The past few days I’ve seen a *massive* uptick in people trying to break into my SSH server. It’s public-facing but on a nonstandard port. So many people are trying that the Gmail account I use to send fail2ban notifs is getting rate limited. Right now I’m getting several per minute; the normal amount is 1-3 per day.

Oh. I just got rate limited again.

Anyone else experiencing something similar?

#cybersecurity #askfedi

Another interesting data point: I set up a tar pit using `endlessh` on the port below my actual SSH port, so it would theoretically catch dumb scanners that are attacking all ports sequentially. It caught nobody, which means either these are automated attackers scanning the internet, but sophisticated enough to check for a version string (which endlessh does not provide), or one sophisticated (possibly manual) scanner has set a botnet against my server and this port specifically.
After having a fantastic day out, I came home and moved endlessh to my previous SSH port. It's caught so many bots that `journalctl` is hitting the log limit and discarding earlier logs. That makes me think these *aren't* random but sophisticated bots that search for something with an SSH server version string. Rather, I think someone has manually targeted my server with a botnet.
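Since the interesting part of a tarpit on the real port is who it catches and for how long, here is an added example for summarising endlessh's journal output per source address. It is my own script, not something from the original poster. The `ACCEPT ... n=x/y` and `CLOSE ... time= bytes=` line shapes are endlessh's log messages as I know them (verify against `journalctl -u endlessh`), the unit name `endlessh` is assumed, and the three addresses in `SAMPLE` are constructed sample data. A `CLOSE` whose matching `ACCEPT` has already been rotated out of the journal (the log-limit problem described above) is still counted, so the totals do not silently drop long-lived connections.

```shell
#!/bin/sh
# Added example: summarise what an endlessh tarpit has caught.
# Usage: journalctl -u endlessh -o cat | sh endlessh_summary.sh /dev/stdin
#        sh endlessh_summary.sh            (runs on the constructed sample)
set -eu

# Constructed sample journal lines (not real captures). Addresses are from
# the documentation ranges; endlessh prints IPv4 peers as ::ffff:-mapped.
SAMPLE='ACCEPT host=::ffff:203.0.113.7 port=51222 fd=4 n=1/4096
CLOSE host=::ffff:203.0.113.7 port=51222 fd=4 time=20.004 bytes=46
ACCEPT host=::ffff:203.0.113.7 port=51300 fd=4 n=1/4096
CLOSE host=::ffff:203.0.113.7 port=51300 fd=4 time=610.217 bytes=1471
ACCEPT host=::ffff:198.51.100.23 port=40001 fd=5 n=2/4096
CLOSE host=::ffff:198.51.100.23 port=40001 fd=5 time=10.011 bytes=24'

# Reads endlessh log lines on stdin (with or without the journalctl
# timestamp prefix) and prints one row per source address, most
# connections first:  conns  seconds_wasted  junk_bytes  host
endlessh_summary() {
    awk '
        {
            # Locate the event word; everything after it is key=value pairs.
            ev = ""
            for (i = 1; i <= NF; i++)
                if ($i == "ACCEPT" || $i == "CLOSE") { ev = $i; start = i + 1; break }
            if (ev == "") next
            split("", f)                      # reset per-line fields
            for (i = start; i <= NF; i++) {
                split($i, kv, "=")
                f[kv[1]] = kv[2]
            }
            host = f["host"]
            sub(/^::ffff:/, "", host)         # strip IPv4-mapped prefix
            seen[host] = 1                    # count CLOSE-only hosts too
            if (ev == "ACCEPT") conns[host]++
            else { secs[host] += f["time"]; bytes[host] += f["bytes"] }
        }
        END {
            for (h in seen)
                printf "%6d %10.1f %10d  %s\n", conns[h] + 0, secs[h] + 0, bytes[h] + 0, h
        }' | sort -rn
}

if [ -n "${1:-}" ]; then
    endlessh_summary < "$1"
else
    printf '%s\n' "$SAMPLE" | endlessh_summary
fi
```

The `time=` field is the seconds the peer sat waiting for a banner that never comes, so the second column is a direct measure of attacker time burned; `bytes=` is how much random pre-banner junk endlessh fed it.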
@cwg1231 not that I know anything, but which ports are you using (both for endlessh and your actual server)?
@self SSHD on 5522, endlessh on 5521. I’ve since swapped endlessh onto 5522 to mess with the attackers.
@cwg1231 fascinating... good luck!!

@cwg1231 Similar experience. In my particular case, most inbound connections were from Russia, so applying a geo-block on RU did wonders.

It's still pinging more than I'd think it should, but at least it's banning the offenders.

@sundevil311 interesting. I’ll have to see about a geo block, but in the meantime I think it’d be fun to do some additional logging and analysis. Since nobody except me relies on this SSH, I might move the port over and replace it with a tar pit to mess with the attackers.
@cwg1231 sounds like a typical day for my web server.
@cwg1231 Is there anyone else SSH'ing in to that box? If not, you could just firewall off everything except your own IP address. If your client device has a dynamic IP address maybe you could use a jump host instead of a direct connection.
@jmhorner just me. I could put it behind Tailscale, but I think it’d be fun to mess with the attackers and do some analysis. Both the client and server have dynamic IP addresses. Btw, fantastic instance name.
@cwg1231 are you looking for tips to mitigate that? I found some nice iptables tricks that have effectively made fail2ban unnecessary in my case…
@systemalias I'd love some tips. Fail2ban is adequate, but I'll never turn down more info on mitigation.

@cwg1231 I can’t share my own scripts currently, as they have some dependencies that wouldn’t make sense to general public use cases… but this page has some good starting points.

https://we.riseup.net/stefani/iptables-recent-module-and-hit-limits

iptables "recent" module and hit limits - stefani - people - Crabgrass

@systemalias thanks. Are there any similar examples for nftables, since that’s supposed to eventually replace iptables?
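As an added example (mine, not from anyone in the thread or from the linked page), here is the per-source hit-limit pattern the link title refers to, written with the iptables `recent` module, and an nftables equivalent built on a dynamic set with a `limit rate over` element. The port 5522, the 4-hits-in-60-seconds threshold and the table name `ssh_guard` are assumptions chosen to match the thread; the nftables ruleset is my understanding of the dynamic-set syntax and should be checked with `nft -c -f` before loading.

```shell
#!/bin/sh
# Added example: per-source connection limit for an SSH port.
#   sh ssh_limit.sh                  print both rule sets
#   sh ssh_limit.sh --apply-iptables  run the iptables commands (as root)
#   sh ssh_limit.sh --apply-nft       load the nftables table (as root)
set -eu

SSH_PORT="${SSH_PORT:-5522}"   # assumed: the sshd port from the thread
HITS="${HITS:-4}"              # new connections ...
WINDOW="${WINDOW:-60}"         # ... per this many seconds, per source

# iptables: each NEW connection is stamped into the "SSH" recent list; a
# source already seen HITS times within WINDOW seconds is dropped, and
# --update refreshes its stamp so a persistent bot stays blocked.
# Note: --hitcount cannot exceed the xt_recent ip_pkt_list_tot module
# parameter (default 20).
iptables_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds $WINDOW --hitcount $HITS --name SSH -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# nftables: a dynamic set keyed on source address carries a token bucket
# per entry. "limit rate over" matches once a source exceeds HITS new
# connections per minute, and the entry expires WINDOW seconds after its
# last hit. This is a rate limit, not an exact count-in-window, so it
# only approximates the recent-module behaviour above. The table has
# policy accept and a separate name so it cannot lock you out by itself.
nft_ruleset() {
    cat <<EOF
table inet ssh_guard {
    set ssh_hits {
        type ipv4_addr
        flags dynamic
        timeout ${WINDOW}s
    }
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport $SSH_PORT ct state new add @ssh_hits { ip saddr limit rate over $HITS/minute } drop
    }
}
EOF
}

case "${1:-}" in
    --apply-iptables) iptables_rules | sh -e ;;
    --apply-nft)      nft_ruleset | nft -f - ;;
    *)                iptables_rules; echo; nft_ruleset ;;
esac
```

Two caveats before relying on either: the set is IPv4-only (`ip saddr`), so an IPv6-reachable host needs a second set keyed on `ip6 saddr`; and a client on a dynamic address that reconnects several times in a minute (the situation described earlier in the thread) will trip the limit just like a bot, so test from a second address before leaving it in place.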