How to prevent bombardment of hack attempts on VPS
Ever since I bought a VPS, I have been receiving emails like those shown below since day one, every single day. I was wondering if this is really normal. Is there any way I can prevent it, or is CSF/LFD pretty much my best defense already?
This is pretty common at VPS/dedicated server providers. Those networks are targets for bots and script kiddies.
My issue with LFD/CSF and similar tools is that these auto-blocks are really not necessary if you have good security in place.
I find that if you:
block everything not in use with your firewall
use good passwords
block direct root access
keep OS/web apps updated
Then these scans are more of an annoyance than a real attack.
I also find these auto-block tools create a sense of complacency. You see these emails as "normal" and miss significant threats.
My approach to this is not to alert, or even not to auto-block at all. Rate-limiting firewall rules and good security practices render things like lfd unnecessary.
Recommendation
If you want to auto-block, I think you can configure CSF/LFD not to alert you.
In terms of alerts, I always ask myself: what do I do with this information? If you are not doing anything with the info, then you probably don't need to see it. It will be logged should you need to review it, but there is little point in getting an email about a block that has already happened.
Yes, this is normal. Welcome to the internet. This looks like a log telling you that your server is already blocking them as they fail to guess a password in the first few attempts.
As you always should do, make sure passwords are strong if they are required. Better is to use only ssh keys and not allow password logins. Consider not allowing root logins to ssh.
If you do these things you have little to worry about. You can run ssh on a non-standard port. It doesn't really get you any more security, especially if you are doing things from the above paragraph, but you'd see a decline in the number of failures you are seeing.
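The two answers above agree on the same handful of controls: key-only SSH, no root login, a default-deny firewall, and rate-limiting of new SSH connections instead of relying on LFD alerts. The following is an added example (not code from either answer or from CSF/LFD) that writes those settings out as an sshd_config drop-in and an nftables ruleset, and includes a small audit function so the resulting config can be checked before sshd is reloaded. The drop-in path, the port argument, and the rate-limit numbers (4 new connections per minute per source, 10-minute ban) are assumptions to adjust for your own host.

```shell
#!/bin/sh
# Added example: generate and audit the SSH/firewall hardening the thread recommends.
# Nothing here touches the live system; redirect the output into place yourself.

# Emit an sshd_config drop-in. OpenSSH honours the FIRST value it sees for a
# keyword, and /etc/ssh/sshd_config.d/*.conf is Included at the top of the main
# file, so a drop-in wins over the distro defaults (assumed path, OpenSSH >= 8.2).
# $1 = listening port (defaults to 22; a non-standard port only cuts noise).
gen_sshd_dropin() {
  port="${1:-22}"
  cat <<EOF
# /etc/ssh/sshd_config.d/10-hardening.conf (assumed path)
Port ${port}
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# Emit an nftables ruleset: default-drop inbound, allow only what is in use,
# and drop a source that opens more than 4 new SSH connections per minute,
# keeping it in the dynamic set for 10 minutes (the "rate-limiting firewall
# rules" of the first answer, without any alert email).
gen_nft_ruleset() {
  port="${1:-22}"
  cat <<EOF
table inet filter {
  set ssh_ratelimit {
    type ipv4_addr
    flags dynamic, timeout
    timeout 10m
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport ${port} ct state new add @ssh_ratelimit { ip saddr limit rate over 4/minute } drop
    tcp dport ${port} ct state new accept
    tcp dport { 80, 443 } accept
    icmp type echo-request limit rate 5/second accept
  }
}
EOF
}

# Audit an sshd config file for the settings that matter. An unset keyword is
# treated as a failure on purpose: PasswordAuthentication defaults to yes, and
# relying on PermitRootLogin's default hides the intent from the next admin.
# Prints one line per directive; returns 0 only when every directive passes.
audit_sshd_config() {
  file="$1"
  rc=0
  for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
    key="${want%% *}"
    val="${want#* }"
    # first non-comment occurrence, lower-cased, to mirror sshd's first-match rule
    got=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$file" | head -n1 | awk '{print tolower($2)}')
    if [ "$got" != "$val" ]; then
      echo "FAIL ${key}: got '${got:-<unset>}', want '${val}'"
      rc=1
    else
      echo "ok   ${key} ${got}"
    fi
  done
  return $rc
}

# Usage (run as a script):  sh harden.sh demo
#   writes the drop-in to a temp file, audits it, and prints the nft ruleset.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  gen_sshd_dropin 22 > "$tmp"
  audit_sshd_config "$tmp"
  gen_nft_ruleset 22
  rm -f "$tmp"
fi
```

Review the generated drop-in with `sshd -t` and keep an existing session open while reloading sshd, since a typo in the port or a missing authorized_keys file locks you out at exactly the moment password logins stop working. The nftables rule bans by source address for the timeout and then forgets it, which is the behaviour the first answer prefers over a permanent, emailed block.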