Prevent evil bots on the web from hacking the server

[mblomdahl]

I just logged in to the server, a 4-5 days since last time around, and what do I find..?

[me@hq ~]$ sudo su -
[sudo] password for me: 
Last login: Tue Jan  5 13:46:18 CET 2021 on pts/0
Last failed login: Sat Jan  9 11:10:05 CET 2021 from 106.12.107.252 on ssh:notty
There were 52366 failed login attempts since the last successful login.
[root@hq ~]# df -h
/.../

Over 50 k failed login attempts to root account in less than a week.

Can we please add some software to keep track of these bots and forbid them from touching our server?

(And what does everyone else use? "Audit-to-allow" or whatever it's called?)

[carlba]

fail2ban :)

[mblomdahl]

fail2ban :)

The more I read about it, the more non-standard and obscure it came across... The audit2allow seem a bit more legit, but kind of quirky as well. How about just changing the SSH port + ~/.ssh/config? Just did that, 0 failed login attempts since. 🙃 Will be interesting to see in 1 week how many found the right entry.

[carlba]

fail2ban is meant to be a set it and forget it solution they tend to be a bit "non standard". Achieving a similar behaviour without fail2ban would mean creating a "non standard" script that did the same thing :)

But changing SSH port in combination with disallowing root login and only allowing access through ssh keys should make the system just as secure.

[mblomdahl]

@carlba Yeah, that would be the case now -- only allowed to login as me or Victoria using SSH key, via secret port mapping in firewall. 🙃 Still haven't gotten a single failed login since the port change! ✨ 🦄