Comment by Bender

I too change my default port on all nodes except public SFTP servers. I also restrict the TCP SYN MSS, Window and TTL and allowed CIDR blocks for non public SFTP servers. It keeps most things very quiet. Quiet makes it easier to spot more serious and targeted attempts.

This is an attempt to see what fun I can have with the bots on public SFTP servers. I am also curious if I can crap-up their logs a bit, depending on what they log. It's also fun to get them stuck using OpenSSH rather than depending on netfilters tarpit which AFAIK is not available via nftables.

This poor bot for example is stuck in a loop and can't even try to authenticate because of something I put in the sshd_config a copy of which is available on the SFTP server. Legit SSH clients can attempt to authenticate however.

    srclimit_penalise: ipv4: new 128.199.x.x/24 deferred penalty of 9 seconds for penalty: connections without attempting authentication

    # since I cleared the logs this morning
    logread | grep -c "128.199"
    591