
damn_registrars's Journal: Someone got new scripts for Christmas?

We noticed that our internet connectivity hasn't been great at home lately. I didn't have a lot of time to tackle this right away so I started with the usual song and dance of resetting the modem and the router. This brought some relief and then it got worse again.

Then today I checked the auth.log on the RPi that runs as our webserver / gateway. In the last 6 days, we've seen at least 23,047 unique attempts to log in to our server as root from across the internet. This of course excludes other attempts made on other accounts that we don't allow to access our system from the outside world (people may call me crazy but I'm not enough of a maniac to allow remote access as root).

What I find interesting is that we had a very quiet 2022 up until right around Christmas, then all of a sudden we're getting hammered from all over the world.

Quick sample of IP addresses attempting to get in:
  • 61.177.173.27 - China
  • 157.245.40.103 - USA
  • 79.10.178.226 - Italy
  • 159.89.19.21 - USA
  • 209.45.73.18 - Peru
  • 143.198.94.205 - USA
  • 146.190.46.226 - USA
  • 128.199.141.33 - USA
  • 43.153.89.150 - Japan
  • 190.104.25.217 - Bolivia

And of course those don't indicate that the person who is running these scripts is actually in those countries; I suspect more likely it means these addresses belong to compromised systems in those countries that are running the scripts for amateur hackers in other countries.

I finally bit the bullet and installed fail2ban. Hopefully this locks out a few of these idiots, for a while at least.
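The auth.log check described in the journal entry can be reproduced with a short script. This is an added example, not code from the journal's author or from fail2ban: the log lines are constructed and use documentation IP ranges, the regex is illustrative, and the `maxretry`/`findtime` parameters borrow fail2ban's option names with assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to auth.log (documentation IPs).
SAMPLE_LOG = """\
Dec 27 03:14:01 gateway sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Dec 27 03:14:04 gateway sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Dec 27 03:14:09 gateway sshd[2103]: Failed password for root from 203.0.113.7 port 40031 ssh2
Dec 27 03:20:15 gateway sshd[2110]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Dec 27 04:02:40 gateway sshd[2125]: Failed password for root from 198.51.100.23 port 51990 ssh2
Dec 27 04:05:11 gateway sshd[2130]: Accepted publickey for pi from 192.0.2.10 port 50122 ssh2
Dec 27 09:30:00 gateway sshd[2188]: Failed password for root from 198.51.100.23 port 52001 ssh2
"""

# Illustrative pattern written for this example; it is not fail2ban's own sshd filter.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2022):
    """Yield (timestamp, user, ip) per failed password attempt; syslog omits the year."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def root_attempts_by_ip(text):
    """Count failed root logins per source address."""
    return Counter(ip for _, user, ip in parse_failures(text) if user == "root")

def would_ban(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return addresses with at least maxretry failures inside one findtime window."""
    recent, banned = defaultdict(list), set()
    for ts, _, ip in parse_failures(text):
        # Keep only this address's failures that are still inside the window.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    for ip, n in root_attempts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed root logins")
    print("would be banned:", sorted(would_ban(SAMPLE_LOG)))
```

In the sample, the second address fails three times but hours apart, so it never crosses the per-address threshold; a count per source address is worth reviewing alongside the ban list.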

  • Like I'm pretty sure I was the one to tell you about fail2ban back when we worked together and it was still new.
    • Like I'm pretty sure I was the one to tell you about fail2ban back when we worked together and it was still new.

      What did we work together on?

      Regardless, yes I should have done it sooner. I used to find the hack attempts amusing, but now they're bordering on DDoS on my system so I needed to take action. They're so prevalent that rebooting my cable modem - which in my case results in a new IP address every single time - doesn't make them go away any more as someone finds my IP address and starts on it again.

  • Yep, the logs from my 2 servers are filled to the brim with fail2ban entries like that, denying connections from all over the world, thousands per day.

    My home router logs are also filled with shit like this (IPs redacted):

    [DoS Attack: TCP/UDP Echo] from source: xx.xxx.xx.xxx, port 42422, Saturday, December 31, 2022 07:58:22
    [DoS Attack: SYN/ACK Scan] from source: xx.xxx.xxx.xx, port 443, Saturday, December 31, 2022 07:57:26

    I'm tempted to add/buy some sort of additional firewall appliance but I haven't had ti
