Looks like i was quite lucky. At the moment, i was looking at the server notifications and fail2ban started screaming.

Almost 30 different IP addresses were blocked for ssh attack. And the locations are all around the world.

It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to be expected always?

What do the guy expect?

Does it make sense to report this to DigitalOcean as several of those IPs belong to DO?

https://preview.redd.it/a8hlok99q71c1.png?width=795&format=png&auto=webp&s=4a95b1732afc3c295e0d9ac46e0f3b96ff1be7d6

https://preview.redd.it/dmqscgxcq71c1.png?width=1041&format=png&auto=webp&s=48b6dc14eb8d267510437085717f58fbc880a972

118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5

  • calinet6@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Ha, yeah this is very common.

    I’ve been constantly under attack from about ten times this for around 10 years.

    They brute force common words and try various names as logins. It’s very primitive.

    It waxes and wanes in frequency but averages to three or four per minute.

    I have ssh on port 2222 (which btw they also figure out pretty quickly, I would recommend a less obvious alternative port) and fail2ban catches them after a couple tries, but without fail new ips spin up and resume.

    It’s futile. I don’t have password auth on. They’ll never get in.

    It’s just like people walking down the street coming up to your door to see if it’s unlocked. Or trying car doors for the same. They can try all they want, they’re not getting in.

    Moral of the story: yeah it feels scary, but it’s really not. Make sure you have password auth and root login turned off, and fail2ban is a good call. Otherwise ignore it, it’s just something that will always happen on the internet.

    • ycdrtt@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I once bound a /16 to a server. Dropped like a rock instantly over ssh attacks 😂 over 10,000/s