Follow

I've been analysing a fail2ban logfile, for a server which is used for: HTTP, IMAP & SMTP. I was amazed to discover that bans for SSH infringements outnumber those for all other sevices combined by a factor of 15:1.

I've also made a comparison with some old fail2ban logfiles from a couple of years ago, on different servers (same profile, roughly same filter rules). The ratio was just 4:1. This is a very small, un-representative data set, but it has me wondering if there has been a huge increase in the targeting of SSH in the last couple of years.

Show thread

@fitheach All of us who do it recognize that it is 'security through obscurity' - we just do it to keep the noise in our logs down to a dull roar, but do you use port 22 or some random high port? Stops the simplest and most common script kiddie stuff from cluttering your logs.

@gemlog
I'm often tempted to ban all IPs originating from China & Russia, that would get rid of 90% of nefarious activity.

Not only log clutter, but it wastes valuable CPU time. [Wet finger in the air assessment] Older versions of fail2ban which used Python 2 seemed to use more resources than the newer version using Python 3.

@fitheach Don't laugh, I used to do just that!
When I had an income producing site (i.e. it sold courses) I had a logging monitor on synergy above my desk. Nasty stuff blinked red. If I saw too much it was a quick cp/paste into a loop in a shell to DROP that ip. More irritation and I'd look up the range.
Attacks seem to move in clouds across the globe. I've variously blocked most of china, russia, brazil...
I had reasoned that no one there needed cdn con-ed, but some ex-pats complained.

@gemlog
In the end I didn't do it, but it did make sense as the services being provided didn't target China or Russia.

One of the issues I had was bot networks which would only hit my server with the same IP twice, then move on to the next IP under their control. Blocking those using fail2ban was impossible.

@fitheach I found lots of times those were the same country or the same isp and a range would work. Otherwise, you just live in hope that all your sites, and tools, and add-ons, and kernel and, and ... are well patched and up to date :-(
devops is stress city and no way around it that I know about.

@fitheach never analyzed mine, but from time to time I drop an eye, and I would say the same thing :/

@lemeteore
One of the big changes was the drop in nefarious activity towards the webserver. Two years ago there were a lot more attempts trying to access PHP stuff like phpmyadmin (and these servers didn't use PHP).

@fitheach I won't say there is a drop on nefarious activities towards my webservers, still receive a lot of PHP related requests on servers with no PHP at all

@lemeteore
Yes. same here, but the number of PHP requests have gone down dramatically, and the SSH stuff rocketed.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!