
Looking at one of my servers that services an external address, I see about 100 IPs listed in the authlog file that are trying various passwords and such to break in. It's not even a main server (www, mail, dns, etc.). Of course, I use keys only for login, but it is a bit annoying. I guess I am getting quite a block list built.

So, does the author expect me to report all these IPs? Who would I send them to? Is there an easy reporting system? I suspect that any report will be treated like many police departments treat a stereo being robbed from a car: they'll give an incident number but not much else.

PS: what the heck uses "chef" as a username? That is really getting common.




Maybe a common user for chef automation and chef client runs? https://www.chef.io/


Interesting, well I guess folks using it should be just as careful as the rest of us. Someone with a 116.90.81.14 ip was really interested in it. Username "bernard" is also a new one on me.


I think these attackers just use wordlists for the most part. I had an SSH server log tens of thousands of attempts with the username 'initech' before I got fail2ban running and turned off password auth. Not sure there are many people out there actually naming user accounts after the company from Office Space.


Let's make a big database of the popular usernames and passwords as of this moment. Has no one done this?
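The three things the thread keeps circling back to (the block list the first commenter is accumulating, the per-username counts that a "popular usernames" database would need, and the failures-within-a-window rule that fail2ban applies before password auth gets switched off) all come out of the same parse of auth.log. The script below is an added example, not code from any commenter or from fail2ban: it matches OpenSSH's "Failed password for ..." syslog lines as they appear in a Debian-style /var/log/auth.log, tallies them per source IP and per username, and bans an IP at its fifth failure inside ten minutes. The log lines are constructed; the hostname, users and addresses (RFC 5737 documentation ranges) are made up, and the year is assumed because classic syslog timestamps do not carry one.

```python
"""Tally SSH brute-force attempts from auth.log and make fail2ban-style ban decisions.

Added example for this thread, not code from any commenter or from fail2ban.
It reads OpenSSH's "Failed password for ..." syslog lines (Debian/Ubuntu
/var/log/auth.log format), counts failures per source IP and per username,
and bans an IP once it has `maxretry` failures within `findtime` seconds,
which is the rule fail2ban's sshd jail applies. The log lines below are
constructed; hostname, users and addresses are made up (RFC 5737 ranges).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Classic syslog timestamps carry no year; assume one (hypothetical value).
LOG_YEAR = 2017

# Only "Failed password" lines are counted. sshd also logs "Invalid user X from IP"
# just before the matching failure, so counting both would double-count. IPv4 only.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

# Constructed sample: one fast guesser, one slow guesser, one two-shot guesser,
# plus an "Invalid user" line and a successful key login that must be ignored.
SAMPLE_LOG = """\
Mar  5 10:00:01 edge sshd[2101]: Invalid user chef from 198.51.100.7
Mar  5 10:00:01 edge sshd[2101]: Failed password for invalid user chef from 198.51.100.7 port 41022 ssh2
Mar  5 10:00:04 edge sshd[2103]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar  5 10:00:09 edge sshd[2105]: Failed password for invalid user bernard from 198.51.100.7 port 41041 ssh2
Mar  5 10:00:15 edge sshd[2107]: Failed password for invalid user initech from 198.51.100.7 port 41055 ssh2
Mar  5 10:00:21 edge sshd[2109]: Failed password for root from 198.51.100.7 port 41063 ssh2
Mar  5 10:00:30 edge sshd[2111]: Failed password for invalid user admin from 198.51.100.7 port 41070 ssh2
Mar  5 10:02:00 edge sshd[2120]: Accepted publickey for alice from 192.0.2.5 port 50012 ssh2: ED25519 SHA256:constructed
Mar  5 10:05:00 edge sshd[2130]: Failed password for root from 203.0.113.9 port 3322 ssh2
Mar  5 10:20:00 edge sshd[2140]: Failed password for root from 203.0.113.9 port 3340 ssh2
Mar  5 10:35:00 edge sshd[2150]: Failed password for root from 203.0.113.9 port 3351 ssh2
Mar  5 10:50:00 edge sshd[2160]: Failed password for root from 203.0.113.9 port 3360 ssh2
Mar  5 11:05:00 edge sshd[2170]: Failed password for root from 203.0.113.9 port 3372 ssh2
Mar  5 11:06:10 edge sshd[2180]: Failed password for invalid user chef from 192.0.2.20 port 6000 ssh2
Mar  5 11:06:12 edge sshd[2182]: Failed password for invalid user chef from 192.0.2.20 port 6001 ssh2
"""


def parse(lines):
    """Yield (timestamp, username, source_ip) for each failed password attempt."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def tally(events):
    """Return (failures per IP, failures per username) as Counters."""
    by_ip, by_user = Counter(), Counter()
    for _, user, ip in events:
        by_ip[ip] += 1
        by_user[user] += 1
    return by_ip, by_user


def bans(events, maxretry=5, findtime=600):
    """Return {ip: time of ban}; an IP is banned at its maxretry-th failure within findtime seconds.

    Failures older than findtime fall out of the window, so a slow, patient guesser
    never trips the threshold. Once banned, later lines from that IP are ignored
    (with a real jail the firewall would be dropping them by then).
    """
    window = defaultdict(list)  # ip -> timestamps of failures still inside findtime
    banned = {}
    for ts, _, ip in sorted(events):
        if ip in banned:
            continue
        recent = [t for t in window[ip] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG.splitlines()))
    by_ip, by_user = tally(events)
    print("failures per IP:", dict(by_ip))
    print("most-tried usernames:", by_user.most_common(3))
    for ip, when in bans(events).items():
        print(f"ban {ip} at {when:%H:%M:%S} (5 failures inside 10 minutes)")
```

On the sample, only 198.51.100.7 gets banned (its fifth failure lands 20 seconds after the first), while 203.0.113.9 with the same total number of attempts spaced 15 minutes apart never does; widening findtime to an hour catches it too, which is the knob to think about before deciding the default jail is "not much else" than an incident number. The `by_ip` keys are the block list; `by_user.most_common()` is the username database the last comment asks for, built from your own logs.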



Well, yeah...the people running the scripts at least.


Would be nice if cloud providers automatically had a fence around your subnet with an ssh proxy that did this stuff already. Seems crazy that typically you open up ssh directly to everyone.


In my most recent setup I created two VMs, one with just 80/443 -> HAProxy open and a second with only openvpn open. It should be more common practice, and offered by default from more providers, but unfortunately for now, you still have to set it all up yourself:

http://penguindreams.org/blog/bee2-creating-a-small-infrastr...


I haven't done that for years, preferring instead to change ports to an uncommon one, and even then that port is only opened upon port knocking. My logs are so much easier to parse. (These days in nftables instead of iptables.)

There actually is some security through obscurity, despite everyone loving to bandwagon otherwise.
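What "opened upon port knocking" actually means at the firewall is a small per-source state machine, and the state machine is where the later objections in the thread (wrong order, slow knocks, a scanner walking every port) get decided. The class below is an added example, not a commenter's code or a real knock daemon such as knockd: a source must hit the secret ports in order, with at most `timeout` seconds between knocks, before the relocated SSH port is opened to that source for `open_for` seconds. The inputs are constructed (time, source, destination port) tuples standing in for inbound SYNs seen by the firewall; the knock sequence, the SSH port and the addresses are made up.

```python
"""Port-knock sequence matching in front of a relocated SSH port.

Added example for this thread, not a commenter's code or a real knock daemon.
It models the mechanism only: a source must hit the knock ports in order, with
no more than `timeout` seconds between knocks, before the firewall opens the
real SSH port to that source for `open_for` seconds. Inputs are constructed
(time, source, dst_port) tuples standing in for inbound SYNs; the knock
sequence, SSH port and addresses are made up.
"""
from dataclasses import dataclass


@dataclass
class Progress:
    index: int = 0          # knocks of the sequence this source has completed, in order
    last_seen: float = 0.0  # time of the last accepted knock


class KnockDaemon:
    def __init__(self, sequence, ssh_port, timeout=10.0, open_for=30.0):
        if len(set(sequence)) != len(sequence):
            raise ValueError("knock ports must be distinct (a repeat is treated as a retransmit)")
        self.sequence = tuple(sequence)
        self.ssh_port = ssh_port
        self.timeout = timeout      # max gap between consecutive knocks
        self.open_for = open_for    # how long the SSH port stays open after a full sequence
        self.progress = {}          # src -> Progress
        self.opened = {}            # src -> time the SSH port was opened for it

    def is_open(self, src, now):
        t = self.opened.get(src)
        return t is not None and now - t <= self.open_for

    def on_packet(self, now, src, dst_port):
        """Feed one inbound SYN; return 'accept' if it may reach the SSH port, else 'drop'.

        Knock ports are always dropped: the daemon only observes them, the client
        never gets a reply, so a scanner sees nothing open on any of them.
        """
        if dst_port == self.ssh_port:
            return "accept" if self.is_open(src, now) else "drop"
        state = self.progress.get(src, Progress())
        if state.index and now - state.last_seen > self.timeout:
            state = Progress()  # partial sequence went stale: start over
        if state.index and dst_port == self.sequence[state.index - 1]:
            return "drop"       # duplicate of the previous knock (SYN retransmit): ignore
        if dst_port == self.sequence[state.index]:
            state.index += 1
            state.last_seen = now
            if state.index == len(self.sequence):
                self.opened[src] = now          # full sequence: open SSH for this source
                self.progress.pop(src, None)
                return "drop"
        else:
            # Any out-of-order port wipes progress; a hit on the first port restarts at 1.
            state = Progress(index=1, last_seen=now) if dst_port == self.sequence[0] else Progress()
        self.progress[src] = state
        return "drop"


def demo():
    """Run the cases the thread argues about and return the SSH-port verdict for each."""
    d = KnockDaemon(sequence=(7000, 8000, 9000), ssh_port=2222, timeout=10.0, open_for=30.0)
    out = {}
    # Nobody knocked: the relocated port is simply closed.
    out["direct"] = d.on_packet(0.0, "192.0.2.10", 2222)
    # Correct sequence (with one retransmitted knock) opens the port; later it has expired.
    for t, p in [(0.0, 7000), (1.0, 8000), (1.5, 8000), (2.0, 9000)]:
        d.on_packet(t, "192.0.2.10", p)
    out["knocked"] = d.on_packet(3.0, "192.0.2.10", 2222)
    out["expired"] = d.on_packet(40.0, "192.0.2.10", 2222)
    # Right ports, wrong order.
    for t, p in [(0.0, 7000), (1.0, 9000), (2.0, 8000)]:
        d.on_packet(t, "198.51.100.1", p)
    out["wrong_order"] = d.on_packet(3.0, "198.51.100.1", 2222)
    # Right order, but the second knock arrives after the timeout.
    for t, p in [(0.0, 7000), (20.0, 8000), (21.0, 9000)]:
        d.on_packet(t, "203.0.113.5", p)
    out["too_slow"] = d.on_packet(22.0, "203.0.113.5", 2222)
    # A linear scan crosses all three knock ports in ascending order, but every
    # port it touches in between resets the sequence, so it never completes.
    for i, p in enumerate(range(6990, 9011)):
        d.on_packet(i * 0.01, "203.0.113.77", p)
    out["sequential_scan"] = d.on_packet(21.0, "203.0.113.77", 2222)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

Two design points matter in practice. Tolerating an immediate repeat of the previous knock is what keeps a retransmitted SYN from silently breaking a correct sequence, which is why the ports must be distinct. Resetting on any out-of-order port is what stops a plain ascending scan from completing an ascending sequence by accident; it does not stop the determined attacker from the later comment who replays every ordering, which is the sense in which this is a few bytes of extra secret rather than a second authentication factor.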


You put a wall around your property. It kept the dilettantes out, which means you have free time for something else.

If there’s a buffer overflow attack against SSH then you have security through obscurity. In the meantime you have security and obscurity. Assuming you’re using known rsa keys to login remotely...


Not sure if that's obscurity. Changing the port means you have to scan the whole port range. Port knocking gives you another 2-4 bytes of entropy. (A determined attacker will try all the port knocking permutations.)

Seems like putting bars on the windows. You're taking a couple of well known steps to make things a little harder for an attacker.


The complaint isn't that it is worthless, it is that it is worthless if that is your only security measure.


Or any other trade off you make on the assumption you have more defense than you really do, surprisingly common.



