The past few days I’ve seen a *massive* uptick in people trying to break into my SSH server. It’s public facing but on a nonstandard port. So many people are trying that the Gmail account I use to send fail2ban notifications is getting rate limited. Right now I’m getting several per minute; the normal amount is 1-3 per day.

Oh. I just got rate limited again.

Anyone else experiencing something similar?

#cybersecurity #askfedi

Another interesting data point: I set up a tar pit using `endlessh` on the port below my actual SSH port, so it would theoretically catch dumb scanners that are attacking all ports sequentially. It caught nobody, which means either these are automated attackers scanning the internet, but sophisticated enough to check for a version string (which endlessh does not provide), or one sophisticated (possibly manual) scanner has set a botnet against my server and this port specifically.

After having a fantastic day out, I came home and moved endlessh to my previous SSH port. It's caught so many bots that `journalctl` is hitting the log limit and discarding earlier logs. That makes me think these *aren't* random-but-sophisticated bots that search for something with an SSH server version string. Rather, I think someone has manually targeted my server with a botnet.
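As an added example (not code from the original posts or from the endlessh project): once the journal is full of tar-pit hits, the first thing worth checking is how many distinct sources are behind them and how the load is spread, since a broad internet scan and a single operator driving a pool of bots look different in that breakdown. The script below pulls the ACCEPT/CLOSE lines out of `journalctl -u endlessh` output, counts connections per source and sums the time each client was held. The field layout of the lines (`host=`, `port=`, `fd=`, `n=`, `time=`, `bytes=`) is my assumption about endlessh's log format, the sample lines are constructed, the unit name `endlessh` is assumed, and the thresholds in `classify` are arbitrary illustration values.

```python
import re
import sys
from collections import Counter

# Constructed sample journal output (not real data). The line layout is an
# assumption about endlessh's ACCEPT/CLOSE log format, not taken from the thread.
SAMPLE_LOG = """\
May 01 10:00:01 box endlessh[42]: 2024-05-01T10:00:01.000Z ACCEPT host=::ffff:203.0.113.5 port=51000 fd=4 n=1/4096
May 01 10:00:02 box endlessh[42]: 2024-05-01T10:00:02.000Z ACCEPT host=::ffff:198.51.100.7 port=40222 fd=5 n=2/4096
May 01 10:00:03 box endlessh[42]: 2024-05-01T10:00:03.000Z ACCEPT host=::ffff:203.0.113.5 port=51001 fd=6 n=3/4096
May 01 10:00:40 box endlessh[42]: 2024-05-01T10:00:40.000Z CLOSE host=::ffff:203.0.113.5 port=51000 fd=4 time=39.000 bytes=120
May 01 10:00:41 box endlessh[42]: 2024-05-01T10:00:41.000Z ACCEPT host=::ffff:192.0.2.9 port=33333 fd=4 n=3/4096
May 01 10:05:00 box endlessh[42]: 2024-05-01T10:05:00.000Z CLOSE host=::ffff:198.51.100.7 port=40222 fd=5 time=298.000 bytes=900
"""

# We search rather than anchor so the journalctl prefix does not matter.
LINE_RE = re.compile(
    r"(?P<event>ACCEPT|CLOSE) host=(?P<host>\S+) port=(?P<port>\d+) fd=\d+"
    r"(?: n=\d+/\d+)?(?: time=(?P<time>[\d.]+) bytes=(?P<bytes>\d+))?"
)


def normalise_host(host):
    """Strip the IPv4-mapped IPv6 prefix a dual-stack listener shows for v4 clients."""
    return host[7:] if host.startswith("::ffff:") else host


def parse_endlessh(text):
    """Return one dict per ACCEPT/CLOSE line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "event": m.group("event"),
            "host": normalise_host(m.group("host")),
            "port": int(m.group("port")),
            "time": float(m.group("time")) if m.group("time") else None,
            "bytes": int(m.group("bytes")) if m.group("bytes") else None,
        })
    return records


def summarise(records):
    """Connections per source, how concentrated they are, and total time trapped."""
    accepts = [r for r in records if r["event"] == "ACCEPT"]
    closes = [r for r in records if r["event"] == "CLOSE"]
    per_host = Counter(r["host"] for r in accepts)
    total = len(accepts)
    top_host, top_count = per_host.most_common(1)[0] if per_host else (None, 0)
    return {
        "connections": total,
        "unique_hosts": len(per_host),
        "top_host": top_host,
        "top_share": top_count / total if total else 0.0,
        "seconds_trapped": sum(r["time"] for r in closes),
        "per_host": dict(per_host),
    }


def classify(summary, min_hosts=50, max_share=0.05):
    """Crude heuristic (thresholds are arbitrary): many sources each contributing
    a small share looks like a distributed pool; a few sources doing most of
    the work looks like one scanner or a small set of them."""
    if summary["unique_hosts"] >= min_hosts and summary["top_share"] <= max_share:
        return "distributed"
    return "concentrated"


if __name__ == "__main__":
    # Read real journal output from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarise(parse_endlessh(text))
    print(f"{summary['connections']} connections from {summary['unique_hosts']} hosts, "
          f"top {summary['top_host']} with {summary['top_share']:.0%}, "
          f"{summary['seconds_trapped']:.0f}s held; pattern: {classify(summary)}")
    for host, count in sorted(summary["per_host"].items(), key=lambda kv: -kv[1])[:10]:
        print(f"  {host:15} {count}")
```

Feed it the real journal with `journalctl -u endlessh --no-pager | python3 tarpit_summary.py` (unit name assumed). When the journal is rotating fast enough to lose history, the `unique_hosts` and `top_share` numbers over a few hours are still enough to see whether one operator is fronting a pool of addresses or a handful of scanners are simply hammering the port.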