Looks like i was quite lucky. At the moment, i was looking at the server notifications and fail2ban started screaming.
Almost 30 different IP addresses were blocked for ssh attack. And the locations are all around the world.
It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to be expected always?
What do the guy expect?
Does it make sense to report this to DigitalOcean as several of those IPs belong to DO?
118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5
This happens literally all the time for me both personally and professionally. I see mostly low effort attempts across various ports or things like sweeps of common username/password attempts on ssh or common management endpoints on http.
This is why it’s important to keep all publicly accessible servers and services updated and follow standard security guidelines. Things like only using public key auth for ssh for instance.
At work we get hit occasionally in large bursts and have to ban ips for a bit to get them to go away.
Is it a good idea to have SSH open to the internet?
As long as you’re running fail2ban there’s no harm in it. Without exception you should disable root login, and ideally you should disable password login and just use keys.
Fail2ban does all of nothing to protect you. At best it keeps the noise in the logs down a bit.
Competent attackers tend to use a botnet, blocking and rate limiting does jack shit against 10,000 IPs.
This is normal background noise and nothing to worry about at all. Just be sure you’re using keypair login and user/password login is disabled.
Don’t use port 22
If you have anything exposed to the internet, this is going to happen. Keep your stuff updated and button it up as much as possible.