jwildeboer, 11 months ago

As you can see, the attacking IP addresses try continuously to flood my mail server. Compare that to the attempts to brute-force SASL logins, which are just 1 try per IP, indicating these attacks come from a botnet.

jwildeboer, 11 months ago

The brute-force SSH login attempts are, like the spam attempts, coming from longer running scripts on typically cheap VPSes that run until someone notices and shuts them down (or not. some hosting companies don't give a sh*it about such abuse)

DrWhoZee, 11 months ago

@jwildeboer I moved the SSH port to something unusual, that got rid of the SSH spam. One less thing to look at.

jwildeboer, 11 months ago

deleted_by_author

DrWhoZee, 11 months ago

@jwildeboer ah, ok. Guess I had the more dumb ones. Evolution‘s a bitch.

stacey_campbell, 11 months ago

@jwildeboer I always ponder what their reaction would be if they were to finally gain access to the crappy little Raspberry Pi waiting for them on the other side of the non-standard ssh port at my house. Presumably extreme disappointment.

scips, 11 months ago

@jwildeboer I use:

sudo iptables -N attacks; iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j attacks; iptables -A attacks -j LOG --log-prefix "FW_DROPPED: "; iptables -A attacks -j DROP

Any better way to drop them?

ERDonnachie, 11 months ago

deleted_by_author

jwildeboer, 11 months ago

deleted_by_author

ERDonnachie, 11 months ago

@jwildeboer
Will have to take a look at that. It's crazy how many people/bots try to abuse any old server with IP address. I've been running fail2ban for quite a while, but maybe the crowdsourcing is worth having.

keithzg, 11 months ago

@jwildeboer Always fun to watch such waves come in and spend themselves.