Recently, I received a diagnosis message from yunohost saying:
[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.
Well first thanks a lot yunohost diagnosis for your super “right on the target” insight!!
Indeed, checking the fail2ban logs, I see about 200 banning actions in the past two days. With a little script I tried to identify the origin countries of those IPs, and I was quite surprised to see a huge amount of different countries. I was expecting to see a similar origin, somehow.
A little output of the found country codes:
8 NL
8 AU
6 KR
6 ID
5 TW
6 FR
4 UA
4 IT
4 IN
4 GB
4 CO
3 VE
3 UY
3 PY
3 PL
3 JP
3 ES
35 US
2 VN
2 HU
2 EU
2 CA
2 AR
24 CN
1 UZ
1 TN
1 RS
1 RO
1 MY
1 HK
1 DE
1 CL
1 BG
1 BE
1 BD
1 AT
1 AM
16 ?
14 RU
I was just wondering if anyone had similar things happening.
I guess it’d be wise to follow the yunohost diagnosis advice and change ssh port.
In fact I realized the attack is still ongoing.
I’m a bit confused and don’t really know what to do.
I modified the default ssh port, and when I do that fail2ban gets more silent for a while, but eventually after some minutes, I can see from the logs that attempts are restarting.
If anyone has some advice, or ideas about things to do, I would be really thankful.
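The "little script" mentioned above is not shown in the thread. As an added example (my own code, not the poster's, and not part of YunoHost), here is a parser for the standard fail2ban.log ban lines that counts bans per IP, per day, per jail and per country. The log lines are constructed samples using documentation IP ranges, and the country table is a constructed stand-in for whatever GeoIP lookup the poster used; pass any `ip -> country code` function as `lookup_country`.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/fail2ban.log (real format, invented IPs/times).
SAMPLE_LOG = """\
2024-03-02 09:14:51,204 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2024-03-02 09:15:02,917 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2024-03-02 09:15:02
2024-03-02 09:20:13,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-02 09:24:51,330 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.10
2024-03-03 01:02:03,444 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2024-03-03 04:05:06,555 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.44
"""

# Constructed stand-in for a GeoIP database: any ip -> country function works.
COUNTRY_TABLE = {"203.0.113.10": "NL", "198.51.100.7": "US"}

# Only the "fail2ban.actions ... NOTICE [jail] Ban <ip>" lines are ban events;
# "Found" lines are individual failed attempts and "Unban" lines are expiries.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_bans(lines):
    """Yield (timestamp, jail, ip) for every Ban line; skip Unban and other noise."""
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m and m.group("action") == "Ban":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("jail"), m.group("ip")


def summarize(lines, lookup_country=None):
    """Count bans per IP, per day, per jail and per country code ('?' if unknown)."""
    bans = list(parse_bans(lines))
    country = (lambda ip: (lookup_country(ip) or "?")) if lookup_country else (lambda ip: "?")
    return {
        "total": len(bans),
        "per_ip": Counter(ip for _, _, ip in bans),
        "per_day": Counter(ts.date().isoformat() for ts, _, _ in bans),
        "per_jail": Counter(jail for _, jail, _ in bans),
        "per_country": Counter(country(ip) for _, _, ip in bans),
        # IPs banned more than once came back after the ban expired.
        "repeat_offenders": sorted(ip for ip, n in Counter(ip for _, _, ip in bans).items() if n > 1),
    }


if __name__ == "__main__":
    # On a real host: open("/var/log/fail2ban.log") instead of the sample.
    report = summarize(SAMPLE_LOG.splitlines(), COUNTRY_TABLE.get)
    print(f"{report['total']} bans")
    for code, n in report["per_country"].most_common():
        print(f"{n:4d} {code}")
    print("repeat offenders:", report["repeat_offenders"])
```

The `repeat_offenders` list is the part worth looking at after the country breakdown: addresses that come back as soon as a ban expires are what fail2ban's `recidive` jail (a longer ban triggered by repeated bans) is meant for, and a wide spread of countries with few bans each, as in the list above, is the usual signature of a distributed password-guessing campaign rather than a single host.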
I also had this message when I put my port back to port 22.
I run Wireguard on my server, so I decided to close port 22 on my router. Now, when I want to connect to my server via ssh, I connect to wireguard first. Then I connect directly to my server.
This is an oblique answer, but is something you could do if you’re worried about your SSH security.
Hey @arkadi,
Thank you for your reply. For now the situation seems to have improved; disabling the possibility to connect via password is already a great improvement. But I’ll definitely try wireguard when I can, seems interesting as well.
Thanks for the advice
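The thread settles on two changes: disabling password logins (the one that made the difference) and moving the SSH port (which only quietened the log for a while). As an added example that is not from the thread or from YunoHost, here is a small audit of an `sshd_config` for exactly those settings, with a constructed weak configuration beside a hardened one. It follows sshd's own rule that the first occurrence of a keyword wins, treats the old `ChallengeResponseAuthentication` name as an alias of `KbdInteractiveAuthentication`, and stops at the first `Match` block, whose conditional overrides it does not model.

```python
import re

# OpenSSH server defaults for the keywords this audit cares about.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# keyword -> (acceptable values, why it matters for the brute-force case)
WANTED = {
    "passwordauthentication": ({"no"}, "password logins are what the guessing attempts target"),
    "kbdinteractiveauthentication": ({"no"}, "keyboard-interactive can still prompt for a password"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not be reachable with a password"),
    "pubkeyauthentication": ({"yes"}, "keys have to stay enabled once passwords are off"),
}

# Constructed "before": accepts passwords, root included, on the default port.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed "after": key-only logins; the port move is optional noise reduction.
HARDENED_CONFIG = """
Port 2222
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

LINE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def effective_settings(config_text):
    """Return the settings sshd would use in the global section (first value wins)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        if key == "challengeresponseauthentication":  # pre-8.7 name
            key = "kbdinteractiveauthentication"
        if key not in seen:  # sshd keeps the first occurrence of a keyword
            seen.add(key)
            settings[key] = value
    return settings


def audit(config_text):
    """List the settings that leave password guessing possible; empty means hardened."""
    s = effective_settings(config_text)
    findings = []
    for key, (ok, why) in WANTED.items():
        if s[key] not in ok:
            findings.append(f"{key} is '{s[key]}' (want {'/'.join(sorted(ok))}): {why}")
    if s["port"] == "22":
        findings.append("port is 22: a custom port reduces scanner noise but is not a substitute for the above")
    return findings


if __name__ == "__main__":
    # On a real host: open("/etc/ssh/sshd_config").read() instead of the samples.
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Before restarting the service after editing the file, `sshd -t` checks the syntax and `sshd -T` prints the effective values, which is the authoritative way to confirm what this audit approximates; keep an existing session open until a key-based login on the new settings has been verified.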