Websworld.org

"Eternally Experimental"
Personal test server consisting mostly of old junk.

Wall of shame: latest 5 SSH password attacks.


For about 20 years now, the logs of this little server have been flooded by brute force SSH password attacks. I don't always have an SSH key on me, so I refuse to disable password authentication just for some script kiddies. Instead, I installed a countermeasure named fail2ban. It temporarily bans an IP after 5 consecutive login failures. This needs to be a very low number, with the ban time as long as you can afford, to fend off attacks coming from many different IPs (botnets). It works so well, I decided to write a few scripts to show the results here for all to see. Note that the listed IPs most likely do not belong to the actual (human) attackers! Most of these IPs appear to be of machines that have been compromised themselves.
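The mechanism described above, as an added example that is not one of this site's own scripts: a small Python simulation of a fail2ban-style sshd jail. It parses constructed sshd "Failed password" log lines, counts failures per IP inside a sliding window (fail2ban's findtime), issues a ban once the count reaches maxretry (5 here, matching the text), ignores further attempts from that IP until the ban expires, and then summarises the bans the way the wall of shame does. The log lines, host name, IP addresses (documentation ranges) and the findtime/bantime values are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Jail parameters. maxretry=5 mirrors the page; findtime and bantime are
# assumed values chosen for the example (bantime "as long as you can afford").
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=24)

# Constructed sshd log excerpt (syslog format, documentation-range IPs).
# 192.0.2.10 hammers quickly, 198.51.100.20 tries slowly, 203.0.113.5 stops early.
SAMPLE_AUTH_LOG = """\
Feb 23 03:00:00 testbox sshd[900]: Failed password for root from 198.51.100.20 port 30001 ssh2
Feb 23 03:15:00 testbox sshd[901]: Failed password for root from 198.51.100.20 port 30002 ssh2
Feb 23 03:30:00 testbox sshd[902]: Failed password for root from 198.51.100.20 port 30003 ssh2
Feb 23 03:45:00 testbox sshd[903]: Failed password for root from 198.51.100.20 port 30004 ssh2
Feb 23 03:50:01 testbox sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb 23 03:50:03 testbox sshd[1002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Feb 23 03:50:05 testbox sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 23 03:50:07 testbox sshd[1004]: Failed password for invalid user mysql from 192.0.2.10 port 40004 ssh2
Feb 23 03:50:08 testbox sshd[1005]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:constructed
Feb 23 03:50:09 testbox sshd[1006]: Failed password for invalid user student from 192.0.2.10 port 40005 ssh2
Feb 23 03:50:11 testbox sshd[1007]: Failed password for root from 192.0.2.10 port 40006 ssh2
Feb 23 03:55:00 testbox sshd[1101]: Failed password for invalid user info from 203.0.113.5 port 41001 ssh2
Feb 23 03:55:02 testbox sshd[1102]: Failed password for invalid user service from 203.0.113.5 port 41002 ssh2
Feb 23 03:55:04 testbox sshd[1103]: Failed password for root from 203.0.113.5 port 41003 ssh2
Feb 23 03:55:06 testbox sshd[1104]: Failed password for invalid user alex from 203.0.113.5 port 41004 ssh2
Feb 23 04:00:00 testbox sshd[904]: Failed password for root from 198.51.100.20 port 30005 ssh2
Feb 24 03:55:00 testbox sshd[2001]: Failed password for invalid user ahmed from 192.0.2.10 port 42001 ssh2
Feb 24 03:55:02 testbox sshd[2002]: Failed password for invalid user alan from 192.0.2.10 port 42002 ssh2
Feb 24 03:55:04 testbox sshd[2003]: Failed password for invalid user albert from 192.0.2.10 port 42003 ssh2
Feb 24 03:55:06 testbox sshd[2004]: Failed password for invalid user alberto from 192.0.2.10 port 42004 ssh2
Feb 24 03:55:08 testbox sshd[2005]: Failed password for invalid user alfred from 192.0.2.10 port 42005 ssh2
Feb 24 04:10:00 testbox sshd[2101]: Failed password for root from 198.51.100.20 port 30006 ssh2
Feb 24 04:10:02 testbox sshd[2102]: Failed password for root from 198.51.100.20 port 30007 ssh2
Feb 24 04:10:04 testbox sshd[2103]: Failed password for root from 198.51.100.20 port 30008 ssh2
Feb 24 04:10:06 testbox sshd[2104]: Failed password for root from 198.51.100.20 port 30009 ssh2
Feb 24 04:10:08 testbox sshd[2105]: Failed password for root from 198.51.100.20 port 30010 ssh2
"""

# Matches only the password-failure lines; accepted logins etc. are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line (syslog has no year)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ban_time, ip), ...] in the order a fail2ban-style jail would issue them."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside findtime
    banned_until = {}            # ip -> expiry of the current ban
    bans = []
    for ts, _user, ip in sorted(parse_failures(lines)):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # real fail2ban drops the packets, so sshd would not even log these
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            recent[ip] = []  # counter restarts once the ban expires
    return bans


def top_bots(bans, n=5):
    """The 'top attack bots' list: IPs ranked by number of bans received."""
    return Counter(ip for _, ip in bans).most_common(n)


def latest_bans(bans, n=5):
    """The 'latest bans' list, newest first, in the page's wording."""
    return [f"On {ts:%Y-%m-%d %H:%M:%S} {ip} received a ban." for ts, ip in bans[-n:][::-1]]


if __name__ == "__main__":
    result = simulate_jail(SAMPLE_AUTH_LOG.splitlines())
    print("\n".join(latest_bans(result)))
    for ip, count in top_bots(result):
        print(f"{ip} received {count} bans.")
```

Note what the constructed data exercises: the slow attacker never has 5 failures inside one findtime window, so it is not banned until it speeds up on the second day; the fast attacker's sixth attempt is swallowed by the active ban, and it only earns a second ban after bantime has expired. That is why a long bantime with a low maxretry matters against a botnet that rotates IPs: each source gets only a handful of guesses before it is locked out for the whole ban period.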

Machines that do get compromised in this way, probably have users named info, service, mysql, student, root, test etc... or ahmed, alan, albert, alberto, alex, alfred, ali, alice, allan, andi, andrew... (you get the idea) with guessable passwords. Anyone out of ideas to name their child, drop me a line and I'll send you some logs from before I installed fail2ban... :-)

UPDATE: Over the past decade, things have become a bit more grim and grown beyond the scr1pt k1dd13 realm, as these types of attacks are now commonly used to install Trojans for use in botnets. Besides obvious uses like sending spam or 'hacking' even more machines like yours, these botnets can be a powerful tool in destructive DoS attacks and such. Your machine may be actively participating in computer terrorism without you even knowing!

Please always use a non-guessable password that is long enough to not allow brute force either. You know the drill by now. Due to databases occasionally leaking, change them every now and then. Preferably use a password manager so that you can set a different secure password for every site you create an account on, without having to memorize them all. I am personally a fan of Vivaldi's password (and notes) syncer across all my devices.

On 2024-02-23 03:59:27 177.45.64.2 177-45-64-2.user.ajato.com.br from Brazil received a ban.
On 2024-02-23 03:58:57 119.4.250.94 <no dns> from China received a ban.
On 2024-02-23 03:56:37 120.79.206.12 <no dns> from China received a ban.
On 2024-02-23 03:56:11 150.158.94.132 <no dns> from Belgium received a ban.
On 2024-02-23 03:54:45 167.172.182.54 ds.coffee from United Kingdom received a ban.

Wall of shame: Top attack bots this month:

121.229.24.138 <no dns> from Brazil  Received 93 bans.
183.238.13.188 <no dns> from China  Received 85 bans.
120.253.186.82 <no dns> from China  Received 61 bans.
103.154.184.109 dedi.legaccord.org from Belgium  Received 45 bans.
175.113.135.53 <no dns> from United Kingdom  Received 35 bans.
108.179.217.143 server.venerablelaw.com from China  Received 32 bans.
164.92.205.199 <no dns> from Russian Federation  Received 23 bans.
125.35.93.98 <no dns> from China  Received 22 bans.
68.178.164.198 198.164.178.68.host.secureserver.net from China  Received 20 bans.
75.119.144.68 vmi1137934.contaboserver.net from China  Received 17 bans.
