Protect yo self (also, this sub needs a security flair)
I mean, fail2ban will stop them from constantly knocking, but you should be using key-based authentication on any SSH server you can access from the outside.
I got tired of fail2ban blocking so many IPs from China, so one day I decided to figure out all of the CIDRs from China Telecom and blocked them outright at my router. Fail2ban didn't have that many hosts going into the fail list after that.
Yeah that’s China. I’ve had to block entire network blocks from them countless times.
People are always talking about Russia this and Russia that. China blows them away in comparison.
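The two things the replies above do by hand, counting failed logins per source and deciding which whole network block to drop at the router, as an added shell example that is not from any poster in this thread. The log lines are constructed (RFC 5737 documentation addresses), the log format is the standard `sshd` syslog line, and the `maxretry` threshold of 3 is an assumption borrowed from fail2ban's defaults; the example ignores fail2ban's `findtime` window and simply counts over whatever input it is given.

```shell
#!/bin/sh
# Constructed sshd log lines (not real data); addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  1 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar  1 10:00:03 host sshd[1003]: Failed password for root from 203.0.113.11 port 51250 ssh2
Mar  1 10:00:04 host sshd[1004]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:05 host sshd[1005]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Mar  1 10:00:06 host sshd[1006]: Failed password for root from 203.0.113.10 port 51260 ssh2
Mar  1 10:00:07 host sshd[1007]: Failed password for invalid user oracle from 203.0.113.12 port 51270 ssh2'

# failures_per_ip: count "Failed password" lines per source IP, most frequent first.
# Successful logins ("Accepted publickey") are deliberately not counted.
failures_per_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
       }
       END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

# failures_per_net: the same count aggregated per /24, so a campaign spread across
# many hosts in one provider block shows up as a single entry worth blocking upstream.
failures_per_net() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") {
           split($(i+1), o, ".")
           count[o[1] "." o[2] "." o[3] ".0/24"]++
           break
         }
       }
       END { for (net in count) print count[net], net }' | sort -k1,1nr -k2,2
}

# ban_candidates: source IPs at or above a fail2ban-style maxretry threshold
# ($1, assumed default 3). These are the addresses a jail would ban.
ban_candidates() {
  threshold=${1:-3}
  failures_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on a real host: failures_per_net < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failures_per_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | failures_per_net
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3
```

Only one host (203.0.113.10) crosses the per-IP threshold, yet the /24 view shows five of the seven failures coming from the same block, which is the signal the router-level CIDR blocks above are built on.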
I’m still not very experienced in the field and my previous boss told me it was not normal to have connection attempts on our static public IP.
I told him those were just bots but he didn’t want to listen.
Can someone explain to me what was really going on?
The router was showing us the countries the IPs were from, and they were from all over the world.
I felt kinda dumb not being able to convince him or give him the answer he wanted, or one that could ease his worries.
You should make another graph for the top ten grouped by ISP/provider
Using UniFi I block all of China and most of Eastern Europe, inbound and outbound.
I should post my threat log from my Palo Alto 220 firewall.
EDIT:
Here are the last 6 hours on my home Palo Alto Networks firewall, don’t let anyone tell you Russia/China doesn’t hack people.
Source Country / Count
Russian Federation 653
China 93
Brazil 5
Romania 2
Kazakhstan 2
Seychelles 1
Iran Islamic Republic Of 1
Turkey 1
I change the default sshd port, use ssh keys, turn off password authentication, and then forget about it. I’m not sure what the point of fail2ban is tbh other than to cut down on log spam.
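The hardening the comment above describes (keys on, password authentication off, then forget about it), as an added shell audit that is not the poster's own script. Both config fragments are constructed; the audit mimics sshd's first-occurrence-wins semantics for each keyword and falls back to OpenSSH's documented defaults when a keyword is absent. It also catches the case people miss: `PasswordAuthentication no` alone still lets PAM prompt for a password through keyboard-interactive auth unless that is off too.

```shell
#!/bin/sh
# Two constructed sshd_config fragments: a permissive one that still accepts
# password guesses, and the hardened form the comment above describes.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes'

HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3'

# sshd_setting: print the value of one directive from config text on stdin.
# sshd uses the first occurrence of a keyword, so stop at the first match;
# an absent keyword prints nothing and the caller applies the OpenSSH default.
sshd_setting() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd_config: read config text on stdin, print one line per weak setting,
# return 0 when clean and 1 when a password guesser would still get a prompt.
audit_sshd_config() {
  cfg=$(cat)
  findings=0
  pw=$(printf '%s\n' "$cfg" | sshd_setting PasswordAuthentication)
  [ "${pw:-yes}" = "yes" ] && { echo "PasswordAuthentication is enabled (OpenSSH default is yes)"; findings=1; }
  # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication the old alias.
  kbd=$(printf '%s\n' "$cfg" | sshd_setting KbdInteractiveAuthentication)
  cr=$(printf '%s\n' "$cfg" | sshd_setting ChallengeResponseAuthentication)
  [ "${kbd:-${cr:-yes}}" = "yes" ] && { echo "Keyboard-interactive auth is enabled; PAM can still prompt for a password"; findings=1; }
  root=$(printf '%s\n' "$cfg" | sshd_setting PermitRootLogin)
  case "${root:-prohibit-password}" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin is $root; root should not be reachable with a password"; findings=1 ;;
  esac
  pk=$(printf '%s\n' "$cfg" | sshd_setting PubkeyAuthentication)
  [ "${pk:-yes}" = "no" ] && { echo "PubkeyAuthentication is disabled; nothing is left to log in with"; findings=1; }
  return $findings
}

# On a real host: audit_sshd_config < /etc/ssh/sshd_config
# Prefer `sshd -T | audit_sshd_config` when Include directives or Match blocks are in use,
# since sshd -T prints the effective, fully resolved configuration.
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config || echo "weak config: see findings above"
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "hardened config: no findings"
```

Changing the port, as the comment does, only reduces log noise from untargeted scanners; the audit ignores it on purpose, because none of the four checks above get any safer on port 2222 than on port 22.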
I'd use a UDP hole-punch VPN like ZeroTier. This way you don't need any open ports and you still have SSH access; you can still use fail2ban etc.
Which firewall software are you running to see this graph?
The data I'd like to see is how different these numbers would be if you compared machines running SSH on something besides 22, and also what it's like if it's above 1024 and then also in the ephemeral range.
I have a UniFi Dream Machine Pro as the gateway of my network and I implemented GeoIP blocking. China is among the countries blocked, as well as the whole of Africa.
But yes, fail2ban is the best solution for any other incoming request.
What's the deal with France? 3rd place.
Why are you gathering these statistics from all over the world, when you can just add a GeoIP rule to the firewall to block all connection attempts to your SSH port from the whole world except your own country, for example?
All my servers have a ruleset which at the top allows the common services for everyone (for example 80, 443), and then there is a rule to block everything not from my country. Below that block rule are the rules for accessing the server only for me and our company: SSH 22, SMTP for clients 465, IMAPS and others. And my fail2ban jails are clear! Because dropping all of the world's traffic to the ports I need to reach only from my country makes the security level of my servers very high.
I use this approach on Linux servers and MikroTik routers. Works like a charm!
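The three-layer ordering the previous two comments describe (public services first, then a geo drop, then admin-only services), written out as an nftables ruleset. This is an added example, not the poster's MikroTik or Linux configuration. The "home country" prefixes are constructed RFC 5737 ranges standing in for a GeoIP CIDR feed the thread does not name; the ports are the ones the comment lists. One caveat the prose glosses over is handled explicitly: in an `inet` table, `ip saddr` only matches IPv4, so without a separate IPv6 rule an IPv6 client would skip the geo drop and reach SSH.

```shell
#!/bin/sh
# Constructed "home country" prefixes (RFC 5737 documentation ranges). In practice
# this set is loaded from a GeoIP CIDR list for your country.
HOME_COUNTRY_NETS='192.0.2.0/24, 198.51.100.0/24'

# nft_ruleset: emit an nftables ruleset with the layers in the order that matters:
#   1. world-reachable services (80, 443)
#   2. drop anything not from the home country
#   3. services only the home country may reach (22, 465, 993)
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    set home_country {
        type ipv4_addr
        flags interval
        elements = { $HOME_COUNTRY_NETS }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # layer 1: public services, evaluated before the geo drop
        tcp dport { 80, 443 } accept
        # layer 2: everything else from outside the home country stops here.
        # "ip saddr" only matches IPv4; without an IPv6 allowlist in this example,
        # drop IPv6 too so it cannot bypass the geo rule and reach layer 3.
        ip saddr != @home_country drop
        meta nfproto ipv6 drop
        # layer 3: only reachable from the home country
        tcp dport { 22, 465, 993 } accept
    }
}
EOF
}

# rule_order_ok: verify the generated ruleset keeps layer 2 between layers 1 and 3.
# Swapping the geo drop below the SSH accept would silently expose SSH to the world.
rule_order_ok() {
  nft_ruleset | awk '
    /dport .*80, 443.* accept/      { pub = NR }
    /ip saddr != @home_country drop/ { geo = NR }
    /nfproto ipv6 drop/              { v6 = NR }
    /dport .*22, 465, 993.* accept/ { adm = NR }
    END { exit !(pub && geo && v6 && adm && pub < geo && geo < adm && v6 < adm) }'
}

# Syntax-check without loading: nft_ruleset | nft -c -f -
# Load for real:                nft_ruleset | nft -f -
nft_ruleset
rule_order_ok && echo "rule order OK"
```

With this ordering the fail2ban jails stay empty for the same reason the comment gives: a guesser outside the allowlisted prefixes never completes a TCP handshake to port 22, so sshd never logs a failed attempt.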
I just started using WireGuard to protect my SSH port. It's an open-source stealth UDP VPN that only responds when the source authenticates with the right private key. Nothing to port scan, so the attacker doesn't know you're there to attack.
Why does everyone seem to have ssh exposed? I understand remote access, but how is it not locked down by vpn?
I went one step further and just flat out banned all of China and a bunch of other problematic countries at the router both inbound and outbound.
It does mean GetADMX is blocked, but I can go through UltraSurf for that.
See, this is why I just expose RDP and not SSH…
(is sarcasm. or is?)
Funny how regular people associate Russia with hackers, but nah. Stay safe!