Re: [bitfolk] SSH access to Xen Shell will have to be tighte…

Author: Roger Light
Date:  
To: users
Subject: Re: [bitfolk] SSH access to Xen Shell will have to be tightened up
Hi Andy,

Have you considered a multilevel approach with fail2ban? Something
like the link below increases the ban timeout for repeat offenders.

http://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/

Cheers,

Roger


On 2 March 2018 at 11:11, Andy Smith <andy@???> wrote:
> Hi,
>
> The level of SSH scanning is getting ridiculous.
>
> Here's some stats on the number of Fail2Ban bans across all Xen
> Shell hosts in the last 7 days:
>
> First three octets only:
>
> That is with Fail2Ban adding a 10 minute ban after 10 login
> failures. If there was no ban this would be 100s of thousands of
> login attempts instead of 4,653 bans.
>
> Yes I can send an abuse report to Chinanet's "Jiangxi telecom
> network operation support department". Yes I can just firewall it
> off. But that relies on periodic log file auditing.
>
> There is already an SSH listening on port 922 that is not subject to
> Fail2Ban. I would rather not have SSH on port 22 at all but in the
> past I have been told this would not be acceptable because some
> people are sometimes on networks where they can't connect to port
> 922. If that would be fine with you then no need to comment but it
> might be interesting to hear from anyone who would still find this a
> problem.
>
> What are the feelings about setting port 22 Xen Shell access to
> require SSH public key auth (while leaving 922 to allow password
> authentication as well)?
>
> Do those of you who've added SSH keys want an option to *require*
> SSH keys even on port 922?
>
> At the very least the Fail2Ban ban time is going to have to go up
> from 10 minutes to let's say 6 hours.
>
> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
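A small model of the trade-off discussed in this thread, added here as an example and not part of either poster's message or of Fail2Ban's own code: it replays one persistent scanner for 7 days against the current policy (10 failures, 10 minute ban), the proposed flat 6 hour ban, and an escalating ladder for repeat offenders. The scanner rate (one attempt per second), the 10 minute counting window and the ladder values are assumptions made for illustration.

```python
"""Flat vs. escalating ban times against one persistent SSH scanner (model)."""

WEEK = 7 * 24 * 3600

# Ban length in seconds for the 1st, 2nd, ... ban of the same address.
FLAT_10_MIN = [600]                                # policy described in the thread
FLAT_6_HOURS = [6 * 3600]                          # proposed flat increase
ESCALATING = [600, 3600, 21600, 86400, 604800]     # constructed ladder (assumption)


def simulate(ban_times, maxretry=10, findtime=600, interval=1, duration=WEEK):
    """Replay a scanner that fails one login every `interval` seconds.

    While banned the scanner is firewalled, so nothing reaches sshd; it
    resumes the moment the ban lifts. The last entry of `ban_times` is
    reused once the ladder is exhausted.
    Returns (attempts_reaching_sshd, bans_issued).
    """
    recent = []          # failure timestamps inside the findtime window
    banned_until = 0
    attempts = bans = 0
    t = 0
    while t < duration:
        if t < banned_until:
            t = banned_until      # skip the firewalled period
            continue
        attempts += 1
        recent = [x for x in recent if t - x < findtime] + [t]
        if len(recent) >= maxretry:
            level = min(bans, len(ban_times) - 1)   # repeat offenders climb
            banned_until = t + ban_times[level]
            bans += 1
            recent = []
        t += interval
    return attempts, bans


def compare():
    """Attempts and bans over one week for each policy."""
    policies = {"flat 10 min": FLAT_10_MIN,
                "flat 6 h": FLAT_6_HOURS,
                "escalating": ESCALATING}
    return {name: simulate(ladder) for name, ladder in policies.items()}


if __name__ == "__main__":
    for name, (attempts, bans) in compare().items():
        print(f"{name:12s} attempts={attempts:5d} bans={bans:4d}")
```

In this model the ladder stays as lenient as the current policy for a first ban, which matters for a legitimate user who mistypes a password, while cutting a persistent scanner's attempts further than the flat 6 hour ban.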