Ask HN: Do you have any SSH bot scripts?
6 hours ago
I do not have any SSH bot scripts and would like to play around with the default OpenSSH_10.0p2 capabilities to slow bots to a crawl or see if I can get them stuck rather than playing whack-a-mole.
To prove I temporarily control the IP in question, one can SFTP as mirror@104.200.16.195 on port 22 with no password, and there is a __README__.txt. Feel free to brute force or crash sshd.
If you have scripts that work fine, I would love it if you SFTP'd them to me. If your scripts get stuck, I will show my work being done to slow bots via SFTP, beyond what OpenSSH 10 is already doing to deprecate fail2ban.
The goal is to bend the default applications and OS in a way most should be able to without installing anything.
I get rid of my bot attempts by doing this:
1. Make all ports not respond (stealth in the firewall) unless they are public, like HTTP.
2. Change the SSH port number (also to something over 8192).
3. Set up a port-knocking watchdog so they have to knock first, in a specific order, on three ports before being allowed to connect to the real port.
4. Set up fail2ban, including: if someone pings the knocking ports (in the incorrect order) or the real SSH port (without knocking first), then after a couple of times add their IP to the fail2ban list for 48 hours.
You get rid of 99.98% of the lookers instantly just by doing step 2.
This assumes you have control over the server; there are several scripts online that help you provision something like that with Ansible (most of them helpers related to configuring fail2ban).
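Steps 1 to 3 of the procedure above as a single nftables ruleset, added here as an example and not taken from the commenter or the thread. It assumes placeholder knock ports 1234, 2345 and 3456 and an sshd already moved to port 50022; step 4 is left to fail2ban (or OpenSSH's own per-source penalties), since out-of-order knocks here simply expire and are never answered.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. All port numbers are placeholders.
# Note: "flush ruleset" replaces every existing table on the host.
flush ruleset

table inet knock {
    # Knock progress: (source address . NEXT port it must hit), short-lived
    set candidates { type ipv4_addr . inet_service; flags timeout; }
    # Sources that completed the sequence and may open SSH sessions for a while
    set clients { type ipv4_addr; flags timeout; }

    chain input {
        # Step 1: default drop, so unanswered ports look like nothing is there
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Public services stay reachable without knocking
        tcp dport { 80, 443 } accept

        # Step 3: three knocks in order, each within 5s of the previous one.
        # Every knock records the next expected port for that source; a wrong
        # or out-of-order hit matches nothing and the entry just times out.
        # Knock packets fall through to the drop policy, so no RST is sent.
        tcp dport 1234 add @candidates { ip saddr . 2345 timeout 5s }
        tcp dport 2345 ip saddr . tcp dport @candidates add @candidates { ip saddr . 3456 timeout 5s }
        tcp dport 3456 ip saddr . tcp dport @candidates add @candidates { ip saddr . 50022 timeout 5s }

        # Step 2: the real sshd listens on 50022 (placeholder, > 8192); only a
        # source that finished the sequence gets in, and stays admitted for 30s
        tcp dport 50022 ip saddr . tcp dport @candidates update @clients { ip saddr timeout 30s } accept
        tcp dport 50022 ip saddr @clients accept

        # Anything else, including bare SYNs to 50022, is silently dropped
    }
}
```

Check the result with `nft list set inet knock candidates` while knocking; a scanner that never completes the sequence will never see 50022 answer.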
I too change my default port on all nodes except public SFTP servers. I also restrict the TCP SYN MSS, window and TTL, and the allowed CIDR blocks for non-public SFTP servers. It keeps most things very quiet. Quiet makes it easier to spot more serious and targeted attempts.
This is an attempt to see what fun I can have with the bots on public SFTP servers. I am also curious if I can crap up their logs a bit, depending on what they log. It's also fun to get them stuck using OpenSSH rather than depending on netfilter's tarpit, which AFAIK is not available via nftables.
This poor bot, for example, is stuck in a loop and can't even try to authenticate because of something I put in the sshd_config, a copy of which is available on the SFTP server. Legit SSH clients can attempt to authenticate, however.