So I've been getting this log watch from my server emailed to me on a daily basis. It gives me a list of all the authentication failures via SSH and other protocols. Should I be actively concerned that there are specific IP addresses consistently trying to access my SSH account? Likewise, for any type of failed login. Should I actively block their IP address from accessing the server at all?
I've also noticed in the Connections group, there's a lot of monitoringservice.net connections -- is this normal?
Just want to make sure I'm taking an active effort on preventing my server being brought down. I mean, I have 2000+ SSHd authentication failures... seems really high.
I've seen attempts in the tens of thousands and yes, they are normal. Just people running scripts to see if an easy-to-crack Server login is being used.
You should prevent direct 'root' login and using another port will cut down on login attempts as well.
The monitoringservice.net site seems to be a blank page. Although one of your Clients could be using it to monitor the Server, a site with no Web pages is not one I would prefer to be trying to access my Server.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available
You should really look into something like csf to automatically handle these types of things for you. This will automagically block individuals who try over X number of times without a password to log in.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!
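The per-IP threshold idea discussed in the replies above, as an added example that is not part of the original posts and is not how csf itself is implemented: a small Python parser that counts failed SSH password attempts per source address and lists the addresses that exceed a limit. The log lines are constructed samples in the usual OpenSSH syslog layout, and the function names and the default limit of 5 are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the usual OpenSSH syslog layout (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 04:11:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 04:11:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40118 ssh2
Mar  3 04:11:06 web1 sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40125 ssh2
Mar  3 04:11:08 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar  3 04:11:11 web1 sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Mar  3 04:11:13 web1 sshd[1211]: Failed password for root from 203.0.113.5 port 40147 ssh2
Mar  3 09:30:02 web1 sshd[2310]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 09:30:09 web1 sshd[2310]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 09:30:15 web1 sshd[2310]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 11:02:44 web1 sshd[2877]: Failed password for invalid user x from 10.0.0.1 port 22 ssh2 from 192.0.2.77 port 40200 ssh2
"""

# Greedy user group plus the end-of-line anchor: the address captured is always
# the last "from <ip> port <n> ssh2", so text inside a user name cannot replace it.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def failures_by_ip(log_text):
    """Return {ip: Counter of user names tried} for failed password lines."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            seen[m["ip"]][m["user"]] += 1
    return seen

# threshold is the "X" from the thread; the default of 5 is an arbitrary choice here.
def over_threshold(log_text, threshold=5):
    """IPs with more than `threshold` failures, worst first: (ip, total, root_tries)."""
    rows = []
    for ip, users in failures_by_ip(log_text).items():
        total = sum(users.values())
        if total > threshold:
            rows.append((ip, total, users["root"]))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, total, root_tries in over_threshold(SAMPLE_LOG):
        print(f"{ip}: {total} failures, {root_tries} against root")
```

On the sample, only the scripted source crosses the limit; the user who mistyped a password twice before logging in stays well below it, which is the reason for counting per address rather than reacting to every failure.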