monitor failed SSH attempts
LOG_FILE="/var/log/auth.log"
# %e gives the space-padded day syslog uses ("May  5"); %d ("May 05") never matches those days
TODAY=$(date +"%b %e")
echo "Failed SSH attempts today:"
# Print date, time, user and source IP; locate "for"/"from" by name because "invalid user" lines shift the field numbers
grep "^$TODAY " "$LOG_FILE" | grep "Failed password" | \
awk '{u = ""; ip = ""; for (i = 1; i < NF; i++) { if ($i == "for") u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); if ($i == "from") ip = $(i+1) } print $1, $2, $3, u, ip}' | sort | uniq -c | sort -nr
echo -e "\nPotential brute force attacks (more than 5 attempts from single IP):"
grep "^$TODAY " "$LOG_FILE" | grep "Failed password" | \
awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr | awk '$1 > 5'
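An added example, not from either post above, of an auth.log summary that handles the two cases any such script has to get right: the `invalid user` message form, which shifts the source IP out of field 11, and single-digit days, which syslog pads with a space so `%b %d` never matches them. The log lines are constructed; the file path and the maxretry threshold are assumptions.

```shell
#!/bin/bash
# Constructed sample auth.log lines (not real traffic). They include the
# "invalid user" message form, which shifts the IP out of field 11, and a
# single-digit day, which syslog pads with a space ("May  5").
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  5 03:22:45 server sshd[2871]: Failed password for root from 203.0.113.42 port 54321 ssh2
May  5 03:22:47 server sshd[2872]: Failed password for invalid user oracle from 203.0.113.42 port 54322 ssh2
May  5 03:22:49 server sshd[2873]: Failed password for admin from 198.51.100.7 port 40001 ssh2
May  5 03:23:01 server sshd[2874]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
May  5 03:23:05 server sshd[2875]: Failed password for invalid user test from 203.0.113.42 port 54323 ssh2
May  4 23:59:59 server sshd[2800]: Failed password for root from 198.51.100.7 port 40000 ssh2
EOF

# "count ip" per source address for failed passwords on one syslog day
# ($2, e.g. "May  5"). The IP is taken as the token after "from", so the
# plain and the "invalid user" message forms are both handled.
failed_by_ip() {                   # $1 = log file, $2 = day prefix
    grep "^$2 " "$1" | grep 'Failed password' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "count user" per attempted username; the name after "invalid user" is kept.
failed_by_user() {                 # $1 = log file, $2 = day prefix
    grep "^$2 " "$1" | grep 'Failed password' |
    awk '{ u = ""; for (i = 1; i < NF; i++) if ($i == "for") u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); print u }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources at or above a threshold: what a fail2ban jail with maxretry = N
# (assumed value) would have banned on that day.
over_threshold() {                 # $1 = log file, $2 = day, $3 = threshold
    failed_by_ip "$1" "$2" | awk -v n="$3" '$1 >= n { print $2 }'
}

# Demonstration on the sample. For the real log use
# failed_by_ip /var/log/auth.log "$(date +'%b %e')"  (%e pads like syslog).
echo "Failed attempts on May  5 by IP:";   failed_by_ip "$SAMPLE_LOG" "May  5"
echo "Failed attempts on May  5 by user:"; failed_by_user "$SAMPLE_LOG" "May  5"
echo "At or above maxretry = 3:";          over_threshold "$SAMPLE_LOG" "May  5" 3
```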