# Getting hammered by invalid login attempts

## bravespear

I have been having this problem for several weeks now.  I have checked my /var/log/messages file and have been getting hammered with invalid username password guessing attacks.

```
Dec 12 01:12:23 gentoo-home sshd[29890]: Invalid user staff from 216.144.228.80
Dec 12 01:12:24 gentoo-home sshd[29895]: Invalid user sales from 216.144.228.80
Dec 12 01:12:25 gentoo-home sshd[29900]: Invalid user recruit from 216.144.228.80
Dec 12 01:12:26 gentoo-home sshd[29905]: Invalid user alias from 216.144.228.80
Dec 12 01:12:27 gentoo-home sshd[29910]: Invalid user office from 216.144.228.80
Dec 12 01:12:27 gentoo-home sshd[29915]: Invalid user samba from 216.144.228.80
Dec 12 01:12:28 gentoo-home sshd[29920]: Invalid user tomcat from 216.144.228.80
Dec 12 01:12:29 gentoo-home sshd[29925]: Invalid user webadmin from 216.144.228.80
Dec 12 01:12:30 gentoo-home sshd[29930]: Invalid user spam from 216.144.228.80
Dec 12 01:12:31 gentoo-home sshd[29935]: Invalid user virus from 216.144.228.80
Dec 12 01:12:32 gentoo-home sshd[29940]: Invalid user cyrus from 216.144.228.80
Dec 12 01:12:33 gentoo-home sshd[29945]: Invalid user oracle from 216.144.228.80
Dec 12 01:12:33 gentoo-home sshd[29950]: Invalid user michael from 216.144.228.80
Dec 12 01:12:34 gentoo-home sshd[29955]: Invalid user ftp from 216.144.228.80
Dec 12 01:12:35 gentoo-home sshd[29960]: Invalid user test from 216.144.228.80
Dec 12 01:12:36 gentoo-home sshd[29965]: Invalid user webmaster from 216.144.228.80
Dec 12 01:12:38 gentoo-home sshd[29975]: Invalid user postfix from 216.144.228.80
Dec 12 01:12:39 gentoo-home sshd[29980]: Invalid user postgres from 216.144.228.80
Dec 12 01:12:39 gentoo-home sshd[29985]: Invalid user paul from 216.144.228.80
Dec 12 01:12:41 gentoo-home sshd[29995]: Invalid user guest from 216.144.228.80
Dec 12 01:12:42 gentoo-home sshd[30000]: Invalid user admin from 216.144.228.80
Dec 12 01:12:43 gentoo-home sshd[30005]: Invalid user linux from 216.144.228.80
Dec 12 01:12:44 gentoo-home sshd[30010]: Invalid user user from 216.144.228.80
Dec 12 01:12:45 gentoo-home sshd[30015]: Invalid user david from 216.144.228.80
Dec 12 01:12:46 gentoo-home sshd[30020]: Invalid user web from 216.144.228.80
Dec 12 01:12:47 gentoo-home sshd[30025]: User apache not allowed because shell /usr/sbin/nologin does not exist
Dec 12 01:12:47 gentoo-home sshd[30030]: Invalid user pgsql from 216.144.228.80
Dec 12 01:12:48 gentoo-home sshd[30035]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Dec 12 01:12:49 gentoo-home sshd[30040]: Invalid user info from 216.144.228.80
Dec 12 01:12:50 gentoo-home sshd[30045]: Invalid user tony from 216.144.228.80
Dec 12 01:12:51 gentoo-home sshd[30050]: Invalid user core from 216.144.228.80
Dec 12 01:12:52 gentoo-home sshd[30055]: Invalid user newsletter from 216.144.228.80
Dec 12 01:12:53 gentoo-home sshd[30060]: Invalid user named from 216.144.228.80
Dec 12 01:12:54 gentoo-home sshd[30065]: Invalid user visitor from 216.144.228.80
Dec 12 01:12:54 gentoo-home sshd[30070]: Invalid user ftpuser from 216.144.228.80
Dec 12 01:12:55 gentoo-home sshd[30075]: Invalid user username from 216.144.228.80
Dec 12 01:12:56 gentoo-home sshd[30080]: Invalid user administrator from 216.144.228.80
Dec 12 01:12:57 gentoo-home sshd[30085]: Invalid user library from 216.144.228.80
Dec 12 01:12:58 gentoo-home sshd[30090]: Invalid user test from 216.144.228.80
Dec 12 01:13:04 gentoo-home sshd[30105]: Invalid user admin from 216.144.228.80
Dec 12 01:13:05 gentoo-home sshd[30110]: Invalid user guest from 216.144.228.80
Dec 12 01:13:05 gentoo-home sshd[30115]: Invalid user master from 216.144.228.80
Dec 12 01:13:14 gentoo-home sshd[30145]: Invalid user admin from 216.144.228.80
Dec 12 01:13:15 gentoo-home sshd[30150]: Invalid user admin from 216.144.228.80
Dec 12 01:13:15 gentoo-home sshd[30155]: Invalid user admin from 216.144.228.80
Dec 12 01:13:16 gentoo-home sshd[30160]: Invalid user admin from 216.144.228.80
Dec 12 01:13:19 gentoo-home sshd[30175]: Invalid user test from 216.144.228.80
Dec 12 01:13:20 gentoo-home sshd[30180]: Invalid user test from 216.144.228.80
Dec 12 01:13:21 gentoo-home sshd[30185]: Invalid user webmaster from 216.144.228.80
Dec 12 01:13:21 gentoo-home sshd[30190]: Invalid user username from 216.144.228.80
Dec 12 01:13:22 gentoo-home sshd[30195]: Invalid user user from 216.144.228.80
Dec 12 01:13:24 gentoo-home sshd[30205]: Invalid user admin from 216.144.228.80
Dec 12 01:13:25 gentoo-home sshd[30210]: Invalid user test from 216.144.228.80
Dec 12 01:13:28 gentoo-home sshd[30230]: Invalid user danny from 216.144.228.80
Dec 12 01:13:29 gentoo-home sshd[30235]: Invalid user alex from 216.144.228.80
Dec 12 01:13:30 gentoo-home sshd[30240]: Invalid user brett from 216.144.228.80
Dec 12 01:13:31 gentoo-home sshd[30245]: Invalid user mike from 216.144.228.80
Dec 12 01:13:32 gentoo-home sshd[30250]: Invalid user alan from 216.144.228.80
Dec 12 01:13:33 gentoo-home sshd[30255]: Invalid user data from 216.144.228.80
Dec 12 01:13:34 gentoo-home sshd[30260]: Invalid user www-data from 216.144.228.80
Dec 12 01:13:35 gentoo-home sshd[30265]: Invalid user http from 216.144.228.80
Dec 12 01:13:35 gentoo-home sshd[30270]: Invalid user httpd from 216.144.228.80
Dec 12 01:13:36 gentoo-home sshd[30275]: Invalid user pop from 216.144.228.80
Dec 12 01:13:39 gentoo-home sshd[30290]: Invalid user backup from 216.144.228.80
Dec 12 01:13:40 gentoo-home sshd[30295]: Invalid user info from 216.144.228.80
Dec 12 01:13:41 gentoo-home sshd[30300]: Invalid user shop from 216.144.228.80
Dec 12 01:13:42 gentoo-home sshd[30305]: Invalid user sales from 216.144.228.80
Dec 12 01:13:43 gentoo-home sshd[30310]: Invalid user web from 216.144.228.80
Dec 12 01:13:44 gentoo-home sshd[30315]: Invalid user www from 216.144.228.80
Dec 12 01:13:44 gentoo-home sshd[30320]: Invalid user wwwrun from 216.144.228.80
Dec 12 01:13:45 gentoo-home sshd[30325]: Invalid user adam from 216.144.228.80
Dec 12 01:13:46 gentoo-home sshd[30330]: Invalid user stephen from 216.144.228.80
Dec 12 01:13:47 gentoo-home sshd[30335]: Invalid user richard from 216.144.228.80
Dec 12 01:13:48 gentoo-home sshd[30340]: Invalid user george from 216.144.228.80
Dec 12 01:13:49 gentoo-home sshd[30345]: Invalid user john from 216.144.228.80
Dec 12 01:13:51 gentoo-home sshd[30355]: Invalid user angel from 216.144.228.80
Dec 12 01:13:52 gentoo-home sshd[30360]: Invalid user games from 216.144.228.80
Dec 12 01:13:52 gentoo-home sshd[30365]: Invalid user pgsql from 216.144.228.80
Dec 12 01:13:55 gentoo-home sshd[30380]: Invalid user ident from 216.144.228.80
Dec 12 01:13:56 gentoo-home sshd[30385]: Invalid user webpop from 216.144.228.80
Dec 12 01:13:57 gentoo-home sshd[30390]: Invalid user susan from 216.144.228.80
Dec 12 01:13:58 gentoo-home sshd[30395]: Invalid user sunny from 216.144.228.80
Dec 12 01:13:59 gentoo-home sshd[30400]: Invalid user steven from 216.144.228.80
Dec 12 01:14:00 gentoo-home sshd[30405]: Invalid user ssh from 216.144.228.80
Dec 12 01:14:00 gentoo-home sshd[30410]: Invalid user search from 216.144.228.80
Dec 12 01:14:01 gentoo-home sshd[30415]: Invalid user sara from 216.144.228.80
Dec 12 01:14:02 gentoo-home sshd[30420]: Invalid user robert from 216.144.228.80
Dec 12 01:14:03 gentoo-home sshd[30425]: Invalid user richard from 216.144.228.80
Dec 12 01:14:04 gentoo-home sshd[30430]: Invalid user party from 216.144.228.80
Dec 12 01:14:05 gentoo-home sshd[30435]: Invalid user amanda from 216.144.228.80
Dec 12 01:14:06 gentoo-home sshd[30440]: Invalid user rpm from 216.144.228.80
Dec 12 01:14:08 gentoo-home sshd[30450]: Invalid user sgi from 216.144.228.80
Dec 12 01:14:09 gentoo-home sshd[30455]: User sshd not allowed because shell /usr/sbin/nologin does not exist
Dec 12 01:14:10 gentoo-home sshd[30460]: Invalid user users from 216.144.228.80
Dec 12 01:14:11 gentoo-home sshd[30465]: Invalid user admins from 216.144.228.80
Dec 12 01:14:11 gentoo-home sshd[30470]: Invalid user admins from 216.144.228.80
Dec 12 01:14:19 gentoo-home sshd[30515]: Invalid user dean from 216.144.228.80
Dec 12 01:14:20 gentoo-home sshd[30520]: Invalid user unknown from 216.144.228.80
Dec 12 01:14:21 gentoo-home sshd[30525]: Invalid user securityagent from 216.144.228.80
Dec 12 01:14:22 gentoo-home sshd[30530]: Invalid user tokend from 216.144.228.80
Dec 12 01:14:23 gentoo-home sshd[30535]: Invalid user windowserver from 216.144.228.80
Dec 12 01:14:23 gentoo-home sshd[30540]: Invalid user appowner from 216.144.228.80
Dec 12 01:14:24 gentoo-home sshd[30545]: Invalid user xgridagent from 216.144.228.80
Dec 12 01:14:25 gentoo-home sshd[30550]: Invalid user agent from 216.144.228.80
Dec 12 01:14:26 gentoo-home sshd[30555]: Invalid user xgridcontroller from 216.144.228.80
Dec 12 01:14:27 gentoo-home sshd[30560]: Invalid user jabber from 216.144.228.80
Dec 12 01:14:28 gentoo-home sshd[30565]: Invalid user amavisd from 216.144.228.80
Dec 12 01:14:29 gentoo-home sshd[30570]: Invalid user clamav from 216.144.228.80
Dec 12 01:14:30 gentoo-home sshd[30575]: Invalid user appserver from 216.144.228.80
Dec 12 01:14:31 gentoo-home sshd[30580]: Invalid user mailman from 216.144.228.80
Dec 12 01:14:31 gentoo-home sshd[30585]: Invalid user cyrusimap from 216.144.228.80
Dec 12 01:14:32 gentoo-home sshd[30590]: Invalid user qtss from 216.144.228.80
Dec 12 01:14:33 gentoo-home sshd[30595]: Invalid user eppc from 216.144.228.80
Dec 12 01:14:34 gentoo-home sshd[30600]: Invalid user telnetd from 216.144.228.80
Dec 12 01:14:35 gentoo-home sshd[30605]: Invalid user identd from 216.144.228.80
Dec 12 01:14:36 gentoo-home sshd[30610]: Invalid user gnats from 216.144.228.80
Dec 12 01:14:37 gentoo-home sshd[30615]: Invalid user jeff from 216.144.228.80
Dec 12 01:14:37 gentoo-home sshd[30620]: Invalid user irc from 216.144.228.80
Dec 12 01:14:38 gentoo-home sshd[30625]: Invalid user list from 216.144.228.80
Dec 12 01:14:39 gentoo-home sshd[30630]: Invalid user eleve from 216.144.228.80
Dec 12 01:14:40 gentoo-home sshd[30635]: Invalid user proxy from 216.144.228.80
Dec 12 01:14:41 gentoo-home sshd[30640]: Invalid user sys from 216.144.228.80
Dec 12 01:14:42 gentoo-home sshd[30645]: Invalid user zzz from 216.144.228.80
Dec 12 01:14:43 gentoo-home sshd[30650]: Invalid user frank from 216.144.228.80
Dec 12 01:14:43 gentoo-home sshd[30655]: Invalid user dan from 216.144.228.80
Dec 12 01:14:44 gentoo-home sshd[30660]: Invalid user james from 216.144.228.80
Dec 12 01:14:45 gentoo-home sshd[30665]: Invalid user snort from 216.144.228.80
Dec 12 01:14:46 gentoo-home sshd[30670]: Invalid user radiomail from 216.144.228.80
Dec 12 01:14:47 gentoo-home sshd[30675]: Invalid user harrypotter from 216.144.228.80
Dec 12 01:14:48 gentoo-home sshd[30680]: Invalid user divine from 216.144.228.80
Dec 12 01:14:49 gentoo-home sshd[30685]: Invalid user popa3d from 216.144.228.80
Dec 12 01:14:50 gentoo-home sshd[30690]: Invalid user aptproxy from 216.144.228.80
Dec 12 01:14:51 gentoo-home sshd[30695]: Invalid user desktop from 216.144.228.80
Dec 12 01:14:52 gentoo-home sshd[30700]: Invalid user workshop from 216.144.228.80
Dec 12 01:14:52 gentoo-home sshd[30705]: Invalid user mailnull from 216.144.228.80
Dec 12 01:14:53 gentoo-home sshd[30710]: Invalid user nfsnobody from 216.144.228.80
Dec 12 01:14:54 gentoo-home sshd[30715]: Invalid user rpcuser from 216.144.228.80
Dec 12 01:14:55 gentoo-home sshd[30720]: Invalid user rpc from 216.144.228.80
Dec 12 01:14:56 gentoo-home sshd[30725]: Invalid user gopher from 216.144.228.80
```

This is just a small sample.  I get dictionary attacks hitting me every day for hours at a time.  I have a cable router with multiple ports forwarding to my internal gentoo box.  This PC only has 1 NIC.

What I would like to be able to do is have some firewall solution (perhaps iptables) to detect 5 invalid login attempts and then block the ip the attempts are coming from for a certain amount of time (somewhere between 30mins to 2 hours).  Anyone have any luck doing this?
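
As an added example (not code from the thread), the following Python script implements the detection the question asks for: it parses sshd "Invalid user" lines, bans a source after 5 attempts inside a 10-minute sliding window for one hour, and renders one iptables DROP rule per banned source. The sample log is constructed from the lines quoted above; the year (syslog omits it) and the extra source 198.51.100.7 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the sshd lines quoted above;
# 198.51.100.7 is a made-up low-volume source added for contrast.
SAMPLE_LOG = """\
Dec 12 01:12:23 gentoo-home sshd[29890]: Invalid user staff from 216.144.228.80
Dec 12 01:12:24 gentoo-home sshd[29895]: Invalid user sales from 216.144.228.80
Dec 12 01:12:25 gentoo-home sshd[29900]: Invalid user recruit from 216.144.228.80
Dec 12 01:12:26 gentoo-home sshd[29905]: Invalid user alias from 216.144.228.80
Dec 12 01:12:27 gentoo-home sshd[30025]: User apache not allowed because shell /usr/sbin/nologin does not exist
Dec 12 01:12:27 gentoo-home sshd[29910]: Invalid user office from 216.144.228.80
Dec 12 01:12:28 gentoo-home sshd[29915]: Invalid user samba from 216.144.228.80
Dec 12 01:12:30 gentoo-home sshd[29930]: Invalid user spam from 198.51.100.7
Dec 12 02:30:00 gentoo-home sshd[31000]: Invalid user root from 216.144.228.80
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_ts(ts, year=2006):
    # syslog omits the year, so one is assumed for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, threshold=5, window=timedelta(minutes=10),
              ban_for=timedelta(hours=1)):
    """Map ip -> ban expiry for sources reaching `threshold` invalid-user attempts
    in a sliding `window`; attempts during an active ban are skipped."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # other sshd messages are not counted as failures
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and ts < bans[ip]:
            continue              # the firewall would already be dropping this source
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()             # counting restarts once the ban expires
    return bans

def iptables_rules(bans, port=22):
    # one DROP rule per banned source; a cron job would remove it once the ban expires
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(bans)]
```

On the sample, only 216.144.228.80 is banned (from its fifth attempt at 01:12:27 until 02:12:27); the single attempt from 198.51.100.7 and the one after the ban expired do not reach the threshold.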

----------

## Bobnoxous

I use denyhosts. It does an excellent job of blocking repeated login attempts.

----------

## magic919

https://forums.gentoo.org/viewtopic-t-421706-highlight-ssh.html

----------

## pteppic

*magic919 wrote:*

> https://forums.gentoo.org/viewtopic-t-421706-highlight-ssh.html

I use this method (albeit tweaked a bit), it's really solid.

----------

## bravespear

That is exactly what I have been looking for! You guys are great!

----------

## bravespear

Took a little tweaking but this does exactly what I want it to and performs like a champion.

You guys are awesome.  I just hope that someday I will be able to help the newbies out, instead of being one myself.

----------

## mackerel

besides denyhost, I set my port to < 2000

as it is a non-standard port, I have never had an attempt on it.

you can set this in sshd.conf and ssh blahblah -p 2000

----------

## bunder

there's also fail2ban.

----------

## krolden

public key would solve the matter.

Putting the server on a different port would aid in getting build up in your log files.

----------

## dewke

Normally I don't agree with changing ports on services, but in the case of SSH I'm guilty of moving the service.  Since I don't allow any external hosts to connect to the SSH daemon on my firewall, I use NAT to redirect a high port on my firewall to the internal host that I allow SSH to.   Then I just allow specific external hosts to connect to the high port.  I drop all connections to tcp/22 on my firewall and don't bother to log them.

----------

## col

run your ssh server on a port other than 22 .... this will stop 99.99% of them

----------

