A maintenance event to our servers or software is in progress. It may not affect you. Select the link on the right for details. Learn more

  Tag Cloud

contact form 7 Email imap letsencrypt nodejs outlook prefix REST API security TLS troubleshooting web applications web server wordpress wp-json

  Support

Support Tickets
Latest News
Knowledge Base
System Status
Create Support Ticket

SSH: There were X failed login attempts since the last successful login. Print

  • 14

Problem Description

You receive an alert when logging in to your VPS via shell indicating: There were X failed login attempts since the last successful login. (Where X could be dozens, hundreds, or thousands of failed login attempts)

This is fairly normal for any machine running SSHd connected to the Internet with hundreds of thousands of rogue bots on the Internet regularly attempting to obtain access to more servers. If you keep SSHd updated regularly and you only use secure passwords (e.g.: longer than 20 randomly generated characters), then you should not require any further protection. However below we'll describe some methods that you can use to further protect against unauthorized logins.

If you have other servers that do not show this information it could be because the datacentre has altered their CentOS MOTD to prevent showing that info, it could be because they default to key based authentication (more info on that below), or it could be because it uses a different Linux distribution that doesn't show this info at all.

Problem Resolution

There are a number of ways to protect your SSH daemon from unauthorized login attempts. You could:

  1. Switch to using SSH keys and no longer accept login via password at all.
  2. Change the default port for SSHd from 22 to another port like 2222. Although this is more obfuscation than actual security improvement, it'll likely reduce the overall number of attempts from simple automated bots. A more sophisticated attack would simply scan for open ports and find your new SSHd port quite easily.
  3. Install fail2ban and enable its automatic detection of multiple failed logins using SSH so that it blocks repeated attempts. If using firewalld on CentOS 8 or CentOS 7, see below.

Installing and configuring fail2ban on CentOS 7/8 with firewalld

Note: this is built in to Plesk and it will configure it to use iptables rather than firewalld. If using Plesk, enable it using this guide instead.

dnf install epel-release
dnf install fail2ban
echo '
[sshd] 
enabled = true
' > /etc/fail2ban/jail.local
systemctl restart fail2ban

To see the status, there's various options with differing levels of detail:

systemctl status fail2ban
fail2ban-client status
fail2ban-client status sshd

To unban an IP:

fail2ban-client unban 192.168.56.1

Was this answer helpful?

Related Articles

How do I block entire countries? Problem Description You wish to block an entire country or multiple countries You see traffic... What is the impact of enabling PCI Compliance? And what should I watch out for with PCI scans? Overview PCI Compliance is a security enforcement practice that ensures best practices of...
← Back

  Tag Cloud

contact form 7 Email imap letsencrypt nodejs outlook prefix REST API security TLS troubleshooting web applications web server wordpress wp-json

  Support

Support Tickets
Latest News
Knowledge Base
System Status
Create Support Ticket