Many failed authentications and bans from many different places?

Hey hello everyone :slight_smile:

Recently, I received a diagnosis message from yunohost saying:

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in

Well first thanks a lot yunohost diagnosis for your super “right on the target” insight!! :slight_smile:

Indeed, checking the fail2ban logs, I see about 200 banning actions in the past two days. With a little script I tried to identify the origin countries of those IPs, and I was quite surprised to see a huge amount of different countries. I was expecting to see a similar origin, somehow.
A little output of the found country codes:

      8 NL
      8 AU
      6 KR
      6 ID
      5 TW
      6 FR
      4 UA
      4 IT
      4 IN
      4 GB
      4 CO
      3 VE
      3 UY
      3 PY
      3 PL
      3 JP
      3 ES
     35 US
      2 VN
      2 HU
      2 EU
      2 CA
      2 AR
     24 CN
      1 UZ
      1 TN
      1 RS
      1 RO
      1 MY
      1 HK
      1 DE
      1 CL
      1 BG
      1 BE
      1 BD
      1 AT
      1 AM
     16 ?
     14 RU

I was just wondering if anyone had similar things happening.
I guess it’d be wise to follow the yunohost diagnosis advice and change ssh port.

In fact I realized the attack is still ongoing.
I’m a bit confused and don’t really know what to do.
I modified the default ssh port, and when I do that fail2ban gets more silent for a while, but eventually after some minutes, I can see from the logs that attempts are restarting.

If anyone has some advise, or ideas about things to do, I would be really thankful :confused: :slight_smile:


Peut-être une piste ici …


Merci bin @ppr pour l’article, ce script a l’air bien pratique et je pense je vais l’utiliser.
Dans ce cas précis le problème c’est que chaque nouvelle tentative est faite avec une nouvelle adresse, donc ce script ne m’en protégera pas puisqu’il demande de savoir quelles adresses on veut bloquer.
Enfin merci quand-même, c’est bien utile comme ressource.

I also had this message when I put my port back to port 22.

I run Wireguard on my server, so I decided to close port 22 on my router. Now, when I want to connect to my server via ssh, I connect to wireguard first. Then I connect directly to my server.

This is an oblique answer, but is something you could do if you’re worried about your SSH security.

Hey @arkadi,
Thank you for your reply. For now the situation seem to have improved, disabling the possibility to connect via password is already a great improvement. But I’ll definitely try wireguard when I can, seems interesting as well.
Thanks for the advice :slight_smile:

1 Like