Websworld.org

"Eternally Experimental"
Personal test server consisting mostly of old junk.

Wall of shame: latest 20 SSH password attacks.


For about 20 years now, the logs of this little server have been flooded by brute force SSH password attacks. I don't always have an SSH key on me, so I refuse to disable password authentication just for some script kiddies. Instead, I installed a countermeasure named fail2ban. It temporarily bans an IP after 5 consecutive login failures. This threshold needs to be a very low number, with the ban time as long as you can afford, to fend off attacks coming from many different IPs (botnets). It works so well, I decided to write a few scripts to show the results here for all to see. Note that the listed IPs most likely do not belong to the actual (human) attackers! Most of these IPs appear to belong to machines that have been compromised themselves.

Machines that do get compromised in this way probably have users named info, service, mysql, student, root, test etc... or ahmed, alan, albert, alberto, alex, alfred, ali, alice, allan, andi, andrew... (you get the idea) with guessable passwords. Anyone out of ideas to name their child, drop me a line and I'll send you some logs from before I installed fail2ban... :-)

UPDATE: Over the past decade, things have become a bit more grim and grown beyond the scr1pt k1dd13 realm, as these types of attacks are now commonly used to install Trojans for use in botnets. Besides obvious uses like sending spam or 'hacking' even more machines like yours, these botnets can be a powerful tool in destructive DoS attacks and such. Your machine may be actively participating in computer terrorism without you even knowing!

Please always use a non-guessable password that is long enough to not allow brute force either. You know the drill by now. Because databases occasionally leak, change your passwords every now and then. Preferably use a password manager so that you can set a different secure password for every site you create an account on, without having to memorize them all. I am personally a fan of Vivaldi's password (and notes) syncer across all my devices.
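One way listings like the ones on this page could be produced from fail2ban's log, as an added example (not this site's own scripts): it counts only fresh `Ban` events for the `sshd` jail and builds a "latest bans" list and a per-month top list. The log lines are constructed, use documentation-range addresses, and assume fail2ban's default log layout.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in fail2ban's default log layout (RFC 5737 addresses).
SAMPLE_LOG = """\
2024-03-01 08:01:45,310 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-01 08:11:45,402 fail2ban.actions [812]: NOTICE  [sshd] Unban 192.0.2.10
2024-03-02 09:15:20,007 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-03 10:02:24,551 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-03 11:30:00,120 fail2ban.actions [812]: NOTICE  [recidive] Ban 192.0.2.10
2024-03-04 12:00:00,900 fail2ban.actions [812]: WARNING [sshd] 203.0.113.5 already banned
2024-03-05 13:45:10,222 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 198.51.100.7
2024-04-01 00:00:03,001 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.5
"""

# "Ban" must follow the jail name directly, so "Unban", "Restore Ban"
# (re-applied after a restart) and "already banned" are not counted.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$")

def parse_bans(text, jail="sshd"):
    """Return [(datetime, ip)] for fresh bans in one jail, in log order."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if not m or m["jail"] != jail:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # never publish a token that is not an IP literal
        bans.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ip))
    return bans

def latest_bans(bans, n=20):
    return sorted(bans, reverse=True)[:n]

def top_this_month(bans, year, month, n=10):
    counts = Counter(ip for ts, ip in bans if (ts.year, ts.month) == (year, month))
    return counts.most_common(n)

if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    for ts, ip in latest_bans(bans):
        print(f"On {ts} {ip} received a ban.")
    print(top_this_month(bans, 2024, 3))
```

Reverse DNS and country lookups, which the listings on this page include, are left out so the example runs offline.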


Wall of shame: Top attack bots this month:

