brute force ssh attacks
Lonni J Friedman
netllama at gmail.com
Thu Feb 7 13:51:27 PST 2019
It's already on an oddball high port number. The botnets are way more
sophisticated these days than they used to be. There really isn't
any security through obscurity any longer.
On Thu, Feb 7, 2019 at 8:33 AM Michael Hipp via Linux-users
<linux-users at linux-sxs.org> wrote:
>
> Move sshd to some oddball high port number.
>
> Michael
>
>
> On 2/7/19 9:36 AM, Lonni J Friedman via Linux-users wrote:
> > For the past few days some botnet has decided to attempt to attack
> > sshd on one of my systems with some kind of brute force attack. It's
> > coming from literally a broad swath of the internet with connection
> > attempts like this in the past 24 hours:
> >
> > Except that it's a few thousand attempts every day. I'm already not
> > permitting password based auth for sshd, so the entire exercise is
> > futile, but it's definitely consuming resources on my side. I'm aware
> > of tools like fail2ban, but I'm not sure that's going to be of much value
> > when the attacks are a few attempts from a very large number of unique
> > sources.
> >
> > Are there any other good solutions for preventing this sort of thing
> > beyond blocking sshd from everywhere except whitelisted IP addresses?
> >
> > thanks
> > _______________________________________________
> > Linux-users mailing list
> > Linux-users at linux-sxs.org
> > http://mailman.celestial.com/mailman/listinfo/linux-users
>
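Added example, not part of the original messages: a sketch of why a per-source retry threshold (the fail2ban model mentioned in the thread) misses a few attempts each from many sources, while counting distinct failing sources per network prefix exposes them. The log lines are constructed and use documentation address ranges; the thresholds, the /24 grouping and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the source address in common OpenSSH pre-auth failure messages.
SRC = re.compile(r"sshd\[\d+\]: (?:Invalid user \S+ from|Connection closed by"
                 r"(?: (?:authenticating|invalid) user \S+)?) (\d+(?:\.\d+){3}) port")

def constructed_log():
    """Constructed sample: documentation address ranges, not real hosts."""
    lines = []
    for host in range(10, 22):          # 12 sources in one /24, 2 tries each
        lines += [f"Feb  7 09:00:01 host sshd[2101]: Invalid user admin "
                  f"from 198.51.100.{host} port 40000"] * 2
    lines += ["Feb  7 09:05:00 host sshd[2102]: Connection closed by "
              "authenticating user root 203.0.113.5 port 51000 [preauth]"] * 8
    lines += ["Feb  7 09:06:00 host sshd[2103]: Accepted publickey for alice "
              "from 192.0.2.44 port 50022 ssh2"]   # legitimate login, ignored
    return lines

def attempts_by_source(lines):
    """Count failed pre-auth attempts per source address."""
    counts = Counter()
    for line in lines:
        m = SRC.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def per_ip_offenders(counts, max_retry=5):
    """Per-source model: flag an address only once it alone hits max_retry."""
    return {ip for ip, n in counts.items() if n >= max_retry}

def distributed_prefixes(counts, prefix_len=24, min_sources=10):
    """Flag prefixes where many distinct sources each stay under max_retry."""
    groups = defaultdict(list)
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(n)
    return {net: (len(ns), sum(ns)) for net, ns in groups.items()
            if len(ns) >= min_sources}

if __name__ == "__main__":
    counts = attempts_by_source(constructed_log())
    print("per-IP threshold flags:", per_ip_offenders(counts))
    print("prefix view flags (sources, attempts):", distributed_prefixes(counts))
```

Where the sources do not cluster by prefix, the count of distinct failing sources per time window across the whole log is the figure to watch instead.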