
Is it normal to get hundreds of break-in attempts per day?

199 points, by splattne, about 14 years ago

20 comments

jamroom, about 14 years ago
You can eliminate 99% of these attempted logins by changing your SSH port from the standard 22 to something else (say 2177 or whatever). Log in as root (or su), open the /etc/ssh/sshd_config file and change the port number. Save your changes and restart ssh with "/etc/init.d/ssh restart" and you are good to go. You'll want to update any SSH clients you use to use the proper port (-p option on the command line). Hope this helps!
epenn, about 14 years ago
My home firewall catches 20-25 failed login attempts per day, all of which seem to originate in China. I'm tempted to set up a honeypot that'll show a fake bash prompt just to see what gets thrown at it. Naturally I assume there is an elite international force that will stop at nothing to break in and steal the larger original jpegs of my Facebook photos as well as all of my college homework. I'm on to you, elite international force!
fretlessjazz, about 14 years ago
I run Rails and became tired of seeing 404s to standard ASP or PHP software (such as phpmyadmin), so I added this to our Apache conf:

```apache
RewriteRule \.(asp|aspx|php|jsp)$ - [F,L,NC]
RewriteRule (w00tw00t) - [F,L,NC]
RewriteRule (phpmyadmin) - [F,L,NC]
RewriteRule (php-my-admin) - [F,L,NC]
```

That cuts off those requests before they hit a Rails process and suck up any additional resources.
bediger, about 14 years ago
I'm too lazy and too stupid to put in denyhosts or any of the other anti-guessing software, but I have put in a 7-second delay on password-authenticated SSH logins, as per http://www.aerospacesoftware.com/howtos/ssh-kiddies.html. That makes my sshd less a honeypot and more a tarpit.

I also put in an output line so I can see what passwords they're guessing.
njharman, about 14 years ago
I'd say hundreds is not normal. It is an order of magnitude too low.
ck2, about 14 years ago
You MUST try the free and awesome ConfigServer firewall:

http://configserver.com/cp/csf.html

It's fantastic. Among a million other things, it monitors logs for several kinds of failed login attempts and can automagically ban them via iptables (with timeouts if you so desire).

Be sure to donate to keep this fantastic software alive if you use it.
tcopeland, about 14 years ago
As some of the commenters on serverfault suggested, the easiest fix is to just disable password auth in sshd_config. No need to fool with denyhosts' whitelisting and whatnot, just use public key auth only.
mike-cardwell, about 14 years ago

```shell
sudo apt-get install denyhosts
```

Job done.
jarin, about 14 years ago
If you're running a Rails server on Ubuntu, protecting your server is as simple as deploying your app with Moonshine, with the ssh, iptables, and denyhosts plugins.

It requires maybe 7-10 lines of configuration to have a fairly well-insulated system:

```yaml
# config/moonshine.yml
:ssh:
  :port: 9024
  :allow_users:
    - rails
```

```ruby
# app/manifests/application_manifest.rb
configure({
  :denyhosts => {
    :admin_email => 'admin@example.com'
  }
})

recipe :ssh
recipe :iptables
recipe :denyhosts
```
idm, about 14 years ago
Use a VPN (openvpn), and attach sshd to your VPN subnet instead of using 0.0.0.0 or your publicly routable IP. This is also great for any other services you might want to administer remotely. It's normal to bind your database/cache to 127.0.0.1, but you can also bind to an IP in your VPN subnet, which makes it a little easier than tunneling through SSH to access your database.
mbailey, about 14 years ago
Yes. And I'm sure it's been said: fail2ban
maratd, about 14 years ago
There are really two issues here. One is SSH and the other is HTTP.

SSH is easy. Get a static IP or figure out the IP range for your ISP. Drop any connection not in that IP range using iptables on that port. Done.

HTTP requires more creativity. It really depends on how you have things set up. I have a honeypot default vhost on Apache. If you enter just the IP address for the server, you get the honeypot. That's what most of these bots will hit. The 404 errors caused are very annoying and mess up the logs. On the honeypot, I have a RewriteRule that rewrites anything that would cause a 404 to index.html, which is a blank page.
kristofferR, about 14 years ago
I've noticed this too. Almost immediately after I signed up and created a hosting account with KnownHost, the hacking attempts started, even before I had logged in to cPanel for the first time.

I got an automated email every time somebody failed to log in, so my iPhone was plinging every few seconds for 30 minutes before I added a filter in Gmail to mark those mails as read. I've since installed fail2ban.
eli, about 14 years ago
I've got a script set up to scan my logs and temporarily ban clearly malicious IPs. It finds a few hundred new ones each day.
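The log-scanning, temporary-ban approach that eli, mbailey (fail2ban) and mike-cardwell (denyhosts) describe, written here as an added example; it is not eli's script or the fail2ban code. It parses constructed sshd log lines (not from the thread), counts failures per source IP within a sliding window, and returns when each ban would expire. The parameter names maxretry, findtime and bantime borrow fail2ban's vocabulary but the policy below is my own simplification.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the thread). Syslog omits the
# year, so parse_failures() pins it explicitly.
SAMPLE_LOG = """\
Mar  7 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar  7 10:00:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 4030 ssh2
Mar  7 10:00:04 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 4041 ssh2
Mar  7 10:00:09 host sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 4055 ssh2
Mar  7 10:00:10 host sshd[2105]: Accepted publickey for rails from 198.51.100.7 port 51022 ssh2
Mar  7 10:01:00 host sshd[2106]: Failed password for root from 198.51.100.9 port 3311 ssh2
Mar  7 10:30:00 host sshd[2107]: Failed password for root from 198.51.100.9 port 3320 ssh2
Mar  7 11:20:00 host sshd[2109]: Failed password for root from 198.51.100.9 port 3340 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2011):
    """Yield (timestamp, ip, user) for every sshd failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bans(failures, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Sliding-window policy: an IP that fails maxretry times within findtime
    is banned for bantime. Returns {ip: ban_expiry}. Slow guessing spread
    out below that rate is left alone, which is why the window size matters."""
    recent = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}                    # ip -> datetime the ban expires
    for ts, ip, _user in sorted(failures):
        if ip in bans and ts < bans[ip]:
            continue  # still banned; a firewall rule would drop this anyway
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            recent[ip] = []      # start fresh once the ban lifts
        else:
            recent[ip] = window
    return bans
```

In a real deployment the returned addresses would be handed to iptables (or whatever firewall the box runs) and removed again once the expiry passes.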
aquarin, about 14 years ago
I have thousands of attempts at my nginx server, mostly from China, and most of them are checking for a free proxy server. I am even convinced it is some sort of automatic software scanning IP ranges for proxies. Freedom is difficult in some countries.
yalogin, about 14 years ago
For SSH break-in attempts an easier solution would be to use a random (at least alphanumeric) userid. These dictionary-based attacks only use standard, most generic login ids.
sucuri2, about 14 years ago
OSSEC (open source) is very good at blocking those. It looks at all your logs and blocks brute forces via SSH, HTTP, etc...

Link: http://ossec.net
Vivtek, about 14 years ago
Yes.

Well - actually, no. Mere hundreds are kind of abnormally low.
wingo, about 14 years ago
I went to look at my logs and realized I forgot both my own and root's password on my linode. Doh!
bkaid, about 14 years ago
I created a free test server on Windows Azure a few weeks ago with remote desktop access enabled and had failed login attempts within 2 minutes of the server going live, without publishing the IP address or DNS name anywhere.