Is it normal to get hundreds of break-in attempts per day?

In today’s internet this is quite normal sadly. There are hordes of botnets trying to login to each server they find in whole IP networks. Typically, they use simple dictionary attacks on well-known accounts (like root or certain applications accounts).

The attack targets are not found via Google or DNS entries, but the attackers just try every IP address in a certain subnet (e.g. of known root-server hosting companies). So it doesn’t matter that your URL (hence the DNS entry) is rather obscure.

That’s why it is so important to:

  • disallow root-login in SSH (howto)
  • use strong passwords everywhere (also in your web applications)
  • for SSH, use public-key authentication if possible and disable password-auth completely (howto)

Additionally, you can install fail2ban which will scan the authlog and if it finds a certain amount of failed login attempts from an IP, it will proceed to add that IP to /etc/hosts.deny or iptables/netfilter in order to lock out the attacker for a few minutes.

In addition to the SSH attacks, it is also becoming common to scan your webserver for vulnerable web-applications (some blogging apps, CMSs, phpmyadmin, etc.). So make sure to keep those up-to-date and securely configured too!

Related Posts:

  1. How to check if an RSA public / private key pair match
  2. REJECT vs DROP when using iptables
  3. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  4. SSH from A through B to C, using private key on B [closed]
  5. mysql_config not found when installing mysqldb python interface
  6. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  7. Pseudo-terminal will not be allocated because stdin is not a terminal
  8. X11 forwarding request failed on channel 0
  9. mysql_config not found when installing mysqldb python interface
  10. Pseudo-terminal will not be allocated because stdin is not a terminal
  11. How to download a file from server using SSH?
  12. Explanation of polkitd Unregistered Authentication Agent
  13. connect to host localhost port 22: Connection refused
  14. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  15. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  16. How to configure WP filesystem access in Linux (Ubuntu Server)?
  17. WordPress sites being filled with random PHP files
  18. What permissions should my website files/folders have on a Linux webserver?
  19. Can I automatically add a new host to known_hosts?
  20. Can I nohup/screen an already-started process?
  21. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  22. How to reconnect to a disconnected ssh session
  23. how to disable SSH login with password for some users?
  24. Keeping a linux process running after I logout
  25. best way to clear all iptables rules
  26. How to handle security updates within Docker containers?
  27. how do you create an ssh key for another user?
  28. Does getting disconnected from an SSH session kill your programs?
  29. Tips for Securing a LAMP Server
  30. Can you have more than one ~/.ssh/config file?
  31. How to add a security group to a running EC2 Instance?
  32. Show all users and their groups/vice versa
  33. SSHFS mount that survives disconnect
  34. Heartbleed: how to reliably and portably check the OpenSSL version?
  35. Temporarily ignore my `~/.ssh/known_hosts` file?
  36. How can I fully log all bash scripts actions?
  37. What’s wrong with always being root?
  38. Hundreds of failed ssh logins
  39. protocol version mismatch — is your shell clean?
  40. What is the difference between /sbin/nologin and /bin/false?
  41. How do I grep recursively?
  42. -bash: syntax error near unexpected token `newline’ for display command
  43. SSH using python script
  44. Changing the resolution of a VNC session in linux
  45. Using putty to scp from windows to Linux
  46. How does “cat << EOF" work in bash?
  47. What is difference between arm64 and armhf?
  48. How to make and apply SVN patch?
  49. How to count lines in a document?
  50. What does `set -x` do?
  51. Can you Run Xcode in Linux?
  52. How to get the process ID to kill a nohup process?
  53. Writing a simple shell in C using fork/execvp
  54. Using ls to list directories and their total sizes
  55. tar: add all files and directories in current directory INCLUDING .svn and so on
  56. What does set -e mean in a bash script?
  57. Pipe to/from the clipboard in a Bash script
  58. what does -zxvf mean in tar -zxvf filename? 
  59. Retrieve last 100 lines logs
  60. Configuring Apache for localhost
  61. Android – Command not found
  62. How to use dos2unix?
  63. What does ‘bash -c’ do?
  64. How do I know the script file name in a Bash script?
  65. WordPress can’t find temporary folder, but folder it’s looking at has correct permissions
  66. enable SFTP via SSH keys in wordpress
  67. Can scp copy directories recursively?
  68. Copying a large directory tree locally? cp or rsync?
  69. What are the functional differences between .profile .bash_profile and .bashrc
  70. Check if port is open or closed on a Linux server?
  71. Why does my hostname appear with the address 127.0.1.1 rather than 127.0.0.1 in /etc/hosts?
  72. Linux command to inspect TXT records of a domain [closed]
  73. When does `cron.daily` run?
  74. How to run a command multiple times, using bash shell?
  75. What does a + mean at the end of the permissions from ls -l?
  76. How do I sleep for a millisecond in bash or ksh
  77. What does ‘set -e’ do, and why might it be considered dangerous?
  78. What version of RHEL am I using?
  79. What useful things can one add to one’s .bashrc? [closed]
  80. How do you make it obvious you are on a production system?
  81. How to add a timestamp to bash script log?
  82. How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?
  83. How to remove empty/blank lines from a file in Unix (including spaces)?
  84. Mount CIFS Host is down
  85. List of files installed from apt package
  86. How can I kill all stopped jobs?
  87. How to copy a large number of files quickly between two servers
  88. Allow SFTP but disallow SSH?
  89. How can I export the privileges from MySQL and then import to a new server?
  90. Is there a directory equivalent of /dev/null in Linux?
  91. Can I send some text to the STDIN of an active process running in a screen session?
  92. How can I get processor/RAM/disk specs from the Linux command Line? [duplicate]
  93. Is there a way to see the execution tree of systemd?
  94. How to determine the hostname from an IP address in a Windows network?
  95. create home directories after create users
  96. How do I redirect subdomains to a different port on the same server?
  97. Running Cron every 2 hours [duplicate]
  98. How to check the physical status of an ethernet port in Linux?
  99. What does “debconf: delaying package configuration, since apt-utils is not installed” mean?
  100. In Linux, what is the difference between “buffers” and “cache” reported by the free command?

Leave a Comment