I got a dedicated server from OVH.ca a couple of weeks ago now and installed CSF. Since getting the server, I am receiving notifications every few hours or so that XYZ IP address was trying to log in via SSH, portscanning, etc. The IP addresses are from all over the place (including USA, China, Canada, India, Korea, and Philippines) and seem to be from either compromised servers or cheap VPS providers. I have the root login disabled and I am considering changing the SSH port to something other than 22. I was wondering if this is normal for OVH.ca servers or is my IP address just being targeted for whatever reason?
It has nothing to do with ovh, it's random port scanning, and such.
Also you should change ssh port, this will remove lots of alerts in csf.
We have servers in different DCs and this happens in all of them.
Simply changing the SSH port stops most SSH login attempts dead; they all try on the default port. Cannot even remember the last time CSF alerted me about SSH. Of course this will not work if a person and not a bot is targeting your server, but hopefully this is obvious (and not the intended purpose of changing the port anyway).
Changing the SSH port number will resolve the issue.
You can allow a specific user to log in via SSH:
You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:
Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.
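
An added example, not part of any post in this thread: a shell check that reads an `sshd_config` and reports whether root login is refused, the port is moved off 22, and logins are limited to named users. It relies on sshd taking the first occurrence of a keyword, so a later `PermitRootLogin no` does not override an earlier `yes`. The file contents, port 2222 and the users `alice` and `backup` are constructed, and the default values passed in are assumptions about the installed OpenSSH version.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the posts discuss. File contents below are constructed samples.

# Print the effective global value of a keyword. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so scanning stops there. Only the
# whitespace-separated "Keyword value" form is handled; Include is not followed.
sshd_setting() {  # usage: sshd_setting <file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Report deviations from the thread's advice; return the number found.
audit_sshd() {  # usage: audit_sshd <file>
    n=0
    # Defaults are assumptions about the installed OpenSSH version.
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    port=$(sshd_setting "$1" Port 22)
    users=$(sshd_setting "$1" AllowUsers "")
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', expected 'no'"; n=$((n+1)); }
    [ "$port" != "22" ] || { echo "Port is the default 22"; n=$((n+1)); }
    [ -n "$users" ] || { echo "AllowUsers is not set globally"; n=$((n+1)); }
    return "$n"
}

weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
# constructed sample: the second PermitRootLogin line is ignored by sshd
Port 22
permitrootlogin yes
PermitRootLogin no
Match User backup
    AllowUsers backup
EOF
cat > "$hardened" <<'EOF'
# constructed sample
Port 2222
PermitRootLogin no
AllowUsers alice
EOF

echo "== weak ==";     audit_sshd "$weak"     || echo "findings: $?"
echo "== hardened =="; audit_sshd "$hardened" && echo "no findings"
```

On a live server, `sshd -T` prints the configuration the daemon actually resolves, including included files, and is the authoritative check after editing.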