If your server is online and reachable from the Internet, it is probably already being brute-forced by someone. This means that someone is running a script that tries to guess your root password so they can use your hardware for their own benefit.
I ran into this problem recently, just weeks after publishing my website. You can see this from your ‘auth.log’:
Sep 17 19:22:19 metsanheimo sshd[32610]: Failed password for root from 43.229.53.31 port 28388 ssh2
Sep 17 19:22:23 metsanheimo sshd[32610]: message repeated 2 times: [ Failed password for root from 43.229.53.31 port 28388 ssh2]
Sep 17 19:22:23 metsanheimo sshd[32610]: Received disconnect from 43.229.53.31: 11: [preauth]
Sep 17 19:22:23 metsanheimo sshd[32610]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.31 user=root
Sep 17 19:22:26 metsanheimo sshd[32616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.31 user=root
Sep 17 19:22:28 metsanheimo sshd[32616]: Failed password for root from 43.229.53.31 port 48391 ssh2
Sep 17 19:22:33 metsanheimo sshd[32616]: message repeated 2 times: [ Failed password for root from 43.229.53.31 port 48391 ssh2]
Sep 17 19:22:33 metsanheimo sshd[32616]: Received disconnect from 43.229.53.31: 11: [preauth]
Sep 17 19:22:33 metsanheimo sshd[32616]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.31 user=root
Sep 17 19:22:35 metsanheimo sshd[32618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.31 user=root
Sep 17 19:22:37 metsanheimo sshd[32618]: Failed password for root from 43.229.53.31 port 12230 ssh2
Sep 17 19:22:41 metsanheimo sshd[32618]: message repeated 2 times: [ Failed password for root from 43.229.53.31 port 12230 ssh2]
Sep 17 19:22:41 metsanheimo sshd[32618]: Received disconnect from 43.229.53.31: 11: [preauth]
Sep 17 19:22:41 metsanheimo sshd[32618]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.31 user=root
Here you can see that there are several login attempts from the same IP address ‘43.229.53.31’ within the same minute (and more attempts than the ones listed above). If they keep this up for three years and you don’t have a decent password, they might even pull it off.
To stop this spam I came across a package called ‘fail2ban’. With its default settings, this package blocks the attacker’s IP address for 10 minutes (600 seconds) after five failed SSH login attempts.
Installing fail2ban
It’s simple:
sudo apt-get update
sudo apt-get install fail2ban
It works right out of the box! You can check out the logs at ‘/var/log/fail2ban’. The file jail.log shows the most important actions.
If you want to configure the package, you need to copy the conf file like this:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then you can go ahead and change the maximum number of attempts or the ban time in the ‘jail.local’ file.
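As an added illustration (this is not fail2ban’s own code), here is a small Python script that applies the same counting rule to auth.log lines like the ones shown above: an IP is banned once it reaches maxretry failures inside a findtime window, using fail2ban’s defaults of 5 attempts and 600 seconds. The log lines are constructed in the format of the excerpt, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the auth.log excerpt above (not a real capture):
# one host spreading five attempts over 12 minutes, one host hammering root within
# a minute, and one single failure.
SAMPLE_LOG = """\
Sep 17 19:00:00 metsanheimo sshd[32500]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 17 19:03:00 metsanheimo sshd[32501]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 17 19:06:00 metsanheimo sshd[32502]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 17 19:09:00 metsanheimo sshd[32503]: Failed password for root from 198.51.100.7 port 40004 ssh2
Sep 17 19:12:00 metsanheimo sshd[32504]: Failed password for root from 198.51.100.7 port 40005 ssh2
Sep 17 19:22:19 metsanheimo sshd[32610]: Failed password for root from 43.229.53.31 port 28388 ssh2
Sep 17 19:22:23 metsanheimo sshd[32610]: message repeated 2 times: [ Failed password for root from 43.229.53.31 port 28388 ssh2]
Sep 17 19:22:28 metsanheimo sshd[32616]: Failed password for root from 43.229.53.31 port 48391 ssh2
Sep 17 19:22:33 metsanheimo sshd[32616]: message repeated 2 times: [ Failed password for root from 43.229.53.31 port 48391 ssh2]
Sep 17 19:22:37 metsanheimo sshd[32618]: Failed password for root from 43.229.53.31 port 12230 ssh2
Sep 17 19:40:00 metsanheimo sshd[32700]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches a plain "Failed password" line or the syslog "message repeated N times" form.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:message repeated (?P<n>\d+) times: \[ )?"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)

def find_bans(log_text, maxretry=5, findtime=600, year=2000):
    """Return {ip: timestamp} for hosts that reach `maxretry` failures within any
    `findtime`-second window (fail2ban's sshd jail defaults). syslog has no year,
    so `year` is an assumption; 2000 is a leap year so "Feb 29" still parses."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    window = timedelta(seconds=findtime)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in bans:   # unrelated line, or host already banned
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        count = int(m["n"]) if m["n"] else 1   # "repeated N times" counts N failures
        q = recent[m["ip"]]
        q.extend([ts] * count)
        while q and ts - q[0] > window:        # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = ts.strftime("%b %d %H:%M:%S")
    return bans
```

With the defaults, only 43.229.53.31 gets banned (at 19:22:33); the slow host stays under the threshold because its oldest attempt falls out of the 600-second window, which is exactly why findtime matters alongside maxretry.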