2

Burst of SSH attacks, why?

posted
by
Avatar
echo74alphavictor@alien.topB
in
Avatar
homelab@selfhosted.forum
24 comments
hidereport

Looks like i was quite lucky. At the moment, i was looking at the server notifications and fail2ban started screaming.

Almost 30 different IP addresses were blocked for ssh attack. And the locations are all around the world.

It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to be expected always?

What do the guy expect?

Does it make sense to report this to DigitalOcean as several of those IPs belong to DO?

https://preview.redd.it/a8hlok99q71c1.png?width=795&format=png&auto=webp&s=4a95b1732afc3c295e0d9ac46e0f3b96ff1be7d6

https://preview.redd.it/dmqscgxcq71c1.png?width=1041&format=png&auto=webp&s=48b6dc14eb8d267510437085717f58fbc880a972

118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5

Sort:
HotTopControversialNewOld
Avatar
hadrabap@alien.topB
2 points

There has been a report that certain devices (IoT, modems, BMCs, routers, switches, remote management) that use proprietary implementation of SSH instead of OpenSSH are vulnerable to private key exposure/compromise.

permalink
report
reply
Avatar
AnApexBread@alien.topB
2 points

It’s bots trying to brute force your SSH login. It happens all the time.

Just change SSH to key based only (disable password login) and move on.

permalink
report
reply
Avatar
tmat256@lemmings.world
1 point

This happens literally all the time for me both personally and professionally. I see mostly low effort attempts across various ports or things like sweeps of common username/password attempts on ssh or common management endpoints on http.

This is why it’s important to keep all publicly accessible servers and services updated and follow standard security guidelines. Things like only using public key auth for ssh for instance.

At work we get hit occasionally in large bursts and have to ban ips for a bit to get them to go away.

permalink
report
reply
Avatar
jykb88@alien.topB
1 point

Is it a good idea to have SSH open to the internet?

permalink
report
reply
Avatar
nolo_me@alien.topB
1 point

As long as you’re running fail2ban there’s no harm in it. Without exception you should disable root login, and ideally you should disable password login and just use keys.

permalink
report
parent
reply
Avatar
BobTheSCV@alien.topB
1 point

Fail2ban does all of nothing to protect you. At best it keeps the noise in the logs down a bit.

Competent attackers tend to use a botnet, blocking and rate limiting does jack shit against 10,000 IPs.

permalink
report
parent
reply
Avatar
MrWizard1979@alien.topB
1 point

When I ran fail2ban, I modified the action to ban a much larger subnet instead of just one IP. I also banned it for 24 hours. Now I run OPNsense with geo blocking and just ignore the logs. It’s just noise.

permalink
report
parent
reply
Avatar
mosaic_hops@alien.topB
1 point

Yes there’s nothing wrong with it. SSH autt is robust.

permalink
report
parent
reply
Avatar
BobTheSCV@alien.topB
1 point

It’s fine, but it’s a good idea to disable password authentication and only permit public key auth. Using a non-standard port helps reduce the spam in the logs a bit.

permalink
report
parent
reply
Avatar
orosmatthew_pixeled@alien.topB
1 point

I use fail2ban too and set the ban limit to 48 hours. I regularly have around 1000 banned IPs

permalink
report
reply

Homelab

!homelab@selfhosted.forum

Create post

Rules

  • Be Civil.
  • Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
  • No memes or potato images.
  • We love detailed homelab builds, especially network diagrams!
  • Report any posts that you feel should be brought to our attention.
  • Please no shitposting or blogspam.
  • No Referral Linking.
  • Keep piracy discussion off of this community

Community stats

  • 9

    Monthly active users

  • 1.4K

    Posts

  • 6K

    Comments

Community moderators