Looks like I was quite lucky. Just as I was looking at the server notifications, fail2ban started screaming.

Almost 30 different IP addresses were blocked for SSH attacks, and the locations are all around the world.

It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to always be expected?

What do these guys expect?

Does it make sense to report this to DigitalOcean, as several of those IPs belong to DO?

https://preview.redd.it/a8hlok99q71c1.png?width=795&format=png&auto=webp&s=4a95b1732afc3c295e0d9ac46e0f3b96ff1be7d6

https://preview.redd.it/dmqscgxcq71c1.png?width=1041&format=png&auto=webp&s=48b6dc14eb8d267510437085717f58fbc880a972

118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5

  • AnApexBreadB (2 upvotes · 1 year ago)

    It’s bots trying to brute force your SSH login. It happens all the time.

    Just change SSH to key based only (disable password login) and move on.
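A way to confirm that the change recommended in the reply above actually took effect, as an added example that is not from the thread: it audits the resolved configuration that `sshd -T` prints (every directive in lowercase "keyword value" form) for the settings that make logins key-only. The two configs in the script are constructed samples so it runs offline; on a real host you would pipe in `sshd -T` output instead.

```shell
#!/bin/sh
# Added example, not from the thread: check the *effective* sshd configuration
# for the key-only setup recommended above. Real input would come from
# `sshd -T` (run as root), which prints every resolved directive as lowercase
# "keyword value"; the two configs below are constructed samples so the
# script runs offline.

# Constructed: a server that still accepts passwords, as the bots hope.
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
maxauthtries 6'

# Constructed: the same server after the change the reply recommends.
SAMPLE_HARDENED='port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 3'

# audit_sshd CONFIG_TEXT
# Prints one "FAIL: ..." line per weak setting; returns 1 if any were found,
# 0 if logins are key-only. An absent keyword counts as a failure, because
# `sshd -T` always prints it and its absence means the input is incomplete.
audit_sshd() {
    cfg=$1
    rc=0
    # Resolved value of one directive, first match only.
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }

    # Password logins are what the brute-forcers are actually guessing at.
    [ "$(get passwordauthentication)" = "no" ] \
        || { echo "FAIL: passwordauthentication should be no"; rc=1; }

    # Keyboard-interactive auth (PAM) can still prompt for a password even with
    # passwordauthentication off. OpenSSH before 8.7 called this directive
    # challengeresponseauthentication, so accept either name.
    kbd=$(get kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(get challengeresponseauthentication)
    [ "$kbd" = "no" ] \
        || { echo "FAIL: kbdinteractiveauthentication should be no"; rc=1; }

    [ "$(get pubkeyauthentication)" = "yes" ] \
        || { echo "FAIL: pubkeyauthentication should be yes"; rc=1; }

    # "root" is the username the sweeps try most; allow it only with a key,
    # or not at all ("without-password" is the older spelling of the same).
    case "$(get permitrootlogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: permitrootlogin should be no or prohibit-password"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run: the weak config fails three checks, the hardened one passes.
echo "--- weak config ---"
audit_sshd "$SAMPLE_WEAK" || echo "result: NOT key-only"
echo "--- hardened config ---"
audit_sshd "$SAMPLE_HARDENED" && echo "result: key-only"
```

The point of reading `sshd -T` rather than grepping `/etc/ssh/sshd_config` is that the effective value can come from an `Include`d file or a `Match` block, and a commented-out or later-overridden line in the main file is not what the daemon is enforcing.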

  • tmat256@lemmings.world (1 upvote · 1 year ago)

    This happens literally all the time for me, both personally and professionally. I see mostly low-effort attempts across various ports, or things like sweeps of common username/password attempts on SSH or common management endpoints on HTTP.

    This is why it's important to keep all publicly accessible servers and services updated and follow standard security guidelines, like only using public-key auth for SSH, for instance.

    At work we get hit occasionally in large bursts and have to ban IPs for a bit to get them to go away.

  • billiarddaddyB (1 upvote · 1 year ago)

    You’re using standard ports so it’ll happen constantly.

    I moved all my ssh to nonstandard ports.

  • Beneficial_Chair8652B (1 upvote · 1 year ago)

    Just set a custom port above 60000, and it’ll never get touched. Having SSH open on the WAN is wild though… not sure why you’d do that.

    If you need to access the server remotely and it needs to be WAN-facing, set up a VPN server.

  • bufandatlB (1 upvote · 1 year ago)

    That's normal. There are countless botnets that scan every publicly available IP to hijack. Using fail2ban is already a good approach. I personally switched to crowdsec a while ago, as it comes with a crowdsourced blacklist which silences a lot of the common noise; only occasionally do I get an alarm about an IP address not already on the default list.
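What fail2ban is doing for bufandatl, and the username/password sweeps tmat256 describes, can both be seen directly in the sshd log. The script below is an added example, not from any poster in the thread: it reduces the counting of fail2ban's sshd jail to a few lines of awk and runs it over constructed sshd log lines in the syslog format OpenSSH writes on Debian-style systems. The hostname `web1`, the process IDs and the addresses (taken from the documentation ranges, not from the IPs in the post) are all made up.

```shell
#!/bin/sh
# Added example, not from any poster: the per-source counting that fail2ban's
# sshd jail does, reduced to awk, run over constructed sshd log lines in the
# syslog format OpenSSH writes on Debian-style systems. Host, PIDs and
# addresses (documentation ranges) are invented.
SAMPLE_LOG='Nov 14 10:02:03 web1 sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Nov 14 10:02:05 web1 sshd[1202]: Invalid user admin from 198.51.100.7 port 51240
Nov 14 10:02:05 web1 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Nov 14 10:02:09 web1 sshd[1203]: Accepted publickey for deploy from 203.0.113.10 port 40002 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Nov 14 10:02:11 web1 sshd[1204]: Failed password for root from 198.51.100.7 port 51250 ssh2
Nov 14 10:02:14 web1 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51260 ssh2
Nov 14 10:02:20 web1 sshd[1206]: Failed password for root from 198.51.100.9 port 33400 ssh2
Nov 14 10:02:22 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 51270 ssh2
Nov 14 10:02:30 web1 sshd[1208]: Failed password for invalid user ubuntu from 198.51.100.7 port 51280 ssh2
Nov 14 10:02:41 web1 sshd[1209]: Failed password for invalid user pi from 198.51.100.9 port 33410 ssh2
Nov 14 10:03:02 web1 sshd[1210]: Connection closed by authenticating user root 198.51.100.22 port 40110 [preauth]'

# failed_by_ip LOG_TEXT MIN
# Prints "count ip" for every source with at least MIN failed password
# attempts, most active first. MIN=5 mirrors fail2ban's default maxretry.
failed_by_ip() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the token after "from"; the username
            # before it may be one word or "invalid user <name>".
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# usernames_tried LOG_TEXT
# Prints "count user" for each account the failed attempts targeted, so the
# sweep of common names (root, admin, ubuntu, pi, ...) becomes visible.
usernames_tried() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            u = ($9 == "invalid") ? $11 : $9
            c[u]++
        }
        END { for (u in c) printf "%d %s\n", c[u], u }' | sort -rn
}

# Stand-alone run. The last sample line, a pre-auth disconnect, is the shape
# sshd logs once password auth is off and a bot is cut off early; a filter
# keyed only on "Failed password" does not count it.
echo "--- sources with >= 5 failures (fail2ban-style) ---"
failed_by_ip "$SAMPLE_LOG" 5
echo "--- all sources ---"
failed_by_ip "$SAMPLE_LOG" 1
echo "--- usernames tried ---"
usernames_tried "$SAMPLE_LOG"
```

Run against a real `/var/log/auth.log` (`failed_by_ip "$(cat /var/log/auth.log)" 5`) the first function gives roughly the list fail2ban would have banned, minus the time window, which this example leaves out. The caveat in the last comment matters once you follow the advice to disable passwords: the failures then stop appearing as "Failed password" lines, so any home-grown filter has to be extended to the pre-auth disconnect pattern or it will report a suspiciously quiet server.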