this post was submitted on 19 Nov 2023
2 points (100.0% liked)

Homelab

371 readers
9 users here now

Rules

founded 1 year ago
MODERATORS
 

Looks like i was quite lucky. At the moment, i was looking at the server notifications and fail2ban started screaming.

Almost 30 different IP addresses were blocked for ssh attack. And the locations are all around the world.

It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to be expected always?

What do the guy expect?

Does it make sense to report this to DigitalOcean as several of those IPs belong to DO?

https://preview.redd.it/a8hlok99q71c1.png?width=795&format=png&auto=webp&s=4a95b1732afc3c295e0d9ac46e0f3b96ff1be7d6

https://preview.redd.it/dmqscgxcq71c1.png?width=1041&format=png&auto=webp&s=48b6dc14eb8d267510437085717f58fbc880a972

118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5

top 24 comments
sorted by: hot top controversial new old
[–] hadrabap@alien.top 2 points 1 year ago

There has been a report that certain devices (IoT, modems, BMCs, routers, switches, remote management) that use proprietary implementation of SSH instead of OpenSSH are vulnerable to private key exposure/compromise.

[–] AnApexBread@alien.top 2 points 1 year ago

It's bots trying to brute force your SSH login. It happens all the time.

Just change SSH to key based only (disable password login) and move on.

[–] murdaBot@alien.top 1 points 1 year ago

This is completely normal for a machine exposed to the internet. In the words of Obi Wan, "Nothing to see here, move along ..."

[–] tmat256@lemmings.world 1 points 1 year ago

This happens literally all the time for me both personally and professionally. I see mostly low effort attempts across various ports or things like sweeps of common username/password attempts on ssh or common management endpoints on http.

This is why it's important to keep all publicly accessible servers and services updated and follow standard security guidelines. Things like only using public key auth for ssh for instance.

At work we get hit occasionally in large bursts and have to ban ips for a bit to get them to go away.

[–] jykb88@alien.top 1 points 1 year ago (3 children)

Is it a good idea to have SSH open to the internet?

[–] mosaic_hops@alien.top 1 points 1 year ago

Yes there’s nothing wrong with it. SSH autt is robust.

[–] nolo_me@alien.top 1 points 1 year ago (1 children)

As long as you're running fail2ban there's no harm in it. Without exception you should disable root login, and ideally you should disable password login and just use keys.

[–] BobTheSCV@alien.top 1 points 1 year ago (1 children)

Fail2ban does all of nothing to protect you. At best it keeps the noise in the logs down a bit.

Competent attackers tend to use a botnet, blocking and rate limiting does jack shit against 10,000 IPs.

[–] MrWizard1979@alien.top 1 points 1 year ago

When I ran fail2ban, I modified the action to ban a much larger subnet instead of just one IP. I also banned it for 24 hours. Now I run OPNsense with geo blocking and just ignore the logs. It's just noise.

[–] BobTheSCV@alien.top 1 points 1 year ago

It's fine, but it's a good idea to disable password authentication and only permit public key auth. Using a non-standard port helps reduce the spam in the logs a bit.

[–] mosaic_hops@alien.top 1 points 1 year ago

This is normal background noise and nothing to worry about at all. Just be sure you’re using keypair login and user/password login is disabled.

[–] hypercyanate@alien.top 1 points 1 year ago

Don't use port 22

[–] evilkasper@alien.top 1 points 1 year ago

If you have anything exposed to the internet, this is going to happen. Keep your stuff updated and button it up as much as possible.

[–] clarkcox3@alien.top 1 points 1 year ago (1 children)

Don’t use port 22 for ssh, and run something like endlessh on port 22.

[–] MrJake2137@alien.top 1 points 1 year ago

Is there some program that lets anyone in and logs their activity?

[–] artequilibrium@alien.top 1 points 1 year ago

They’re called love taps, the internet loves you ❤️

[–] calinet6@alien.top 1 points 1 year ago (1 children)

Ha, yeah this is very common.

I’ve been constantly under attack from about ten times this for around 10 years.

They brute force common words and try various names as logins. It’s very primitive.

It waxes and wanes in frequency but averages to three or four per minute.

I have ssh on port 2222 (which btw they also figure out pretty quickly, I would recommend a less obvious alternative port) and fail2ban catches them after a couple tries, but without fail new ips spin up and resume.

It’s futile. I don’t have password auth on. They’ll never get in.

It’s just like people walking down the street coming up to your door to see if it’s unlocked. Or trying car doors for the same. They can try all they want, they’re not getting in.

Moral of the story: yeah it feels scary, but it’s really not. Make sure you have password auth and root login turned off, and fail2ban is a good call. Otherwise ignore it, it’s just something that will always happen on the internet.

[–] ycdrtt@alien.top 1 points 1 year ago (1 children)

I once bound a /16 to a server. Dropped like a rock instantly over ssh attacks 😂 over 10,000/s

[–] RolledUhhp@alien.top 1 points 1 year ago

Could you dumb this down for the class, what do you mean by 'bound a /16'?

[–] billiarddaddy@alien.top 1 points 1 year ago (1 children)

You're using standard ports so it'll happen constantly.

I moved all my ssh to nonstandard ports.

[–] mosaic_hops@alien.top 1 points 1 year ago

Bots will find it pretty quickly. Remember the first thing that happens when you connect to an SSH server is get a message saying “Hi, I’m an SSH server! How are you today?”.

Just set a custom port above 60000, and it’ll never get touched. Having SSH open on the WAN is wild though.. not sure why you’d do that.

If you need to access the server remotely and it needs to be WAN-facing, set up a VPN server

[–] orosmatthew_pixeled@alien.top 1 points 1 year ago

I use fail2ban too and set the ban limit to 48 hours. I regularly have around 1000 banned IPs

[–] bufandatl@alien.top 1 points 1 year ago

That‘s normal. There are countless bot nets that scan every public available IP to hijack. Using fail2ban is already a good approach. I personally switched to crowdsec a while ago as it comes with a crowdsourced blacklist which will silence a lot of the common noise and only occasionally I get an Alarm about an IP address not already on the default list.