Comment by flamesofphx
8 hours ago
I get rid of my bot attempts by doing this:
1. Make all ports not respond (stealth in the firewall), unless they are public like HTTP.
2. Change the SSH port number (over 8192 also).
3. Set up a port knocking watchdog so they have to knock first in a specific order on three ports before being allowed to connect to the real port.
4. Set up fail2ban, including: if someone pings the knocking ports (in the incorrect order) or the real SSH port (without knocking first), then after a couple of times add their IP to the fail2ban list for 48 hours.
You get rid of 99.98% of the lookers instantly by just doing step 2.
This assumes you have control over the server; there are several scripts online that help you provision something like that with Ansible (most of them helpers related to configuring fail2ban).
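Added illustration of steps 3 and 4 above (example code, not from the commenter or any of the tools named): a small model of the per-source state a knock-aware firewall plus a fail2ban-style ban would keep, fed with constructed SYN events. The knock ports, the sshd port, the open window and the sample addresses are all assumptions.

```python
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports, to be hit in this order
SSH_PORT = 22222                     # assumed non-default sshd port (step 2, above 8192)
OPEN_WINDOW = 10                     # seconds the real port accepts a source after a full knock
MAX_STRIKES = 3                      # "a couple of times" before the ban
BAN_SECONDS = 48 * 3600              # 48-hour ban, as in step 4

@dataclass
class Source:
    progress: int = 0        # knock ports hit in the right order so far
    open_until: float = 0.0  # real port accepts this source until this time
    strikes: int = 0
    banned_until: float = 0.0

class KnockGuard:
    def __init__(self):
        self.sources = {}

    def handle(self, ts, ip, port):
        # One SYN (timestamp, source IP, destination port) -> verdict string.
        s = self.sources.setdefault(ip, Source())
        if ts < s.banned_until:
            return "drop-banned"
        if port in KNOCK_SEQUENCE:
            if port == KNOCK_SEQUENCE[s.progress]:
                s.progress += 1
                if s.progress == len(KNOCK_SEQUENCE):  # full sequence: open the window
                    s.progress, s.open_until = 0, ts + OPEN_WINDOW
                return "drop"  # knock ports never answer (step 1: stealth)
            s.progress = 0     # out-of-order knock: reset and count a strike
            return self._strike(ts, s)
        if port == SSH_PORT:
            return "accept" if ts < s.open_until else self._strike(ts, s)
        return "drop"          # everything else is stealth-dropped

    def _strike(self, ts, s):
        s.strikes += 1
        if s.strikes < MAX_STRIKES:
            return "strike"
        s.strikes, s.banned_until = 0, ts + BAN_SECONDS
        return "ban"

# Constructed sample: a client that knocks correctly and a scanner that does not.
SAMPLE = [(0, "203.0.113.5", 7000), (1, "203.0.113.5", 8000), (2, "203.0.113.5", 9000),
          (3, "203.0.113.5", SSH_PORT),    # accept: inside the open window
          (0, "198.51.100.7", SSH_PORT),   # strike 1: sshd port without a knock
          (1, "198.51.100.7", 9000),       # strike 2: wrong knock order
          (2, "198.51.100.7", SSH_PORT),   # ban: third strike, 48 hours
          (3, "198.51.100.7", SSH_PORT)]   # drop-banned
```

Replaying SAMPLE through one KnockGuard gives the verdicts noted in the comments; a real deployment would also expire a half-finished knock sequence after a timeout, which this model omits.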
I too change my default port on all nodes except public SFTP servers. I also restrict the TCP SYN MSS, window and TTL, and the allowed CIDR blocks, for non-public SFTP servers. It keeps most things very quiet. Quiet makes it easier to spot more serious and targeted attempts.
This is an attempt to see what fun I can have with the bots on public SFTP servers. I am also curious if I can crap up their logs a bit, depending on what they log. It's also fun to get them stuck using OpenSSH rather than depending on netfilter's tarpit, which AFAIK is not available via nftables.
This poor bot, for example, is stuck in a loop and can't even try to authenticate because of something I put in the sshd_config, a copy of which is available on the SFTP server. Legit SSH clients can attempt to authenticate, however.