Ummm china wtf are you doing?

Leave any server running for .0002s and you will find a chink trying to access

That's why I firewall any connection except from whitelisted ips

What I'd like to know is how quickly a single machine can scan a server for vulnerabilities/open access. Up to 4.3 billion IPv4 addresses, assuming it takes 1 second to scan each one, it would still take you over 100 years to scan all of them. Anyone know how these bots work in practice?

>>101390276
I'm using fail2ban as I need to access it from random places sometimes

>>101390252
>FEDora
>Is surprised when China tracks them
You deserve this

PRC has the most sophisticated and largest cyber operations in the world. This is all automated. They don't even assign agents to deploy the exploits. You get rekt automatically.

>>101390296
They already have the compute infrastructure to monitor 1.4 billion people in real time; they simply put less attention on those who toe the line and redeploy it to foreign addresses. This is what the social credit score is used for.

>change the ssh port to a random high number
>chinks trying to connect stop
prc defeated

>>101390252
>Received disconnect from 47.52.198.243 port 51076.11: Bye Bye [preauth]
>Bye Bye [preauth]
>Bye Bye

>>101390296
you can scan addresses in parallel. Maintain 100 concurrent connections and it will only take you a year

>>101390296
the only pragmatic way it's possible is to reduce drastically the universe of the IPs to scan, which means the chinese have secretly introduced a worm in the distros to connect to their servers, thus instantly getting the knowledge of which IPs to scan.

>>101390252
putting ssh (or anything) behind wireguard defeats the chink/ruskie

>>101390380
>PRC has most sophisticated and largest cyber operations in the world
lmao. never happened. they are literally script kiddy level attacks that are extremely amateur.
>>101390390
>They already have the compute infrastructure to monitor 1.4 billion people
they don't. their systems are extremely fragmented. stop believing chink propaganda.

>>101390704
the chinks scan known IP ranges for vulnerable VPS/servers of known ISPs, telcos etc. ching chong, xiang lee woo.

>>101390307
bloat, just use an auth key instead of password and voila

Russia getting in on the action

>>101390252
first time opening a network to the world and seeing just how bad it is?

>>101390780
Different anon, I don't use fail2ban myself, but I can argue using auth key alone doesn't prevent clients trying to exploit sshd. Fail2ban blocks them in the client firewall.

I use a simple, custom geoip script to block access
if I'm counting correctly, in this random sample, there's
1 singapore ip
1 russia ip
1 japan ip
2 india ips
2 vietnam ips
2 china ips
5 usa ips

>>101390995
dangerously based chad. it's the best way to filter 99% of the fucking shit.

>>101390995
>>101391086
>>101390995
>geoip script to
that just means you indiscriminately block access to genuine people who want to see your website

>>101391252
no, dummy
this is an SSH thread
y'know, the program that adds remote access to your pc
even if it was a site, if way too many ips from the same country show errant behavior then just block them all

>>101391252
> no seriously! i am this fucking retarded!
fuck off, retard.

>>101391252
And mobile providers. Some Verizon LTE connections will geolocate to Canada, even with commercial databases.

>>101390995
>5 usa ips
USA! USA!

>>101390995
Pretty cool, how is it implemented? Do you have a geoip database?

Just moved the ssh port to some higher one and never saw anyone trying to connect to it again

>>101390995
forever or for how much time?

>>101392489
kinda, I just use the "geoiplookup" command to convert an ip into a country
use it in a script to check if the country is the one I set or if the ip is local
and then I use "/etc/hosts.allow" to block the connections
this idea isn't mine
>>101392539
I'm running mine on a high port too (60k+) and yet I still receive around 1k connections a day
>>101392829
it's not a ban, it just refuses requests from outside my country
yeah, forever I guess

>>101392539
I'm 2222 and I get a fucking shitton

>>101390296
using zmap you can scan the entire IPv4 space in under 45 minutes if you have gigabit Ethernet

>>101390380
The PRC operates within the bounds the US CIA allows. The CIA knows every single thing these amateurs are doing and allows them to access unimportant targets and honeypots to lull them into a false sense of superiority. In actuality, the US CIA has tools that can hack into and access the most secure of China's infrastructure. Every single communication made in Asia and Europe is tracked, and China knows this, and China is powerless to do anything about it.

>>101393185
this is the single most retarded cope I have ever seen

>>101390319
>>FEDora
New level of schizo unlocked

>>101390276
how do i block chinese ips from accessing my server? i'm on debian 12, i have nginx and a cloudflare tunnel

>>101390399
i did this and it doesn't work

>>101394006
iptables

>>101394006
ufw

>>101394006
iptables, fail2ban, moving your SSH port to a non-standard one (no, not 222, 2222 or 2024 either)
also, enforce public key authentication (use a strong curve like Curve448 if your SSH daemon supports it. If not, use Curve25519) and completely disable password authentication

Just use port knocking

>>101390252
They're likely going to test for this new OpenSSH vuln.

>>101394326
The openssh vuln is the biggest nothingburger of all time. It theoretically takes weeks to exploit on an x64 system with ASLR, and no test has actually been carried out proving it's possible.

>>101394311
I'm 2222 what's wrong with that?

>>101390296
they probably only scan ranges associated with certain countries

>>101394372
it's literally 22 twice
and it's a low number
at least try 22222

just harden your ssh at ssh-audit.com and most of the bots won't be able to negotiate as they are running old out of date python with shitty old ssh libraries.
If you wanna fuck with them add a really long VersionAddendum in sshd_config after testing locally that your client can handle it. 200+ characters is enough to get most bots stuck.

>>101390252
Just rangeban China, Russia and other third-world shitholes and put SSH on some random high port (ideally above 10000). Putting it behind VPN also helps.

>>101394563
I would just put some high random number. They could also be trying these easy to remember numbers.

>>101394372
it's another commonly used port, I change mine to a randomly generated number between 10240 and 65536 every month or so.
>>101394563
that's not much better

>>101390307
Just use wireguard

>>101394710
>>101390715
I thought everybody did this, why would you just open your SSH to the world? It's not like you want randoms connecting to it

>>101394710
>>101394826
is that pay2use?

>>101394875
No, it's mostly GPL I think. It's also just a VPN, I don't see why you couldn't use OpenVPN instead, but I'm not a cybersecurity autist.
I like to set up all my stuff on a vlan.

>>101394826
I need "all hell went loose" kind of remote. OpenVPN is a transport layer that can go offline, any VPN is, for that matter. I need a backup remote port for my infra that I visit maybe a few times a year, physically.

>>101395147
Sshd can go down too fucktard
Anyways I said it before and I'll say it again. Just use port knocking.

>>101395211
>Just use port knocking.
You can't just use that. It requires thinking, thinking is hard.

Chinks always try to break into things

>>101390276
>>101390252
Russia loves to do it, too.
My grandpa used to have an old machine in the early 2000s that he had set up with an absurdly weak password and after 10ish seconds a script would announce (using the wall command) that the computer was "very tired" and was going to take a nap before rebooting.

>>101394826
Because you can't break my SSH key. It makes no sense to worry about autistic additional security when SSH keys are essentially unbreakable.
My logs look like OP's every day and I just ignore it. They never get in.

>>101395321
Yup, this is just the last six hours of failed logins.

>>101395860
I mean this

do retards here really expose ssh?
use authenticated hidden service and you will get zero pings

>>101390869
fail2ban doesn't even work for authkey anyway, it's only useful for password based authentication. with an authkey, your china hackermen can't even try to brute-force any password since they don't even have the key, so it's already game over for them before they even try. so basically if you keep using password + fail2ban for SSH you are just lowering security, making your server more prone to attacks and letting a third party modify your iptables and just polluting logs for no reason. btw i'm speaking for SSH only, because fail2ban can be useful for other services like nginx, apache etc.

>>101395964
>use authenticated hidden service and you will get zero pings
zero pings but a 3 second latency between each input lol

>>101390296
you can port scan the entire ipv4 range in about 20 minutes. then collect all the IPs with port 22 opened and test ssh vulnerabilities on all of them

>>101395860
kek

>>101390390
>China built computer infrastructure that actually works (First lie) and exceeds the West (Second lie)
You're not very bright, are you? You wouldn't just go and tell lies on the internet, would you?

HE DOESN'T BLOCK ALL CHINA IPS
NGMI

>>101393674
He's not coping, but he's ascribing capability to the CIA which comes from the NSA.
Also never sleep on Russia, those guys are like a drunken hobo who can wake up and complete his physics PhD anytime he wants.

>>101397850
>not datamining the chinks
ngmi

>>101396369
>but a 3 second latency between each input lol
about 100ms for me
and implying ssh isn't already slow due to bloatcryption

>have multiple exposed ssh servers on port 22
>thousands of failed login attempts every day
>don't give a shit because I have password auth disabled and patch my shit regularly
retards losing their minds over low effort automated scans and wasting their time trying to dodge/block them is so funny to me

>>101398255
>be me
>run ssh on port 22 with default configuration
>use a long password
>install fail2ban
That's all you need to do, key authentication is for pussies, I don't understand what securityniggers think the problem is with password auth.
It takes 5 seconds before sshd responds with a password and you're banned after 5-10 tries. Chinese bot farms can't even crack a 16-character password when they're computing sha256 hashes at millions per minute. How are they going to get into my linux box?

>>101398322
>>install fail2ban
not needed if you don't use password auth since pubkey auth cannot be bruteforced
and if your password is long and randomly generated, you're probably not going to memorize it so the only advantage of password auth is lost, might as well just use a key

>>101398406
>and if your password is long and randomly generated, you're probably not going to memorize it
It's not randomly generated. I remember mnemonics and am capable of creating variations that are sufficiently distinct from each other. I have passwords in my head that are up to 45 characters long.

>>101398733
>typing a 45 character password every time you need to login

>>101398746
What's the problem? It takes 10 seconds.

>>101398776
using a private key takes 0 seconds

>>101398781
It's a figure of speech. Typing a 45-character password you memorized should only take about 2 seconds.

>>101398781
private key with no password can be stolen by info stealer
then you're right back to needing a long password

>>101398781
Also think of all the time you're wasting setting up a private key.
>10 minutes of typing commands and editing config files
vs
>passwd

>>101398812
>10 seconds running an openssh command to generate a key and 30 seconds to add it to authorized_keys and disable password auth
>vs 5 hours changing your ssh port and adjusting your firewall accordingly, installing and setting up fail2ban, setting up geoip blocks, and whatever other cope you come up with because deep down you know your password auth is not secure

>>101398837
>installing and setting up fail2ban
apt install fail2ban

ssh-copy-id. done
if I were to open an ssh port externally I'd do it on some random port above 60000 so it would take a few seconds before the walk found it.

>>101390252
Today is a slow day.
On a good day, chang can put out 600 unsuccessful attacks/30min.

i rangebanned entire china, taiwan, russia and india because of this shit

>>101399008
What is that frontend called? It looks epic.

>>101394006
Zerotier vpn is free

>>101399063
It's actually a dashboard built using grafana.
The various widgets simply display the results of queries against the database table where the failed attacks are logged.
The database is populated by a daemon which parses the live system log.

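
An added example (not the poster's code) of the parsing such a log-fed dashboard rests on: it matches the two sshd preauth messages quoted in this thread, counts one event per connection (source IP plus client port) so a failure line and its disconnect line are not counted twice, and flags sources that hit a hypothetical maxretry/findtime threshold, which is the figure a Grafana table or a ban list would be fed. The hostname, PIDs and the 198.51.100.7 address in the sample are constructed; 47.52.198.243 is the address quoted earlier in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix (no year in the timestamp) plus the two sshd preauth messages quoted in this thread.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed (?:password|publickey) for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2")
DISCONNECT_RE = re.compile(_PREFIX + r"Received disconnect from (?P<ip>[\d.]+) "
                           r"port (?P<port>\d+):\d+: .*\[preauth\]")

def parse_ts(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarize(lines, year, maxretry=3, findtime=timedelta(minutes=10)):
    """Per source IP: failed/aborted connections, usernames tried, and whether
    maxretry connections fell inside one findtime window (fail2ban's maxretry/
    findtime idea; the thresholds here are hypothetical). A connection is keyed
    by (ip, client port), so its 'Failed' and 'Received disconnect' lines count once."""
    first_seen = {}            # (ip, port) -> earliest timestamp of that session
    users = defaultdict(set)   # ip -> usernames it tried
    for line in lines:
        m = FAILED_RE.match(line) or DISCONNECT_RE.match(line)
        if not m:
            continue           # accepted logins, cron, sudo etc. are ignored
        key = (m.group("ip"), m.group("port"))
        ts = parse_ts(m.group("ts"), year)
        first_seen[key] = min(ts, first_seen.get(key, ts))
        if "user" in m.groupdict():
            users[key[0]].add(m.group("user"))

    report = {}
    for ip in {k[0] for k in first_seen}:
        times = sorted(t for (a, _p), t in first_seen.items() if a == ip)
        flagged = any(times[i + maxretry - 1] - times[i] <= findtime
                      for i in range(len(times) - maxretry + 1))
        report[ip] = {"connections": len(times), "users": sorted(users[ip]), "flagged": flagged}
    return report

# Constructed sample log. 47.52.198.243 is the address quoted in the thread;
# 198.51.100.7 is a TEST-NET address standing in for a legitimate user.
SAMPLE_LOG = """\
Jul  1 03:14:01 vps sshd[1201]: Failed password for invalid user admin from 47.52.198.243 port 51076 ssh2
Jul  1 03:14:02 vps sshd[1201]: Received disconnect from 47.52.198.243 port 51076:11: Bye Bye [preauth]
Jul  1 03:14:05 vps sshd[1203]: Failed password for root from 47.52.198.243 port 51080 ssh2
Jul  1 03:14:06 vps sshd[1203]: Received disconnect from 47.52.198.243 port 51080:11: Bye Bye [preauth]
Jul  1 03:14:09 vps sshd[1205]: Received disconnect from 47.52.198.243 port 51084:11: Bye Bye [preauth]
Jul  1 03:40:00 vps sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul  1 03:40:30 vps sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
""".splitlines()
```

Feed summarize() the lines of /var/log/auth.log (or the output of journalctl -u ssh) instead of SAMPLE_LOG; the per-IP connection count is what the dashboard widgets would display.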
>>101399168
That's cool, I've seen some pretty sweet Grafana dashboards.

>>101394594
Just do this ^^^
then configure rsyslog to filter out the rest of the noise that remains. [SOLVED]

>>101390252
This is why I geoblock entire regions from connecting to my servers. China, Russia, India, Africa, the entire Middle East, Israel, Argentina, et cetera.

>>101391252
>that just means you indiscriminately block access to genuine people who want to see your website
Fuck them, they shouldn't live in third world shit holes full of box pingers and street shitting rapists.

anons in this thread talking about how hard it is to scan the entire ipv4 internet probably don't know this exists
https://github.com/robertdavidgraham/masscan

>>101390276
Doesn't every router already do this by default?

Can someone explain what's up with that NL5xU... username. Both >>101390252 and >>101395909 have it.

I have no idea what I'm looking at. What do I need to read or study to understand what is going on?

Why not: `iptables -A INPUT -p tcp --dport 22 -s Your.I.P.Address -j ACCEPT` and forget about it?

>>101399935
It's probably the same person.

>>101399858
masscan is easy to block as it does not set mss.
-A PREROUTING -d ${your_wan_ip}/32 -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 1220:1460 -j DROP
try it. also stops hping3 floods.

>>101399987
china men are trying to invade op's anus

>>101398322
>key authentication is for pussies
A 128 bit key is MILES ahead of regular passwords, and using Curve448 you get 224 bits.
but yeah, let's keep using passwords instead of a much more secure alternative.

>>101390252
this board is full of college kids and illiterate tech people. shit sucks

>>101401660
and if you need to frequently ssh into your server from different computers when traveling?

>>101390276
>I firewall
Finally someone with half a brain on this accursed website. 'Twas about time.

>>101390307
>making your system even more exploitable by using this piece of shit
lol lmao
you can do the same in pf literally with one line

>>101402052
It's literally just a script that blocks IPs if they make too many requests to configurable ports.

>>101402065
a script that parses logs and has been vulnerable in the past
it's completely stupid and pointless

>>101390252
Believe it or not, but it's called 'advertisement'.
What a scummy culture.

Alibaba really wants a partnership with you.

>>101402113
>>101402149
>/chinkshit general/ wants to know your location.

>>101390296
you don't have to wait for a scan to return before sending out the next probe.
also, rent VPSes in 10 or so datacenters across the world and you can now scan the entire internet in a matter of an hour

apt install fail2ban
I've actually had a break-in on a production server due to a weak password from this shit. The thing just mined bitcorns but it was a PITA to remove.

>>101396310
>it's only useful for password based authentication.
wrong. Still works with private keys and password login disabled in sshd_config

>>101390252
i hacking the box sars
i ping the ssh

>>101402606
>Still works with private keys
if you capture failed attempts from someone trying to bruteforce your PRIVATE KEY passphrase you have much bigger problems to take care of because you already got pwned

>>101394141
are you sure you're not responding on both the high port and 22?

submarine cables should be cut.

I bought a Chinese router from seeed studio that had like 5 different ip snooping services preinstalled, lol.

>>101402647
>not leveraging defense in depth
my private key is properly secured, but I'd much rather have those IPs perma blocked anyways

>>101402052
Please spoonfeed me that line, I'm new to pf

>>101403790
Adjust max-src-conn-rate accordingly, 3/30 works well for me.
table <abuse> persist
pass inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <abuse> flush)
block quick from <abuse>