I'd like to see if somebody has been trying to log in by brute force into my Ubuntu 12.04 server over SSH. How can I see if such activities have been taking place?
All login attempts are logged to /var/log/auth.log.
1. Filter for brute-force interactive SSH logins
Open a terminal and type the command below; if the output is longer than one page you will be able to scroll up and down; type q to exit:
grep 'sshd.*Failed' /var/log/auth.log | less
Here's a real example from one of my Ubuntu servers:
Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2
2. Look for failed connections (i.e. no login attempted; could be a port scanner, etc.):
Use this command:
grep 'sshd.*Did' /var/log/auth.log | less
Example:
Aug 5 22:19:10 izxvps sshd[7748]: Did not receive identification string from 70.91.222.121
Aug 10 19:39:49 izxvps sshd[1919]: Did not receive identification string from 50.57.168.154
Aug 13 23:08:04 izxvps sshd[3562]: Did not receive identification string from 87.216.241.19
Aug 17 15:49:07 izxvps sshd[5350]: Did not receive identification string from 211.22.67.238
Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10
How to reduce failed/brute-force login attempts
· Try switching your SSH to a non-standard port from the default 22.
· Fail2ban. Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken, such as banning an IP using iptables or hosts.deny rules, or simply sending a notification email. By default it comes with filter expressions for various services (sshd, apache, qmail, proftpd, sasl, etc.), but the configuration can easily be extended to monitor any other text file. All filters and actions are given in the config files, thus fail2ban can be adapted for use with a variety of files and firewalls.
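The two grep steps above show you the raw lines; what you usually want next is a per-source summary so the noisy addresses stand out. The script below is an added example, not part of the question or the answer above: it defines three small functions that count "Failed password" lines per source IP, list the usernames that sshd reported as invalid (non-existent accounts are a strong sign of dictionary attacks), and count "Did not receive identification string" probes per IP. The sample log it runs against is constructed for the example (it reproduces the answer's lines plus a second probe and one successful public-key login, so you can see that the latter is correctly ignored); the function names and the temp-file handling are this example's own choices.

```shell
#!/bin/sh
# Added example: summarise sshd brute-force activity from an auth.log.
# Not part of the original answer. Each function reads the file given as
# its first argument and defaults to /var/log/auth.log.

# Count "Failed password" attempts per source IP, busiest address first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "${1:-/var/log/auth.log}" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# List usernames that sshd flagged as "invalid user" (accounts that do not
# exist on this host), with how often each was tried.
invalid_users() {
    grep 'sshd\[[0-9]*\]: Failed password for invalid user' "${1:-/var/log/auth.log}" \
      | sed -n 's/.*invalid user \([^ ]*\) from .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Count connections that never sent an SSH banner (scanners, probes) per IP.
no_ident_by_ip() {
    grep 'Did not receive identification string' "${1:-/var/log/auth.log}" \
      | sed -n 's/.*string from \([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Return only the IP with the most failed passwords, for quick triage.
top_offender() {
    failed_by_ip "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample log (the answer's lines plus three made-up ones) so the
# script runs offline; point the functions at /var/log/auth.log for real use.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2
Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10
Aug 19 06:28:50 izxvps sshd[5840]: Did not receive identification string from 59.151.37.10
Aug 19 07:00:01 izxvps sshd[5901]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
EOF
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
write_sample_log "$SAMPLE_LOG"

echo "== failed passwords per IP =="
failed_by_ip "$SAMPLE_LOG"
echo "== invalid usernames tried =="
invalid_users "$SAMPLE_LOG"
echo "== no identification string per IP =="
no_ident_by_ip "$SAMPLE_LOG"
echo "== top offender: $(top_offender "$SAMPLE_LOG") =="
```

Run it as a normal user against the sample, or as root (auth.log is not world-readable) with `failed_by_ip /var/log/auth.log`. Remember that logrotate moves older entries to /var/log/auth.log.1 and compressed auth.log.N.gz files, so for a full picture feed those in too (`zcat /var/log/auth.log.*.gz | failed_by_ip /dev/stdin`). The counts are per source address only because that is what these log lines carry; a distributed attack that spreads one or two attempts across many addresses will not rise to the top of this list, which is one reason to pair the check with fail2ban rather than rely on eyeballing alone.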