The past few days I’ve seen a *massive* uptick in people trying to break into my SSH server. It’s public facing but on a nonstandard port. So many people are trying that my Gmail I use to send fail2ban notifs is getting rate limited. Right now I’m getting several per minute; the normal amount is 1-3 per day.

Oh. I just got rate limited again.

Anyone else experiencing something similar?

#cybersecurity #askfedi

Another interesting data point: I set up a tar pit using `endlessh` on the port below my actual SSH port, so it would theoretically catch dumb scanners that are attacking all ports sequentially. It caught nobody, which means either these are automated attackers scanning the internet, but sophisticated enough to check for a version string (which endlessh does not provide), or one sophisticated (possibly manual) scanner has set a botnet against my server and this port specifically.
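An added example, not part of the original posts: a way to answer the two questions raised above from `fail2ban.log` itself rather than from per-ban e-mails, namely how far the ban rate is above the 1-3 per day baseline and whether the bans come from many addresses or one. The log lines are constructed in fail2ban's default format, and the 10x spike threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# fail2ban's default log line for a ban (the "actions" logger, NOTICE level).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+"
    r"\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

# Constructed sample; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01 12:00:03,101 fail2ban.filter         [811]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 12:00:03
2024-05-01 12:00:04,220 fail2ban.actions        [811]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 12:00:19,007 fail2ban.actions        [811]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 12:00:41,530 fail2ban.actions        [811]: NOTICE  [sshd] Ban 192.0.2.44
2024-05-01 12:01:02,914 fail2ban.actions        [811]: NOTICE  [sshd] Ban 198.51.100.23
2024-05-01 12:01:30,388 fail2ban.actions        [811]: NOTICE  [sshd] Ban 203.0.113.90
2024-05-01 12:01:55,002 fail2ban.actions        [811]: NOTICE  [sshd] Unban 192.0.2.10
2024-05-01 12:01:58,640 fail2ban.actions        [811]: NOTICE  [nginx-http-auth] Ban 192.0.2.99
""".splitlines()

def parse_bans(lines, jail="sshd"):
    """Yield (timestamp, ip) for every Ban event of one jail; skip Found/Unban."""
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m and m["jail"] == jail:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def summarize(lines, baseline_per_day=3, jail="sshd"):
    """Summarize ban volume and how spread out the sources are."""
    bans = list(parse_bans(lines, jail))
    if not bans:
        return {"total": 0, "distinct_ips": 0, "peak_per_minute": 0,
                "top_ip_share": 0.0, "spike": False}
    times = [ts for ts, _ in bans]
    per_minute = Counter(ts.replace(second=0) for ts in times)
    per_ip = Counter(ip for _, ip in bans)
    # Project the observed rate to a full day; windows under 60 s count as 60 s.
    span = max((max(times) - min(times)).total_seconds(), 60.0)
    projected_per_day = len(bans) * 86400 / span
    return {
        "total": len(bans),
        "distinct_ips": len(per_ip),
        "peak_per_minute": max(per_minute.values()),
        # A low share means the bans are spread over many sources.
        "top_ip_share": per_ip.most_common(1)[0][1] / len(bans),
        # Assumed threshold: ten times the usual daily count.
        "spike": projected_per_day > 10 * baseline_per_day,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Sending one such summary per interval instead of one message per ban also keeps the notification volume flat during a spike.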
@cwg1231 not that I know anything, but which ports are you using (both for endlessh and your actual server)?

@self SSHD on 5522, endlessh on 5521. I’ve since swapped endlessh onto 5522 to mess with the attackers.

@cwg1231 fascinating... good luck!!