brute force ssh attacks
Bmarsh
bmarsh at bmarsh.com
Thu Feb 7 14:33:40 PST 2019
I always change the port for ssh to something waaay above 1024
From: Lonni J Friedman via Linux-users <linux-users at linux-sxs.org>
Subject: brute force ssh attacks
Date: 2/7/19 10:49 AM
To: Linux tips and tricks <linux-users at linux-sxs.org>
CC: Lonni J Friedman <netllama at gmail.com>
For the past few days some bot net has decided to attempt to attack
sshd on one of my systems with some kind of brute force attack. It's
coming from literally a broad swath of the internet with connection
attempts like this in the past 24 hours:
Except that it's a few thousand attempts every day. I'm already not
permitting password based auth for sshd, so the entire exercise is
futile, but it's definitely consuming resources on my side. I'm aware
of tools like fail2ban, but I'm not sure that's going to be much value
when the attacks are a few attempts from a very large number of unique
sources.
Are there any other good solutions for preventing this sort of thing
beyond blocking sshd from everywhere except white listed IP addresses?
thanks
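Added example, not part of the original messages: a way to measure from per-source connection counts, of the kind the quoted message reports, how little a per-IP ban threshold covers when each source makes only a few attempts. The "address (optional rDNS): N times" line format, the function names and the sample data are assumptions made for this example, and the ban model is simplified (it ignores fail2ban's time window, so it overstates what a real jail would catch).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (documentation address ranges, not real sources).
# One entry is wrapped across two lines, as mail clients tend to do.
SAMPLE = """\
192.0.2.10: 6 times
192.0.2.44: 5 times
192.0.2.77 (host77.example.net): 2 times
198.51.100.5: 3 times
198.51.100.9: 1 time
198.51.100.200
(host200.example.org): 2 times
203.0.113.8: 4 times
203.0.113.19: 1 time
not a summary line
"""

# \s+ also matches a newline, so a wrapped "(rDNS): N times" still parses.
ENTRY = re.compile(r"^(\S+)(?:\s+\(([^)]*)\))?:\s+(\d+) times?$", re.M)

def parse_summary(text):
    """Return Counter {ip_address: attempts}; unparseable lines are skipped."""
    counts = Counter()
    for m in ENTRY.finditer(text):
        try:
            counts[ipaddress.ip_address(m.group(1))] += int(m.group(3))
        except ValueError:
            continue  # first field was not an IP address
    return counts

def threshold_coverage(counts, maxretry):
    """Model a per-IP ban that triggers on the maxretry-th failure.
    Only attempts after the trigger count as blocked."""
    banned = [n for n in counts.values() if n >= maxretry]
    return {"sources": len(counts), "banned": len(banned),
            "attempts": sum(counts.values()),
            "blocked": sum(n - maxretry for n in banned)}

def by_network(counts, prefix=24):
    """Sum IPv4 attempts per enclosing network to expose clustered sources."""
    nets = Counter()
    for ip, n in counts.items():
        if ip.version == 4:
            nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += n
    return nets

if __name__ == "__main__":
    c = parse_summary(SAMPLE)
    print(threshold_coverage(c, 5), by_network(c).most_common(3))
```

With the sample data, a threshold of 5 bans 2 of 8 sources and stops 1 of 24 attempts, which is the situation the question describes; grouping by network shows whether a broader block would cover more of the traffic.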