A system running SSH blacklisting can quickly devolve into a game of whack-a-mole, because the attacking IP addresses change frequently. However, to reduce noise in your security logging, some blacklisting of SSH attackers can still be another layer in your defense.
Fail2ban is a script that detects brute force SSH attacks against an SSH server and then uses iptables or another firewall to block the offending IP address. This reduces the noise in your logs from many thousands of failed SSH logins. The site www.blocklist.de compiles lists of detected attacking IP addresses from fail2ban reports across the Internet. Using the list that contains all SSH attacks detected in the last 48 hours, we produced charts showing the locations and network blocks from which the attacking IP addresses originated. Note: these systems could be the source IP address of an active attacker, but they are more likely compromised hosts that had poor SSH passwords. A host gets compromised by an SSH bot script and then becomes an active part of the botnet, attempting to spread further through simple SSH password guessing. With the blacklist of SSH attackers, we have put together visualizations of the source addresses, similar to what we did for the Tor exit nodes.
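The detection step that fail2ban performs before it bans an address is a per-source count of failed logins inside a time window. The following is an added example of that logic, not fail2ban's own code and not part of the original page: it parses constructed sshd "Failed password" lines and applies a sliding window with the same maxretry/findtime semantics fail2ban uses, so an address that fails five times in seconds is flagged while one that fails five times across two hours is not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" line that fail2ban's sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; hostnames, users and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:07 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:30:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 11:00:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 30000 ssh2
Mar  3 11:20:00 host sshd[1401]: Failed password for bob from 192.0.2.9 port 30001 ssh2
Mar  3 11:40:00 host sshd[1402]: Failed password for bob from 192.0.2.9 port 30002 ssh2
Mar  3 12:00:00 host sshd[1403]: Failed password for bob from 192.0.2.9 port 30003 ssh2
Mar  3 12:20:00 host sshd[1404]: Failed password for bob from 192.0.2.9 port 30004 ssh2
""".splitlines()


def parse_failures(lines, year=2024):
    """Yield (timestamp, source_ip) for each failed-password line (syslog lines carry no year)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


def failures_by_ip(lines):
    """Total failed logins per source address, the raw 'noise' figure in the logs."""
    counts = defaultdict(int)
    for _, ip in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def find_bruteforcers(lines, maxretry=5, findtime=600):
    """Addresses with at least maxretry failures inside any findtime-second window."""
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in sorted(parse_failures(lines)):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire old attempts
            window.pop(0)
        if len(window) >= maxretry:
            flagged.add(ip)
    return flagged
```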
Tips for Securing Your SSH Server
- Move your SSH daemon to another port such as 2222
  - Using a high port is a layer of security, as it avoids the automated noise that hits port 22 every hour of every day. With cleaner monitoring and logs, any attempts you see against your high port are more likely to be an actual targeted attack.
- Ensure your passwords are complex and not dictionary-based
  - Easy passwords are easy to guess, and password lists are readily available to attackers. These lists contain thousands of common passwords, including common words with numbers or exclamation marks at the end. Make it hard to guess, and make it unique.
- Use OSSEC or another monitoring tool
  - Install OSSEC or another log-monitoring host-based intrusion detection system (HIDS), and get alerted if anyone does hit your SSH server on that high port.
These charts are updated daily with detected attacks from the last 48 hours.
SSH Source Attackers By Country
The locations and net blocks are more an indication of where the compromised hosts are located than of where the attackers (SSH bot masters) are located.
SSH Brute Force Attacks By ASN - Internet Service Provider (Top 20)
SSH Brute Force Attacks by Country (Top 20)