[03:00] <lotuspsychje> good morning
[14:15] <leftyfb> man, there's been a HUGE uptick in ssh attacks on my servers. All of which run on non-standard ports and don't allow password auth.
[14:19] <pragmaticenigma> leftyfb, how do you monitor your ssh service?
[14:19] <leftyfb> fail2ban
[14:19] <leftyfb> I get emails for every block
[14:19] <pragmaticenigma> oh... if I don't have that, do you have a recommendation for a log file to monitor?
[14:19] <leftyfb> the last few nights I wake up to hundreds of emails
[14:20] <leftyfb> fail2ban already has built-in rules for ssh. You should only have to enable ssh
[14:20] <pragmaticenigma> I don't have fail2ban... nor emails setup
[14:21] <leftyfb> sudo apt install fail2ban
[14:21] <leftyfb> you could install something like ssmtp for outbound emails
[14:22] <pragmaticenigma> `tail -fn 500 /var/log/auth.log` seems to be enough for what I need at the moment
[14:22] <leftyfb> fail2ban automatically blocks IPs if there's too many failed logins
[14:23] <pragmaticenigma> I'm just trying to see if I have a concern... thanks for the suggestion. I'm just going to close the port on the firewall for now
[14:23] <leftyfb> I also have it monitoring email and web logs
[14:24] <leftyfb> I wrote some custom plugins specifically for wordpress looking for attempts at vulnerabilities
[14:24] <leftyfb> also failed logins on the wordpress admin page
[14:29] <pragmaticenigma> I haven't seen this aggressive of attempts to ssh since before I switched to using a non-standard port... wonder what's going on
[15:46] <pragmaticenigma> there... that should reduce my unwanted activity... only IPs from my region are allowed... not a perfect solution, but cuts out a lot of the noise
[15:47] <pragmaticenigma> now to look into other tools
[15:57] <oerheks> Suricata ?
[16:03] <pragmaticenigma> I'll probably go the fail2ban route like lefty
[16:05] <oerheks> yes, that should be standard nowadays.
[16:05] <oerheks> Suricata comes in mind after they break in..
[16:06] <leftyfb> "after they break in" = wipe machine and start rebuild/restore
[16:06] <oerheks> with root login, sure.
[16:07] <leftyfb> any login
[16:07] <leftyfb> PEV's exist
[16:23] <pragmaticenigma> indeed... if someone has gotten into the system, time to wipe and start over
[18:47] <arraybolt3> this makes me curious...
[18:49] <arraybolt3> huh, well that's alarming, I see the SSH server I'm on has plenty of attacks against it too
[18:51] <arraybolt3> people trying to log in as root, telecomadmin, test, admin1, webadmin, and some weird ones like yvonne and thomnode (? no one named either of those names uses our server)
[19:02] <leftyfb> "plenty of attacks" is normal
[19:03] <leftyfb> but there's been a significant uptick
[19:04] <pragmaticenigma> yep... big uptick... especially when running on a non-standard port, being very intriguing
[19:22] <leftyfb> I changed the port on most of my servers and cut down the reports significantly
[19:23] <leftyfb> until the idiots update their scripts or they have port scanners and ping my new port which feeds to their ssh attack script
[19:23] <leftyfb> usually they don't put that much effort into it though
[19:23] <leftyfb> March 10th looks to be the craziest for some reason
[19:25] <pragmaticenigma> more like... once tried... why does it keep trying to get in? script kiddie no doubt
[19:26] <pragmaticenigma> possible that this is one of those hack-as-a-service outfits?
[19:26] <leftyfb> it's trying different user/pass combinations
[19:27] <leftyfb> https://paste.ubuntu.com/p/4CKtkGRDJt/
[19:27] <leftyfb> these are the number of attempts per day for this month
[19:27] <pragmaticenigma> probably coming from rainbow tables