by speedgoose 1437 days ago
By the way, unless you run a honey pot, you should probably only allow a few IP ranges for SSH in your firewall.

Yep. And paranoid folk, like myself, may consider adding a set of iptables rules to deny-list IPs originating this sort of junk traffic, wholesale:

  # set that accumulates the deny-listed source addresses
  ipset create n hash:net

  # iptables-restore syntax; the chain n has to be declared before it is used
  :n - [0:0]
  # accept your own allowlisted sources before these rules, otherwise one
  # SSH connection from yourself puts your own IP into the deny list
  -A INPUT -m set --match-set n src -j DROP
  -A INPUT -p tcp -m multiport --dports 22,23,25,445,1433,3389,8080 -j n
  -A n -j SET --add-set n src
  -A n -j DROP

Question to you and the broader HN...

Is there a way to allowlist whole ASNs? I know you can't do it directly with iptables/ebtables/etc., but is there a daemon for that that'll watch for changes to them? I'd like to allowlist my cellular provider and my home ISP, for example, but they have a lot of ranges and sometimes introduce new prefixes.
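One way to do what the question above asks for, as a worked example added to this thread (it is not any commenter's code): a POSIX shell script that turns a prefix list for an ASN into an ipset update that is atomic, so the live set is never empty while it refreshes, plus a change check so a periodic job only swaps when the provider's list actually changed. It assumes the prefix list is fetched separately (for instance with bgpq4 or an IRR route-object query) and written one CIDR per line; the list embedded below is constructed sample data, and the set name isp_allow is a placeholder.

```shell
#!/bin/sh
# Refresh an ipset from a prefix list without ever leaving it empty.
# Added example for this thread, not any commenter's code. The prefix
# list is assumed to come from elsewhere (bgpq4, an IRR query, ...);
# the sample data below is constructed and the set name is a placeholder.
set -eu

# Keep only lines that look like IPv4 CIDRs, deduplicated and sorted,
# so junk in an upstream export can never become an `add` command.
clean_prefixes() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$1" | sort -u
}

# Emit an `ipset restore` batch for set $1 from prefix file $2.
# A scratch set is filled first and then swapped with the live set, so
# rules that reference the live set never see it empty or half-loaded.
build_ipset_batch() {
    set_name=$1
    tmp="${set_name}_tmp"
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s hash:net\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    clean_prefixes "$2" | while read -r cidr; do
        printf 'add %s %s\n' "$tmp" "$cidr"
    done
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
}

# Exit 0 (true) when the cleaned prefix sets in two files differ; lets a
# cron job or timer skip the swap when the announcements are unchanged.
prefixes_changed() {
    [ "$(clean_prefixes "$1" | cksum)" != "$(clean_prefixes "$2" | cksum)" ]
}

# Constructed sample of what a fetched list might contain: a duplicate
# and a junk line, neither of which must reach the set.
write_sample_prefixes() {
    cat > "$1" <<'EOF'
198.51.100.0/24
203.0.113.0/25
198.51.100.0/24
not-a-prefix
192.0.2.0/24
EOF
}

# Demo: print the batch for the sample list. For real use, feed the
# output to `ipset -exist restore` and reference the set from a rule
# placed before the drop rules, e.g.
#   -A INPUT -p tcp --dport 22 -m set --match-set isp_allow src -j ACCEPT
sample=$(mktemp)
write_sample_prefixes "$sample"
build_ipset_batch isp_allow "$sample"
rm -f "$sample"
```

Run the fetch-and-swap from cron or a systemd timer, keeping the previous list on disk and calling prefixes_changed before rebuilding; that is all a "daemon" for this job would do, since nothing on the host sees BGP updates directly, it polls an external prefix source. The `-exist` flag on restore keeps the two `create` lines from failing on later runs, and `swap` is what makes the update safe: the rule keeps matching the old contents until the new ones are fully loaded.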

I think it would be more convenient to use a VPN like tailscale, or a bastion like teleport.
Even better: put the SSH port behind WireGuard/Tailscale.
That's basically what I do: nftables is configured to drop most* incoming traffic unless it's coming from wg0.

*: with the exception of WireGuard's ports, Transmission's non-admin ports, etc.