SSH brute force attacks

Last Updated on 2022-07-08 by Joop Beris

I run my weblog on my server, both out of hobby and because it gives me complete control over the underlying operating system, available software and security mechanisms. As a result, I see all that goes on with this machine, both good and bad.

Since October 24th, the server has been on the receiving end of repeated SSH brute force attacks, meaning an automated process attempting to guess the password of often existing user accounts on servers. Think accounts like “staff”, “root”, or “postmaster”.

Since none of the mentioned accounts exist and/or are not able to login through SSH, these attacks are doomed to fail. The attacks are also rather noisy, meaning they are easy to detect and ward off. They fill up the logs rather quickly with lines like this:

Oct 28 10:10:58 beris sshd[22575]: Failed password for invalid user soporte from 123.59.58.229 port 28568 ssh2

The server is set up to detect and automatically drop connections from hosts after a series of failed logins so SSH brute force attacks are not a cause of much concern. Since the hosts seem to come from a fairly limited set of networks, I got tired of seeing them though. I’ve added the following repeat offenders to the site-wide blacklist, meaning all connection attempts coming from these networks will be unsuccessful:

123.59.32.0/19
37.29.72.0/24
218.236.0.0/14
212.176.198.0/24
212.176.197.0/24
212.13.101.80/29
201.249.128.0/17
201.151.0.0/16
195.218.189.0/24
193.239.242.0/23
190.95.160/19
190.85.0.0/16
190.7.218.24/29
187.128.0.0/12
177.22.192/20
169.32.0.0/11
124.200.0.0/16
123.59.0.0/16
116.16.0.0/12
101.231.72.0/22

I apologize to legitimate users of these networks who may wish to use resources on this server but please do not complain to me, complain to your ISP so they get their act together and tackle the people abusing their infrastructure.

As always, the full blacklist, compiled from various sources and updated every 24 hours, can be downloaded here. Using the list in your firewall or other defence mechanism can help you defend against various attacks, not just SSH brute force attacks but also spam runs, etc.

0 0 votes

Rate this article

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

SSH brute force attacks

If you like this article, why not share it with others who might enjoy it:

If you liked this article, you might enjoy these too:

A word about cookies (not the edible kind)