brute force ssh attacks

Michael Hipp michael at redmule.com
Thu Feb 7 08:30:17 PST 2019


Move sshd to some oddball high port number.

Michael


On 2/7/19 9:36 AM, Lonni J Friedman via Linux-users wrote:
> For the past few days some botnet has decided to attempt to attack
> sshd on one of my systems with some kind of brute force attack.  It's
> coming from literally a broad swath of the internet with connection
> attempts like this in the past 24 hours:
>
> Except, that it's a few thousand attempts every day.  I'm already not
> permitting password based auth for sshd, so the entire exercise is
> futile, but it's definitely consuming resources on my side.  I'm aware
> of tools like fail2ban, but I'm not sure that's going to be much value
> when the attacks are a few attempts from a very large number of unique
> sources.
>
> Are there any other good solutions for preventing this sort of thing
> beyond blocking sshd from everywhere except white listed IP addresses?
>
> thanks
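
The concern in the quoted question, that a per-source threshold does little when each source makes only a few attempts, can be measured from the sshd log before choosing a mitigation. This is an added example, not part of the thread: the log lines are constructed (RFC 5737 documentation addresses), and it assumes OpenSSH-style messages and ignores the time window a tool such as fail2ban would apply.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH auth-log style; not data from the original post.
SAMPLE_LOG = """\
Feb  7 08:01:11 host sshd[2101]: Invalid user admin from 192.0.2.10 port 40122
Feb  7 08:01:11 host sshd[2101]: Connection closed by invalid user admin 192.0.2.10 port 40122 [preauth]
Feb  7 08:03:40 host sshd[2107]: Invalid user test from 198.51.100.7 port 51840
Feb  7 08:09:02 host sshd[2113]: Invalid user oracle from 192.0.2.10 port 40510
Feb  7 08:15:27 host sshd[2120]: Connection closed by authenticating user root 203.0.113.9 port 33218 [preauth]
Feb  7 08:21:55 host sshd[2131]: Invalid user pi from 203.0.113.5 port 60344
Feb  7 08:30:17 host sshd[2140]: Accepted publickey for alice from 192.0.2.200 port 50022 ssh2
Feb  7 08:41:09 host sshd[2152]: Invalid user ubuntu from 192.0.2.10 port 41877
Feb  7 08:52:33 host sshd[2160]: Invalid user guest from 198.51.100.7 port 52001
Feb  7 09:04:48 host sshd[2171]: Invalid user ftp from 192.0.2.10 port 42290
"""

# One match per failed attempt: unknown users are logged as "Invalid user",
# known users that never authenticate as "authenticating user ... [preauth]".
# The "Connection closed by invalid user" follow-up line is skipped on purpose
# so an unknown-user attempt is not counted twice.
ATTEMPT = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S* from "
    r"|Connection closed by authenticating user \S+ )"
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def threshold_coverage(lines, maxretry):
    """Summarise how much of the traffic a per-source ban threshold would stop."""
    per_source = Counter()
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            per_source[m.group(1)] += 1
    return {
        "attempts": sum(per_source.values()),
        "sources": len(per_source),
        # Sources that reach the threshold and would be banned.
        "banned": sorted(ip for ip, n in per_source.items() if n >= maxretry),
        # Only attempts arriving after the threshold is hit are actually stopped.
        "stopped": sum(n - maxretry for n in per_source.values() if n > maxretry),
    }

if __name__ == "__main__":
    for limit in (3, 5):
        print(limit, threshold_coverage(SAMPLE_LOG.splitlines(), limit))
```

A low `stopped` count relative to `attempts` on a real log confirms that per-address banning alone will not reduce the load much.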


