For 36 hours now, one of my clients' servers has been logging ssh
login attempts from around the world, low volume, persistent, but more
frequent than usual. sshd is listening on a non-standard port, just to
minimize the garbage in the logs.
A couple of attempts is normal; we've seen that for year
"What's the point?" C'mon, Ted. You know better than that. The point is people
with weak passwords. Remember the Dyn DDoS? That was brought on entirely by
devices with default passwords. As is a RasPi attack I read about on Slashdot
just this AM. Say 90% of servers/devices follow good security p
sshguard takes care of most of them (especially the high bandwidth ones).
The black hats don't care - they're looking for vulnerable systems. If
they find one, they'll exploit it (or not).
Note that a while ago (more than a few years), Comcast used to probe
systems to see if they're vulnerable.
sshguard is really good since it'll drop in an iptables rule to block an IP
address after a number of attempts (and prevent knocking on other ports too).
Yubikey as 2FA is pretty nice too.
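
An added example, not part of the original thread and not sshguard's or Fail2Ban's own code: a simplified per-IP threshold over sshd "Failed password" lines, showing which sources a "block after a number of attempts" rule catches and which low-volume, one-attempt-per-address sources it never sees. The log lines are constructed, and the function names, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth-log format (documentation-range addresses).
SAMPLE_LOG = """\
Jun 11 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 11 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 11 10:00:06 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 11 10:41:10 host sshd[1010]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jun 11 11:15:42 host sshd[1020]: Failed password for root from 192.0.2.44 port 52000 ssh2
Jun 11 12:03:27 host sshd[1030]: Failed password for invalid user pi from 198.51.100.23 port 53000 ssh2
Jun 11 12:30:00 host sshd[1040]: Accepted publickey for alice from 192.0.2.10 port 54000 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(text, year=2017):
    """Return (timestamp, source_ip) for each failed password line.
    Syslog timestamps carry no year, so the year is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def sources_to_block(events, threshold=3, window=timedelta(minutes=10)):
    """Per-IP sliding window: flag a source once it reaches `threshold`
    failures within `window`."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked

def unblocked_sources(events, blocked):
    """Sources that failed at least once but never crossed the threshold."""
    return {ip for _, ip in events} - blocked
```

The count of distinct unblocked sources per hour is the number to watch for the distributed, low-volume pattern: a per-IP rule leaves it untouched, so key-only authentication or 2FA is what actually covers it.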
Original message From: Bruce Dawson Date:
6/11/17 10:58 AM (GMT-05:00) To: gnhlug-discuss@
On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
>
> A c
Thanks, all for the recommendations. I hadn't seen sshguard before;
I'll give that a try.
I do have Fail2Ban in place, and have customized a number of scripts,
mostly for Apache (trying to invoke asp scripts on my LAMP server
results in instaban, for example) and it is what is reporting the ssh
lo