New vServer - ssh login attempts every x seconds (DDoS?)


I’ve just purchased a new vServer - nothing done with it so far besides installing Hestia.
I’ve just looked into /var/log/auth.log and saw there are ssh login attempts nearly every 2-10 seconds (for 3 days now) :frowning:

Hestia installed fail2ban but I get this statistic - can this be correct after thousands and thousands of these attempts?

# fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     22
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     9
   `- Banned IP list:

P.S. “PasswordAuthentication” is set to “no” in my /etc/ssh/sshd_config file.

You may want to add a recidive rule, change the SSH port and enable the malicious IP filter

[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

You may also ban /24 instead of single IPs

in /etc/fail2ban/action.d/iptables-multiport.local and /etc/fail2ban/action.d/iptables-allports.local

[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype>


Use Ipset Blacklist


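To see how the attempts in /var/log/auth.log are distributed before banning whole /24 ranges as suggested above, this added example (not code from the thread or from fail2ban) tallies failed sshd connections per IP and per /24. The log lines are constructed, and the `min_hosts` threshold is an assumption.

```python
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# Pre-auth failure lines sshd writes for rejected or abandoned logins.
FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Invalid user \S* from "
    r"|(?:Connection closed by|Disconnected from) (?:authenticating|invalid) user \S* )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = """\
Mar  3 10:00:01 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 40000
Mar  3 10:00:01 vps sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 40000 [preauth]
Mar  3 10:00:04 vps sshd[1202]: Connection closed by authenticating user root 203.0.113.9 port 40022 [preauth]
Mar  3 10:00:07 vps sshd[1203]: Disconnected from invalid user test 203.0.113.77 port 51000 [preauth]
Mar  3 10:00:09 vps sshd[1204]: Accepted publickey for admin from 198.51.100.20 port 50000 ssh2
Mar  3 10:00:12 vps sshd[1205]: Connection closed by authenticating user root 192.0.2.10 port 33000 [preauth]
Mar  3 10:00:15 vps sshd[1206]: Connection closed by authenticating user root 203.0.113.9 port 40100 [preauth]
""".splitlines()

def tally(lines):
    """Count failed connections per IP and collect the distinct IPs per /24."""
    seen, per_ip, per_net = set(), Counter(), defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:  # octet > 255 in a damaged line
            continue
        if (m["pid"], ip) in seen:  # same sshd child logged twice for one connection
            continue
        seen.add((m["pid"], ip))
        per_ip[str(ip)] += 1
        per_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(str(ip))
    return per_ip, per_net

def subnet_candidates(per_net, min_hosts=3):
    """/24 ranges with at least min_hosts distinct failing IPs (threshold is an assumption)."""
    return {net: sorted(ips) for net, ips in per_net.items() if len(ips) >= min_hosts}

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    per_ip, per_net = tally(lines)
    print("top sources:", per_ip.most_common(5))
    print("/24 candidates:", subnet_candidates(per_net))
```

A /24 with only one offending address is a poor candidate for a range ban, since the other 255 addresses would be blocked with it.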
Ok - added both mentioned hints - will check over the next hours/days whether the ‘noise’ goes down.

To calm me down - those successful ones are ok and came from Hestia/cron?

Connection to SSH is already a session opening, so nothing special


Small update after a few hours now: ssh ‘noise’ went back to nearly zero :+1:

Thanks for your help @eris @jlguerrero

