Semi-Newbie, first-time poster here...
I manage a linux server that faces the public Internet. Every day there are thousands-upon-thousands of SSH login attempts on the "root" account (40,000 in the last several days). Within that sample are about 600 unique IPs that are attempting to brute-force my root account. Most of these IPs are on separate subnets. Almost all of the IPs are from outside my country (U.S.).
For various reasons I have chosen not to disable SSH login on this server. I have changed the default SSH port, but know that this is a relatively futile masquerade for someone who's hell-bent on hacking into the host.
I've attempted various methods at thwarting brute-force attacks via IPTABLES and CSF, but given the sheer magnitude of IPs and associated subnets from which the login attempts are coming I've found my efforts to be futile.
The password for the root account is semi-complex using UPPERCASE, lowercase, numbers, and symbol characters. It would not be included in any dictionaries. A hacker would need to attempt a maximum of 6,704,780,954,517,120 password combinations before a successful login. Websites that calculate such things tell me that it could take several centuries for someone to brute-force my root password.
So my questions, finally, are...
- Do I actually have a need to be concerned about all these attempts at hacking 'root', or can I pretty much ignore them considering the sheer magnitude/time it would take to successfully guess the password?
- By leaving my server open to SSH login attempts, what other problems/downsides am I potentially not considering (like additional server load)?
- What are recommended ways to limit SSH logins to specific geographies/countries?
Joe
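An added example, not code from Joe's post or from any reply in this thread: a small Python script that tallies the failed root logins an sshd auth log records per source address, attributes each address to a country, rolls the counts up per country, and emits the ipset/iptables commands that would restrict the SSH port to chosen countries and rate-limit new connections from the rest. The log lines, the prefix-to-country table (a stand-in for a real GeoIP database), the country codes XA/XB and the port number 2222 are all constructed for this example.

```python
"""
Added example, not code from Joe's post or from any reply: tally failed root
logins per source address, attribute each address to a country, and emit the
ipset/iptables commands that would limit the SSH port to chosen countries.
The log lines, the prefix-to-country table and port 2222 are constructed here.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format OpenSSH writes through syslog. Addresses are
# the RFC 5737 documentation ranges and RFC 1918 space, not real attackers.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 04:12:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 04:12:05 host sshd[2107]: Failed password for invalid user admin from 198.51.100.9 port 40211 ssh2
Mar  3 04:12:09 host sshd[2110]: Failed password for root from 198.51.100.9 port 40215 ssh2
Mar  3 04:12:11 host sshd[2115]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 04:13:40 host sshd[2120]: Accepted publickey for joe from 192.168.1.10 port 52000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Hypothetical country assignments (XA/XB are ISO 3166 user-assigned codes, so
# they name no real country). A real deployment would consult a GeoIP database.
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("192.168.0.0/16"): "US",
}


def failed_logins(log_text):
    """Yield (user, source_ip) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def root_attempts_by_ip(log_text):
    """Count failed root logins per source address (other users are ignored)."""
    return Counter(ip for user, ip in failed_logins(log_text) if user == "root")


def country_of(ip, table=PREFIX_COUNTRY):
    """Longest-prefix lookup; '??' when the address is in no known prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def root_attempts_by_country(log_text, table=PREFIX_COUNTRY):
    """Roll the per-IP counts up to countries."""
    by_country = Counter()
    for ip, n in root_attempts_by_ip(log_text).items():
        by_country[country_of(ip, table)] += n
    return by_country


def allowlist_rules(port, allowed, table=PREFIX_COUNTRY, setname="ssh_allow"):
    """Build ipset/iptables commands that admit the SSH port only from the
    `allowed` countries and rate-limit new connections from those sources."""
    rules = [f"ipset create {setname} hash:net -exist"]
    rules += [f"ipset add {setname} {net} -exist"
              for net, cc in table.items() if cc in allowed]
    rules += [
        f"iptables -A INPUT -p tcp --dport {port} -m set ! --match-set {setname} src -j DROP",
        # Even allowed sources get at most 4 new connections per minute.
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --set --name SSH",
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP",
    ]
    return rules


def years_to_exhaust(keyspace, attempts_per_day):
    """Years needed to try every password at the observed guessing rate."""
    return keyspace / attempts_per_day / 365.25


if __name__ == "__main__":
    for ip, n in root_attempts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:16} {country_of(ip):3} {n} failed root logins")
    print(dict(root_attempts_by_country(SAMPLE_LOG)))
    print("\n".join(allowlist_rules(2222, {"US"})))
    print(f"{years_to_exhaust(6_704_780_954_517_120, 8_000):.0f} years at 8,000 guesses/day")
```

The script only prints the ipset/iptables commands; nothing is applied to a live firewall, so the generated lines can be reviewed before being run on the host. The country table is a placeholder with four prefixes, and the `years_to_exhaust` figure measures exhaustive search at a fixed guess rate only; it says nothing about guesses drawn from breached-password lists or about weaknesses in the SSH daemon itself.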