Hacker News
by LinuxBender 1725 days ago
This is not unique to Cloudflare, Level3 or any of the other networks I've seen mentioned in this thread. The entire internet scans all the common ports and this should be expected to continue indefinitely. If this is causing alerts from your logging, there are a few options:

- Implement a firewall on your instances.

- Implement port knocking for sshd.

- Move sshd to a non standard port to avoid the nmap/bot noise.

- Only log successful logins.

- Any combination of the above.

There are pros and cons to each item so you would have to decide which combination is the most appropriate and least friction for your organization. If leaving the port exposed consider enforcing key based authentication and disabling password authentication. For high-risk accounts such as monitoring accounts that use passwordless unrestricted sudo, you can even restrict what networks the keys are valid from.
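
Added example (not LinuxBender's code; the config excerpt is constructed): a small Python check for the key-only, no-password settings the comment recommends, plus the `authorized_keys` `from=` restriction it mentions for high-risk keys. The first-value-wins parsing, the keyboard-interactive check and the `source_allowed` approximation of sshd's `from=` matching are my additions, written from the OpenSSH man pages rather than taken from any tool.

```python
"""Audit an sshd_config for key-only login and build a source-restricted
authorized_keys entry. Added example; the sample config is constructed."""
import fnmatch
import ipaddress
import re

# Constructed sshd_config excerpt (not from any real host). Note the duplicate
# PasswordAuthentication: sshd keeps the FIRST value it reads, so the later
# 'yes' is ignored, although a reviewer skimming the file might think otherwise.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
Match User monitor
    PasswordAuthentication yes
"""

_LINE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")   # "Keyword value" or "Keyword=value"


def parse_global_settings(text):
    """Return {keyword_lowercase: value} for the global section using sshd's
    first-match-wins rule. Parsing stops at the first Match block, because
    settings inside it apply only to connections matching its criteria."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(settings):
    """Findings as strings; an empty list means the password path is closed.
    Defaults are OpenSSH's when a keyword is absent from the file."""
    get = lambda key, default: settings.get(key, default).lower()
    findings = []
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # With UsePAM yes, PAM can still prompt for a password over the
    # keyboard-interactive method unless that method is disabled as well.
    # Older releases spell the keyword ChallengeResponseAuthentication.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM password prompts still possible)")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes allows root password logins")
    return findings


def restricted_key_entry(pubkey, networks, command=None):
    """authorized_keys line for a high-privilege key: 'from=' limits the source
    addresses sshd accepts it from, 'restrict' disables forwarding, pty and
    agent use, and a forced command pins what the key may run.
    Double quotes inside `command` would need backslash escaping (not handled)."""
    options = ['from="%s"' % ",".join(networks), "restrict"]
    if command:
        options.append('command="%s"' % command)
    return ",".join(options) + " " + pubkey


def source_allowed(addr, patterns):
    """Approximate sshd's 'from=' evaluation for an IP address: CIDR entries and
    glob patterns, '!' negates; any negated hit denies, otherwise one positive
    hit is required. (sshd also matches the reverse-resolved hostname; omitted.)"""
    ip = ipaddress.ip_address(addr)
    allowed = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        pattern = pattern.lstrip("!")
        if "/" in pattern:
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pattern)
        if hit and negate:
            return False
        allowed = allowed or hit
    return allowed


if __name__ == "__main__":
    for finding in audit(parse_global_settings(SAMPLE_SSHD_CONFIG)):
        print("FINDING:", finding)
    # PLACEHOLDERKEYDATA stands in for a real key blob.
    print(restricted_key_entry("ssh-ed25519 PLACEHOLDERKEYDATA monitor@example",
                               ["10.0.0.0/8", "!10.0.99.*"],
                               command="/usr/local/bin/check-health"))
```

Run against the constructed config, the only finding is the keyboard-interactive one: `PasswordAuthentication no` on its own does not stop PAM from prompting for a password, which is the check people most often miss when they believe password logins are off.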

9 comments

https://github.com/jftuga/gofwd

I created gofwd, a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect services when using a VPN is not possible. While its use cases are limited, it works great for me when I need to connect to my home network.

The overall elegance of this solution is that no additional software is needed. As long as you are within your predefined geo-ip location, have your phone, and know your hostname/ip address (and port number), then you will be able to access your system remotely.

I've been happy with having my firewall count SSH connection attempts, and if you make too many attempts in too short a period of time, it just blacklists that IP for 24 hours.

My first 'defense' was just moving off of port 22. I had planned other things, but to be honest, the attempts went from hundreds a day to zero, so I never bothered doing more.
The first package I install on public facing servers is fail2ban.

After starting it, everything becomes much calmer. Nice thing is, fail2ban can protect much more than SSH.

I do the same, but only 10 minutes after 5 failed logins. That's enough for bots while not really getting in your way if it accidentally blocks the hotel you're in.

Combined with only allowing key-based login, password is disabled.

I've recently added 2FA as well. Super easy to do.
I wrote a blog on how to do it a couple years back if anyone is interested in a "tutorial": https://2byt.es/post/totp/

It's for the Pi as that's the target audience but it should apply generally for OpenSSH.

There's also a sister post about improving your "first factor" for those still using passwords: https://2byt.es/post/totp2/
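
Added example (not from the linked tutorial and not the commenter's code): what the TOTP second factor that PAM modules such as pam_google_authenticator and pam_oath check actually computes, per RFC 4226/6238 with their defaults (HMAC-SHA1, 30 second step, 6 digits), checked against the RFC test vectors. The verifier class, with its clock-drift window and the replay set that refuses an already-used code, is my own illustration of a sensible server-side policy, not a description of any specific module.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP and a replay-resistant verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# The secret used by the RFC 6238 test vectors: ASCII "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode the base32 secret an authenticator app enrols; apps often omit padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server side: accept a code for any counter within +/- `window` steps of
    now, but never the same counter twice. The replay set is what stops an
    attacker who observed a code from reusing it inside the same step."""

    def __init__(self, secret, window=1, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self._used_counters = set()

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        now_counter = int(at // self.step)
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter in self._used_counters:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison; bytes so non-ASCII input cannot raise
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET))
```

A window of one step either side is the usual compromise between clock drift on the phone and the number of codes an attacker may try per attempt; with 6 digits and three acceptable counters, each guess has roughly a 3 in a million chance, which is why the rate limiting discussed elsewhere in this thread still matters with 2FA on.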

My experience was similar. I opened a public SSH once and there were many unsuccessful login attempts. The way we resolved it was by installing a VPN and closing the IP for public access.

My favorite is to implement a tarpit while moving the ssh port.
> My favorite is to implement a tarpit while moving the ssh port.

For those who, like me, are unfamiliar with the concept of an SSH tarpit, it's a technique consisting of inserting delays into SSH connection attempts.

Old HN discussion on Endlessh:

https://news.ycombinator.com/item?id=24491453

Isn’t this easily detectable for any malicious script? Just a small timeout and try the next port.

Does that mean that you automatically block IPs that try to login on port 22 (since they are obviously malicious/port scannners)? If yes, is there any specialized daemon for that or are you using firewall rules? Or are you running a SSH honeypot on port 22?

The post is referring to this: https://github.com/skeeto/endlessh

I'm guessing that the person you replied to is referring to the same.

A tarpit is a technique to waste your opponent's time and network sockets. Usually by accepting the connection but only sending or receiving data at like 1byte/s.

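
Added example of the technique just described, written independently of endlessh (it is not that project's code): an asyncio listener that accepts the connection and dribbles out junk lines. The trick it relies on is in RFC 4253: a server may send any number of CRLF-terminated lines before its `SSH-` identification string, and a client must read and discard them. As long as no line starts with `SSH-`, a client that waits for the banner waits forever; each junk line also stays well under the 255-byte line limit so a strict client has no reason to give up. The `max_lines` argument exists only so the handler can be exercised offline.

```python
"""Endlessh-style SSH tarpit: pre-banner junk lines, one every `delay` seconds.
Added example, not endlessh's code."""
import asyncio
import random
import string

LINE_CHARS = string.ascii_letters + string.digits + " -_.:"


def banner_line(rng, max_len=32):
    """One junk line sent before the (never-arriving) SSH- version string.
    RFC 4253 clients skip such lines; a line beginning 'SSH-' would instead be
    taken as the identification string and end the stall, so that prefix is
    avoided. Length stays far below the 255-byte limit including CRLF."""
    n = rng.randint(3, max_len)
    line = "".join(rng.choice(LINE_CHARS) for _ in range(n))
    if line.startswith("SSH-"):
        line = "x" + line[1:]
    return (line + "\r\n").encode("ascii")


async def tarpit(reader, writer, delay=10.0, rng=None, max_lines=None):
    """Hold one client: a junk line every `delay` seconds until it disconnects.
    Client input is never read; nothing the scanner sends can end the stall.
    Returns the number of lines the client sat through."""
    rng = rng or random.Random()
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(banner_line(rng))
            await writer.drain()          # raises once the peer has gone away
            sent += 1
            await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()
    return sent


async def serve(host="0.0.0.0", port=22, delay=10.0):
    """Listen on the old SSH port while the real sshd lives elsewhere.
    Binding below 1024 needs root or CAP_NET_BIND_SERVICE."""
    server = await asyncio.start_server(lambda r, w: tarpit(r, w, delay), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Two practical notes: the cost lands on whoever waits for the identification string, so a scanner with a short connect timeout loses little, while a full SSH client or a brute-forcer using a real SSH library sits for as long as it is willing to wait; and because the handler holds one socket per stuck client, run it with a sensible file-descriptor limit and a long `delay`, since the whole point is that each held connection is almost free for you and slow for them.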
Personally, I just whitelist SSH access on the firewall (UFW and/or AWS SecGrps). Everyone on the admin team has a static residential address. On the road, we use ZeroTier.

Adding:

- whitelist allowed IPs for port 22. Requires static IPs client-side obviously
- fail2ban if static IPs are not available.

> - Move sshd to a non standard port to avoid the nmap/bot noise.

There are scanners like shodan that will scan every single port you have now so moving it to a non-standard port doesn't stop all the attackers.

Shodan scans a handful of common ports [1] but you are right, a targeted attack will not be stopped by moving ports. Along the lines of what jms703 mentioned, moving ports just removes the noise from the bots so you can have better alerting on real attacks and not suffer from alert fatigue.

[1] - https://en.wikipedia.org/wiki/Shodan_(website)

The parent post didn’t say to do this to stop attackers. They said to do this to reduce alerts in the logs.

Or Fail2Ban. I have mine set up so that it does an API call to my OPNSense firewall. A few wrong logins to my self hosted things (SSH included) and that IP is permanently blocked from everything.

If you expose sshd to the internet in the first place you are doing something wrong.