OCI-How to mitigate brute force ssh attempts to the Oracle Cloud Infrastructure Oracle Linux Instance (Doc ID 2498768.1)

Last updated on MARCH 12, 2021

Applies to:

Oracle Cloud Infrastructure - Version N/A to N/A [Release 1.0]
Information in this document applies to any platform.

Symptoms

The /var/log/secure file contains a large number of failed login attempts, such as the following:

Jan 25 01:37:27 <_HOST_> sshd[21819]: Invalid user <USER1> from xxx.xxx.xxx.xxx port 57770
Jan 25 01:37:27 <_HOST_> sshd[21819]: input_userauth_request: invalid user <USER1> [preauth]
Jan 25 01:37:27 <_HOST_> sshd[21819]: Received disconnect from xxx.xxx.xxx.xxx port 57770:11: Bye Bye [preauth]
Jan 25 01:37:27 <_HOST_> sshd[21819]: Disconnected from xxx.xxx.xxx.xxx port 57770 [preauth]
Jan 25 01:37:33 <_HOST_> sshd[21824]: Invalid user <USER2> from x.x.x.x port 46514
Jan 25 01:37:33 <_HOST_> sshd[21824]: input_userauth_request: invalid user <USER2> [preauth]
Jan 25 01:37:33 <_HOST_> sshd[21824]: Received disconnect from x.x.x.x port 46514:11: Bye Bye [preauth]
Jan 25 01:37:33 <_HOST_> sshd[21824]: Disconnected from x.x.x.x port 46514 [preauth]
Jan 25 01:37:35 <_HOST_> sshd[21822]: Invalid user <USER3> from xx.xx.xx.xx port 56374
Jan 25 01:37:35 <_HOST_> sshd[21822]: input_userauth_request: invalid user <USER3> [preauth]
Jan 25 01:37:35 <_HOST_> sshd[21822]: Connection closed by xx.xx.xx.xx port 56374 [preauth]
Jan 25 01:38:02 <_HOST_> sshd[21829]: Invalid user <USER4> from xx.xx.xx.xx port 58642
Jan 25 01:38:02 <_HOST_> sshd[21829]: input_userauth_request: invalid user <USER4> [preauth]
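
One way to quantify the pattern in the excerpt above, as an added example that is not part of the Oracle document: the script counts sshd "Invalid user" lines per source address and reports sources at or above a threshold. The sample lines, host name and addresses (documentation ranges) are constructed, and the threshold of 3 is an assumption.

```python
import re
import sys
from collections import defaultdict

# Matches the sshd "Invalid user ... from ... port ..." syslog line only.
# The paired "input_userauth_request: invalid user" line is deliberately not
# matched, so each attempt is counted once. The user name is chosen by the
# remote client and may contain spaces or " from ", so it is matched lazily
# and the source/port are anchored to the end of the line.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>.*?) from (?P<src>\S+) port \d+\s*$"
)

# Constructed sample in the format of /var/log/secure (not real data).
SAMPLE = """\
Jan 25 01:37:27 host1 sshd[21819]: Invalid user admin from 192.0.2.10 port 57770
Jan 25 01:37:27 host1 sshd[21819]: input_userauth_request: invalid user admin [preauth]
Jan 25 01:37:33 host1 sshd[21824]: Invalid user test from 192.0.2.10 port 46514
Jan 25 01:37:35 host1 sshd[21822]: Invalid user oracle from 198.51.100.7 port 56374
Jan 25 01:38:02 host1 sshd[21829]: Invalid user x from 10.0.0.1 from 192.0.2.10 port 58642
Jan 25 01:38:05 host1 sshd[21830]: Accepted publickey for opc from 203.0.113.5 port 40222 ssh2
""".splitlines()


def summarize(lines, threshold=3):
    """Return per-source stats for sources with >= threshold invalid-user attempts."""
    stats = defaultdict(
        lambda: {"attempts": 0, "users": set(), "first": None, "last": None}
    )
    for line in lines:
        m = INVALID_USER.match(line)
        if m is None:
            continue
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["first"] = s["first"] or m["ts"]  # timestamp of first attempt seen
        s["last"] = m["ts"]                 # timestamp of latest attempt seen
    return {src: s for src, s in stats.items() if s["attempts"] >= threshold}


if __name__ == "__main__":
    # With a path argument, read that log file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE
    for src, s in sorted(summarize(lines).items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{src}: {s['attempts']} attempts, {len(s['users'])} user names, "
              f"{s['first']} .. {s['last']}")
```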

 

Cause


In this Document
Symptoms
Cause
Solution
 Harden ssh on the instance
 Use TCP Wrappers
 Use Netfilter and IPtables
