Failed password for root from xxx.xxx.xxx.xxx in logs


(Tuan Anh Tran) #1

I’m seeing this quite often in logs. Not sure what causes it though. I’m riding on HEAD.

Disconnecting: Too many authentication failures for root [preauth]
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 2687 ssh2
Disconnecting: Too many authentication failures for root [preauth]
Failed password for root from xxx.xxx.xxx.xxx port 1107 ssh2
Failed password for root from xxx.xxx.xxx.xxx port 1107 ssh2

(Jonas Friedmann) #2

Compromised servers/computers that use password lists to try random logins to known IPs (DigitalOcean, EC2, etc. subnets). You can take a look into fail2ban to tempban (via iptables) those bots after a specific number of failed logins.
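Added example, not from the thread or from fail2ban itself: the log above shows sshd cutting one connection after six failures ("Too many authentication failures") and the same source immediately coming back on a new port (2687, then 1107), so the per-connection limit alone does nothing against a bot. What fail2ban does is count failures per source address across connections and ban the address once it exceeds a threshold inside a time window. The script below reproduces that sliding-window logic over constructed auth.log lines (RFC 5737 documentation addresses, an assumed syslog prefix and an assumed year, since syslog timestamps carry none):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the OpenSSH auth-log line quoted in the thread, with the syslog
# "Mon dd HH:MM:SS host sshd[pid]:" prefix that /var/log/auth.log carries.
# "invalid user" appears when the username does not exist locally.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) ssh2$"
)

# Constructed sample log (assumption): one bot hammering root from 203.0.113.7,
# a second source with two failures far apart, plus lines that are not failures.
SAMPLE_LOG = """\
Mar  2 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 2687 ssh2
Mar  2 10:00:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 2687 ssh2
Mar  2 10:00:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 2687 ssh2
Mar  2 10:00:06 host sshd[1240]: Failed password for root from 198.51.100.9 port 1107 ssh2
Mar  2 10:00:07 host sshd[1234]: Failed password for root from 203.0.113.7 port 2687 ssh2
Mar  2 10:00:09 host sshd[1234]: Failed password for root from 203.0.113.7 port 2687 ssh2
Mar  2 10:00:09 host sshd[1234]: Disconnecting: Too many authentication failures for root [preauth]
Mar  2 10:00:12 host sshd[1251]: Failed password for invalid user admin from 203.0.113.7 port 2701 ssh2
Mar  2 10:20:30 host sshd[1260]: Failed password for root from 198.51.100.9 port 1108 ssh2
Mar  2 10:21:00 host sshd[1270]: Accepted publickey for deploy from 192.0.2.44 port 50022 ssh2
"""


def parse_failed_login(line, year=2014):
    """Return (timestamp, user, ip, port) for a failed-password line, else None.
    The year is supplied by the caller because syslog timestamps omit it."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], int(m["port"])


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style sliding window: a source is banned once it reaches
    `maxretry` failures within `findtime`, however many separate connections
    (source ports) those failures were spread over. Returns {ip: ban_time}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:        # disconnect notices, accepted logins, etc.
            continue
        ts, _user, ip, _port = parsed
        if ip in banned:          # already banned; further lines are noise
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")   # the iptables step would go here
```

With maxretry=5 only 203.0.113.7 is banned (its fifth failure lands at 10:00:09); 198.51.100.9's two failures are twenty minutes apart, so the window has expired and it is left alone. That is the trade-off fail2ban's findtime/maxretry settings tune: short windows and low thresholds catch bots sooner but also lock out an admin who mistypes a passphrase a few times.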


(Jens Maier) #3

In general…

  • Move your public-facing SSH to some non-default port (option ListenAddress in /etc/ssh/sshd_config).
  • Disable root logins via SSH (option PermitRootLogin, same file).
  • Restrict SSH logins to administrative groups (option AllowGroups).
  • Disable password authentication, use public/private keys only (option PasswordAuthentication).
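Added example, not from the thread or from OpenSSH: a small audit of an sshd_config against the four points in the post above. The two config fragments are constructed (the post names the options but shows no file). The parser mirrors two sshd rules worth knowing when checking your own file: the first occurrence of a keyword wins, so a hardening line added at the bottom of a file that already sets the option earlier has no effect, and anything below a Match line is conditional rather than global. Port and ListenAddress may legitimately repeat; this audit only looks at the first:

```python
import re

# Constructed sshd_config fragments (assumption). sshd reads /etc/ssh/sshd_config.
WEAK_CONFIG = """\
# Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
AllowGroups sshadmins
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Minimal sshd_config reader returning {keyword_lower: value}.
    First occurrence of a keyword wins (later duplicates are ignored, as in
    sshd); parsing stops at the first Match line because values under it are
    conditional. 'Key value' and 'Key=value' forms are both accepted."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def _is_no(value):
    return value is not None and value.lower() == "no"


# One check per recommendation in the post: (keyword, passes?, advice).
# A missing Port means the default 22; a missing AllowGroups means no restriction.
CHECKS = [
    ("port", lambda v: v is not None and v != "22",
     "move sshd off the default port 22"),
    ("permitrootlogin", _is_no,
     "disable root logins over SSH"),
    ("allowgroups", lambda v: bool(v),
     "restrict logins to an administrative group"),
    ("passwordauthentication", _is_no,
     "disable password authentication, keys only"),
]


def audit_sshd_config(text):
    """Return one 'keyword=value: advice' string per failed check, [] if clean."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, passes, advice in CHECKS:
        value = cfg.get(key)
        if not passes(value):
            shown = "unset" if value is None else value
            findings.append(f"{key}={shown}: {advice}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. After changing the file, `sshd -t` checks the syntax before you reload, and keeping an existing session open while you test a new login from a second terminal avoids locking yourself out when PasswordAuthentication goes to no.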

(Tuan Anh Tran) #4

I already disable passwd auth and use key only. Would it be enough?


(Jens Maier) #5

Then it depends on the quality of the key and how securely you store it.

I’d still move SSH to another port. The maths behind public key authentication may be solid, but software has bugs and even OpenSSH has had a few security concerns – albeit none of them catastrophic – in its time.

