Hey Tobi

Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already.

It's as simple as:

*** snip 8< ***
# Install fail2ban
apt install fail2ban

# Set log level to VERBOSE in sshd daemon to catch failed logins for existing accounts as well
cat >> /etc/ssh/sshd_config <<EOF
LogLevel VERBOSE
EOF
systemctl restart sshd
*** >8 snap ***

Failed attempts will now be logged and source IPs will be banned after several failed attempts.

Cheers,
Manuel

-- 
Manuel Schweizer
cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich

Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch

> On 2 Jul 2018, at 11:42, Jeroen Massar <jer...@massar.ch> wrote:
>
> On 2018-07-02 11:25, Tobias Oetiker wrote:
>> Good Morning
>>
>> are you running an ssh daemon on non standard ports to avoid some of the
>> drive-by-scanning ? we have been doing that for quite some time now with
>> great reduction of scanning noise ...
>
> I suggest running SSH always behind white-list only firewalls.
>
> That, and otherwise use a VPN to get in to a fixed-IP so that one is in
> the whitelist.
>
> Providing an 'open over IPv6 only', or "SSH via Tor" is also a
> reasonable technique there.
>
>
> If you have to run a jumpbox style host: For SSH, it is also heavily
> suggested to disable any form of password-auth, that way, only public
> key authentication is accepted and guess what the scanner scripts do not
> support as they do not have a key which thus makes guessing impossible...
>
> for OpenSSH:
> UsePAM no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> Do have working pubkeys on the box first :)
>
>
>> since yesterday this has changed
>> ... we are getting a lot of connection attempts ...
>>
>> are you seeing this too ? is someone actively looking for ssh across the
>> whole port range or is this 'personal' ?
>
> There are more and more "Internet scanning" services, especially since
> people realized the amount of data that Shodan shows, every company is
> having their own scanning boxes.
>
> Next to that of course, there are thousands of kiddies running the
> default scripts just trying random username/passwords.
>
> Whitelisting is the best trick in the toolchest.
>
> Greets,
> Jeroen
>
>
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
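
An added example, not part of the thread and not code from any of the posters: a shell check of whether the sshd_config values suggested above (LogLevel VERBOSE from the Fail2Ban snippet, and the three password-auth settings listed for OpenSSH) are actually in effect. sshd uses the first value it reads for a keyword, and lines after a Match line belong to that block, so values appended to the end of the file can be ignored. The function names and the sample config are constructed for illustration; Include directives and compiled-in defaults are not handled.

```shell
#!/bin/sh
# Added example: report which sshd_config values are really in effect.
# sshd keeps the FIRST value it reads for a keyword, and lines after a
# "Match" line belong to that block, so appended settings can be ignored.
# Assumptions: no Include directives; compiled-in defaults are not modelled,
# so an unset keyword counts as a failure.

effective() {  # usage: effective KEYWORD FILE -> first global value, if any
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) } # "Keyword=value" is also valid
        key == "match" { exit }              # global section ends here
        key == want    { print $2; exit }    # first value wins
    ' "$2"
}

audit() {  # usage: audit FILE -> one line per check, returns 0 if all pass
    rc=0
    for check in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                 UsePAM=no LogLevel=VERBOSE; do
        key=${check%%=*}; want=${check#*=}
        got=$(effective "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a config that already sets LogLevel and
# PasswordAuthentication, with the thread's settings appended afterwards.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
LogLevel INFO
PasswordAuthentication yes
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
LogLevel VERBOSE
EOF
audit "$sample" || echo "appended values are shadowed by earlier lines"
```

On a live host, `sshd -T` prints the configuration sshd would actually use, which also covers defaults and included files.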