
17: I got tired of ssh brute force attempts

2019-11-17 10:15

Tags: software fail2ban frustration security ssh

...And installed fail2ban.

Can't say whether it'll be of much help, but so far it seems so.

I've always used a script I created myself or denyhosts in the past. I liked denyhosts because it was fairly simple to administrate.

The hand-rolled script I wrote myself has been lost to the ravages of bit rot. I had it in a version control repo and eventually had to remove it, as the scripted commits had made the repo size so unwieldy I couldn't deal with it any more. I liked how it worked, though: it collected failed authorisation attempts from auth.log and added the IPs/domains directly to a text file from which my firewall rules were sourced on an interval. It was pretty flexible, though I likely could have made it better given the energy and time.
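For readers who want to see what that kind of hand-rolled approach looks like, here is an added example. It is not the lost script from this post and not part of fail2ban; it is a small POSIX shell/awk sketch of the same idea: scan sshd's auth.log for "Failed password ... from ADDRESS port ..." lines (the Debian-style sshd log format is assumed), count attempts per source address, skip an allowlist of addresses that must never be banned (the hand-rolled equivalent of fail2ban's ignoreip), merge offenders into a persistent text file, and render that file into iptables commands for a firewall script to apply. The log lines, the addresses (RFC 5737 documentation ranges), the threshold and the ban-file path are all constructed for the example.

```shell
#!/bin/sh
# Added example (not the post author's script): a minimal auth.log scanner
# that produces a ban list for a firewall script. Everything is self-contained;
# the log lines and addresses below are constructed, not real attackers.

# Constructed sample of sshd auth.log lines (RFC 5737 test addresses).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 17 10:01:02 vps sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Nov 17 10:01:05 vps sshd[1234]: Failed password for root from 192.0.2.10 port 51236 ssh2
Nov 17 10:01:09 vps sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Nov 17 10:02:00 vps sshd[1240]: Invalid user oracle from 198.51.100.7 port 40000
Nov 17 10:02:01 vps sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 40000 ssh2
Nov 17 10:02:30 vps sshd[1241]: Accepted publickey for clover from 203.0.113.5 port 50022 ssh2
Nov 17 10:03:00 vps sshd[1242]: Failed password for clover from 203.0.113.5 port 50030 ssh2
Nov 17 10:03:02 vps sshd[1242]: Failed password for clover from 203.0.113.5 port 50030 ssh2
Nov 17 10:03:04 vps sshd[1242]: Failed password for clover from 203.0.113.5 port 50030 ssh2
Nov 17 10:03:10 vps sshd[1243]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2
EOF

# Addresses that must never be banned (e.g. the admin's own IP), one per line.
# This is the hand-rolled counterpart of fail2ban's ignoreip. Constructed value.
ALLOWLIST=$(mktemp)
echo '203.0.113.5' > "$ALLOWLIST"
trap 'rm -f "$SAMPLE_LOG" "$ALLOWLIST"' EXIT

# ban_candidates LOGFILE THRESHOLD
# Prints, sorted and one per line, every source address with at least THRESHOLD
# "Failed password" lines in LOGFILE, excluding allowlisted addresses.
# Only "Failed password" lines are counted, so the "Invalid user" line sshd
# logs just before them does not count the same attempt twice.
ban_candidates() {
    awk -v thr="$2" '
        # first file on the command line is the allowlist
        FILENAME == ARGV[1] { allow[$1] = 1; next }
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr && !(ip in allow)) print ip }
    ' "$ALLOWLIST" "$1" | sort
}

# update_banlist LOGFILE THRESHOLD BANFILE
# Merges new offenders into BANFILE without duplicates, the way a cron job
# would on an interval, and prints how many addresses were added.
update_banlist() {
    touch "$3"
    tmp=$(mktemp)
    ban_candidates "$1" "$2" > "$tmp"
    added=0
    while IFS= read -r ip; do
        if ! grep -qxF "$ip" "$3"; then
            echo "$ip" >> "$3"
            added=$((added + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    echo "$added"
}

# banlist_to_rules BANFILE
# Renders the persisted ban list as iptables commands. They are printed rather
# than executed so the output can be reviewed, then piped to sh as root.
banlist_to_rules() {
    while IFS= read -r ip; do
        [ -n "$ip" ] && printf 'iptables -A INPUT -s %s -p tcp --dport 22 -j REJECT\n' "$ip"
    done < "$1"
}

# Demo on the constructed sample: prints 192.0.2.10 (three failures, not
# allowlisted); 203.0.113.5 also has three but is the admin's own address.
# Real usage would be something like, as root from cron (hypothetical path):
#   update_banlist /var/log/auth.log 5 /etc/firewall/banned.txt
ban_candidates "$SAMPLE_LOG" 3
```

Two things this sketch does not do that fail2ban does: it counts failures over the whole file rather than within a time window (fail2ban's findtime), so a long-lived log will eventually flag anyone who ever mistyped a password, and it bans single addresses only. The list further down shows why that second point matters: a run of adjacent 222.186.x.x addresses each gets its own entry, while a per-address ban does nothing about the next one.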

The worse my disabilities get, though, the less inclined I am to bother fixing things when they break, so this is rather important when selecting a solution for something like this. If something breaks enough to need a lot of keystrokes, I often give up and don't bother, leaving things undone/broken. This keeps me from feeling broken myself, or setting my physical health back too far.

This is also why my self-written solution fell by the wayside -- I enjoyed writing it, and loved that I'd made it myself and knew its limitations and strengths, but unfortunately it was just too much to maintain when computer use is so physically and mentally taxing.

Regardless of all that, I may start posting my iptables rules monthly, since I sort of got off to a late start, having only installed fail2ban a week ago.

Here is a list of IPs actively attempting to circumvent the security on my VPS.

^-*--2019-11-17-10:34:34->-clover@lunix.org--==--.
,-~-* sudo fail2ban-client status sshd | grep -e banned:
      |- Currently banned: 187
      |- Total banned:     187
^-*--2019-11-17-10:32:09->-clover@lunix.org--==--.
,-~-* sudo iptables -L f2b-sshd | grep -e '^REJECT' | awk '{print $4}' | sort  -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4
broadband.actcorp.in
cws_fw.cwseychelles.com
freenet0.afn.org
h109-124-148-164.cust.a3fiber.se
h63-n44.es.gov.br
hn.ly.kd.adsl
host203-180-211-80.serverdedicati.aruba.it
host204.advance.com.ar
host72-244-211-80.static.arubacloud.pl
host93-18-61-217.static.arubacloud.com
host.ostkom.lv
ip119.ip-51-75-165.eu
ip-160-153-245-134.ip.secureserver.net
ip17.ip-51-254-57.eu
ip5f5a8e37.dynamic.kabel-deutschland.de
mail.businesstechnology.xyz
mail.mugef-ci.com
mgk.iprosoft.ru
mymcol.com.co
ns3014527.ip-149-202-65.eu
ns354139.ip-91-121-103.eu
ns375206.ip-5-196-88.eu
ns527545.ip-198-245-50.net
pbsincusa.com
static-176-159-245-147.ftth.abo.bbox.fr
static-201-244-94-189.static.etb.net.co
static.vnpt.vn
togugg.ultrasrv.de
un.bacloud.info
1.179.220.209
1.232.77.64
1.245.61.144
2-51-15-51.rev.cloud.scaleway.com
13.77.142.89
15.ip-54-37-230.eu
16.ip-51-83-46.eu
22.46.5.122.broad.yt.sd.dynamic.163data.com.cn
23.ip-51-38-98.eu
36.103.241.211
36.111.171.108
39.91.4.119
40.73.76.102
40.87.127.217
43-229-128-128.static.hostcentral.net
45.55.231.94
45.249.111.40
49.88.112.71
49.231.228.107
49.234.60.13
49.234.96.205
49.235.251.41
49.247.207.56
58.254.132.156
60-249-21-132.HINET-IP.hinet.net
60.29.241.2
62.234.122.141
68.183.133.21
87.ip-51-77-148.eu
91.106.193.72
92.ip-51-255-49.eu
95.85.60.251
101.91.179.185
103.21.150.27
103.133.108.33
103.235.170.195
106.12.7.75
106.12.24.108
106.12.30.59
106.12.81.159
106.13.1.203
106.13.119.163
106.13.143.111
106.13.204.251
106.52.116.101
106.54.160.59
106.75.176.111
107-173-145-168-host.colocrossing.com
111.230.105.196
112.85.42.72
112.169.152.105
112.197.171.67
113.164.244.98
114.67.72.229
114.67.80.161
115.231.174.170
117.ip-193-70-2.eu
118.24.221.190
118.193.31.20
119.28.212.100
119.203.59.159
120.132.29.195
122.114.63.95
123.58.33.18
124.16.136.100
125.212.207.205
127.ip-213-32-16.eu
128.199.137.252
128.199.224.73
129.204.52.150
129.213.63.120
129.213.194.201
132.232.38.247
132.232.112.25
136.228.161.66
138.68.165.102
138.197.222.141
139.59.84.111
139.198.4.44
140.143.63.24
144-135-85-184.tpips.telstra.com
148.66.135.178
149.129.242.80
152.32.164.39
154.202.14.250
157.230.239.99
159.65.13.203
159.89.154.19
160.ip-46-105-29.eu
160.119.142.20
161.ip-79-137-86.eu
164.52.12.210
165.227.77.120
167.71.123.183
168.232.128.183
175.107.198.23
175.211.105.99
176.32.34.90
177-101-255-28.static.stech.net.br
177.1.214.207
177.135.93.227.static.gvt.net.br
178.62.181.74
178.128.223.243
179-189-191-147.mastercabo.com.br
180.ip-51-89-148.eu
180.68.177.209
180.167.254.238
182.61.133.172
182.61.148.116
182.106.217.138
183.48.34.249
183.71.0.152.d.dyn.claro.net.do
188.166.108.161
190.111.115.90
193.112.14.81
193.112.121.63
195-154-108-203.rev.poneytelecom.eu
200.27.3.37
203.142.69.203
206.189.229.112
211.159.152.252
212.144.102.217
213.6.8.38
217.160.44.145
218.92.0.137
218.241.172.122
218.241.243.197
220.248.30.58
222.128.14.106
222.186.42.4
222.186.169.192
222.186.169.194
222.186.173.142
222.186.173.154
222.186.173.180
222.186.173.183
222.186.173.215
222.186.173.238
222.186.175.148
222.186.175.155
222.186.175.161
222.186.175.167
222.186.175.169
222.186.175.182
222.186.175.183
222.186.175.202
222.186.175.212
222.186.175.215
222.186.175.220
222.186.180.6
222.186.180.8
222.186.180.9
222.186.180.17
222.186.180.41
222.186.180.147
222.186.180.223
222.186.190.2
222.186.190.92

If you'd like to install fail2ban yourself, it's super easy on Devuan (or Debian). It may be on Ubuntu too; I haven't used it in years.

Note that if your IP gets banned, you will not be able to shell in, and will have to fix it through your host/VPS interface. (For me, on Linode, I simply sign in through LISH for such things, then):

11:32: update

If you'd like your IP or domain name removed from this page, simply stop attempting to break into my OpenSSH daemon. Easy.





© 1995-2020 clover