re: Hello, Worm!: Mapping SSH probes with a bash script


I run fail2ban on any internet-facing systems I'm responsible for. This article made me curious, so I did a quick scan of my failed logins log (on my personal VPS). Results are pretty grim:

  • logrotate had rotated the log earlier today ... so the following numbers are < 24 hours
  • 5732 attempts
  • 876 unique userids (used tr to convert them all to lowercase then ran that list through uniq)
  • 40,241 login failures cataloged by fail2ban
  • 12,433 IPs banned
  • 55 IPs within the ban-rotation window (1 hour for the ssh service, specifically)

The fail2ban stuff gets even more grim when extended to SMTP
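The tally the comment above describes (count attempts, lowercase the userids with tr, dedupe with uniq) as an added worked example; this is not the commenter's script and not part of the thread. It runs against a handful of constructed sshd log lines embedded in the script (hostnames, PIDs and IPs are made up, using documentation address ranges), so it works offline; point `FAILED_LOG` at a real auth log to use it for real.

```shell
#!/bin/sh
# Added example (not from the thread): tally failed SSH logins the way the
# comment describes. The log lines below are constructed for the example.

FAILED_LOG="$(mktemp)"
trap 'rm -f "$FAILED_LOG"' EXIT
cat > "$FAILED_LOG" <<'EOF'
Mar  3 01:02:03 vps sshd[1001]: Failed password for invalid user Admin from 198.51.100.10 port 51000 ssh2
Mar  3 01:02:09 vps sshd[1002]: Failed password for invalid user admin from 198.51.100.10 port 51004 ssh2
Mar  3 01:03:15 vps sshd[1003]: Failed password for root from 203.0.113.7 port 40222 ssh2
Mar  3 01:03:40 vps sshd[1004]: Failed password for invalid user ubuntu from 203.0.113.7 port 40230 ssh2
Mar  3 01:04:01 vps sshd[1005]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:constructed
Mar  3 01:05:55 vps sshd[1006]: Failed password for ROOT from 198.51.100.99 port 33001 ssh2
EOF

# Number of failed password attempts (successful logins are not counted).
failed_attempts() {
    grep -c 'Failed password for' "$1"
}

# Userids that were tried, case-folded with tr and deduplicated with uniq,
# so "Admin", "admin" and "ROOT", "root" collapse to one entry each.
# The optional "invalid user " prefix appears when the account does not exist.
unique_userids() {
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' "$1" \
        | tr '[:upper:]' '[:lower:]' | sort | uniq
}

# Source IPs of failed attempts, most active first: the list you would
# feed to fail2ban's ban decisions or an ipset for review.
top_sources() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

printf 'attempts: %s\n' "$(failed_attempts "$FAILED_LOG")"
printf 'unique userids: %s\n' "$(unique_userids "$FAILED_LOG" | wc -l | tr -d ' ')"
printf 'sources:\n'
top_sources "$FAILED_LOG"
```

On the constructed input this reports 5 attempts, 3 unique userids (admin, root, ubuntu) and 3 source IPs; the `uniq -c` column in the last listing is what shows which hosts are hammering the service.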

 

+1 for fail2ban! Works like a charm. I've added ip-set to it lately and this has helped to reduce load significantly.

 

Yeah. ip-set rules are great for ensuring across-boot persistence, too.

One of these days, I'll get around to integrating my deployment-configuration with a "phone home" hook that informs the configuration service, "when re-provisioning this host or provisioning new hosts, blacklist these IPs".

 

As much as I dislike "Security by obscurity", there's something to be said for having SSH listening on a non-standard port. My lastb output contains zero failed logins, and the last output shows only expected entries.

I do have various other mechanisms in place to secure SSH, I'm not relying on the non-standard port, but it certainly cuts down the crap.

 

Unfortunately, as a consultant, I initiate connections from a wide variety of locations. Some of those locations block "weird" ports. So, moving to non-default port is generally not an option for me.
