/g/ - Technology






Ummm china wtf are you doing?
>>
Leave any server running for .0002s and you will find a chink trying to access
That's why I firewall any connection except from whitelisted ips
>>
What I'd like to know is how quickly a single machine can scan a server for vulnerabilities/open access. Up to 4.3 billion ipv4 addresses, assuming it takes 1 second to scan each one it would still take you over 100 years to scan all of them. Anyone know how these bots work in practice?
>>
>>101390276
I'm using fail2ban as I need to access it from random places sometimes
>>
>>101390252
>FEDora
>Is surprised when China tracks them
You deserve this
>>
PRC has most sophisticated and largest cyber operations in the world. This is all automated. They don't even assign agents to deploy the exploits. You get rekt automatically.
>>
>>101390296
They already have the compute infrastructure to monitor 1.4 billion people in realtime they simply put less attention on those who toe the line and redeploy it to foreign addresses. This is what the social credit score is used for.
>>
>change the ssh port to a random high number
>chinks trying to connect stop
prc defeated
>>
File: osaka mewing.jpg (72 KB, 1091x850)
>>101390252
>Received disconnect from 47.52.198.243 port 51076:11: Bye Bye [preauth]
>Bye Bye [preauth]
>Bye Bye
>>
>>101390296
you can scan addresses in parallel
maintain 100 concurrent connections and it will only take you a year
>>
>>101390296
the only pragmatic way it's possible is to drastically reduce the universe of the IPs to scan, which means the chinese have secretly introduced a worm in the distros to connect to their servers, thus instantly getting the known IPs to scan.
>>
>>101390252
putting ssh (or anything) behind wireguard defeats the chink/ruskie
>>
>>101390380
>PRC has most sophisticated and largest cyber operations in the world
lmao. never happened. they are literally script kiddy level attacks that are extremely amateur.

>>101390390
>They already have the compute infrastructure to monitor 1.4 billion people
they don't. their systems are extremely fragmented. stop believing chink propaganda.
>>
>>101390704
the chinks scan known IP ranges for vulnerable VPS/servers of known ISPs, telcos etc. ching chong, xiang lee woo.
>>
>>101390307
bloat, just use an auth key instead of password and voila
>>
File: russ.png (29 KB, 1055x304)
Russia getting in on the action
>>
>>101390252
first time opening a network to the world and seeing just how bad it is?
>>
>>101390780
Different anon, I don't use fail2ban myself, but I can argue using an auth key alone doesn't prevent clients trying to exploit sshd. Fail2ban blocks them in the client firewall.
>>
File: .png (169 KB, 889x777)
I use a simple, custom geoip script to block access
if I'm counting correctly, in this random sample, there's
1 singapore ip
1 russia ip
1 japan ip
2 india ips
2 vietnam ips
2 china ips
5 usa ips
>>
>>101390995
dangerously based chad. it's the best way to filter 99% of the fucking shit.
>>
>>101390995
>>101391086
>>101390995
>geoip script to
that just mean you indiscriminately block access to genuine people who want to see your website
>>
>>101391252
no, dummy
this is an SSH thread
y'know, the program that adds remote access to your pc
even if it was a site, if way too many ips from the same country show errant behavior then just block them all
>>
>>101391252
> no seriously! i am this fucking retarded!
fuck off, retard.
>>
>>101391252
And mobile providers. Some Verizon LTE connections will geolocate to Canada, even with commercial databases.
>>
>>101390995
>5 usa ips
USA! USA!
>>
>>101390995
Pretty cool, how is it implemented? Do you have a geoip database?
>>
Just moved the ssh port to some higher one and never saw anyone trying to connect to it again
>>
>>101390995
forever or for how much time?
>>
>>101392489
kinda, I just use "geoiplookup" command to convert an ip into a country
use it in a script to check if the country is the one I set or if the ip is local
and then I use /etc/hosts.allow to block the connections
this idea isn't mine

>>101392539
I'm running mine on a high port too (60k+) and yet I still receive around 1k connections a day

>>101392829
it's not a ban, it just refuses requests from outside my country
yeah, forever I guess
>>
>>101392539
I'm 2222 and I get a fucking shitton
>>
>>101390296
using zmap you can scan the entire IPv4 space in under 45 minutes if you have gigabit Ethernet
>>
>>101390380
The PRC operates within the bounds the US CIA allows. The CIA knows every single thing these amateurs are doing and allows them to access unimportant targets and honeypots to lull them into a false sense of superiority.
In actuality, the US CIA has tools that can hack into and access the most secure of China's infrastructure. Every single communication made in Asia and Europe is tracked, and China knows this, and China is powerless to do anything about it.
>>
>>101393185
this is the single most retarded cope I have ever seen
>>
>>101390319
>>FEDora
New level of schizo unlocked
>>
>>101390276
how do i block chinese ips from accessing my server? i'm on debian 12, i have nginx and a cloudflare tunnel
>>
>>101390399
i did this and it doesn't work
>>
>>101394006
iptables
>>
>>101394006
ufw
>>
>>101394006
iptables, fail2ban, moving your SSH port to a non-standard one (no, not 222, 2222 or 2024 either)

also, enforce public key authentication (use a strong curve like Curve448 if your SSH daemon supports it. If not, use Curve25519) and completely disable password authentication
>>
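The "enforce public key authentication and completely disable password authentication" step above is usually done by editing sshd_config, and the most common way it silently fails is getting the order wrong. This added example (not code from the thread or from OpenSSH) models two rules from sshd_config(5): `#` starts a comment, and for each keyword the first value obtained is the one used. That is why Debian/Ubuntu put `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file: a drop-in read first overrides everything below it, while the same settings appended at the bottom change nothing. Both config texts are constructed samples; the drop-in path in the comment is an assumption.

```python
"""Audit an sshd_config for the password/pubkey settings, honouring first-match-wins."""

# OpenSSH defaults for the keywords audited (from sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# What the hardened server should end up with.
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # otherwise PAM can still prompt for a password
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",                # 'prohibit-password' is accepted as well
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}.

    Lines after a 'Match' block start are skipped: they apply only to matching
    connections and cannot be judged statically.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            line = line.replace("=", " ", 1)       # 'Keyword=value' form
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value.strip())   # first occurrence wins
    return effective


def effective_config(main_text, dropins=()):
    """Model the Include-at-top layout: drop-ins are read before the main file."""
    return parse_sshd_config("\n".join(dropins) + "\n" + main_text)


def audit(effective):
    """Return {keyword: (actual, wanted)} for every audited setting that is weak."""
    findings = {}
    for key, wanted in WANTED.items():
        actual = effective.get(key, DEFAULTS[key]).lower()
        if key == "permitrootlogin" and actual == "prohibit-password":
            continue
        if actual != wanted:
            findings[key] = (actual, wanted)
    return findings


# Constructed sample: a stock-looking main file with the Include at the top ...
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
# ... and a constructed drop-in, e.g. /etc/ssh/sshd_config.d/99-hardening.conf (assumed path)
HARDEN_DROPIN = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    print("main file only:   ", audit(effective_config(MAIN_CONFIG)))
    print("drop-in on top:   ", audit(effective_config(MAIN_CONFIG, [HARDEN_DROPIN])))
    print("drop-in at bottom:", audit(parse_sshd_config(MAIN_CONFIG + HARDEN_DROPIN)))
```

After editing the real file, `sshd -T` prints the effective value of every keyword as the daemon will actually use it, and `sshd -t` syntax-checks the file before a restart; keep an existing session open while you do it.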
Just use port knocking
>>
>>101390252
They're likely going to test for this new OpenSSH vuln.
>>
>>101394326
The openssh vuln is the biggest nothingburger of all time. It theoretically takes weeks to exploit on an x64 system with ASLR, and no test has actually been carried out proving it's possible.
>>
>>101394311
I'm 2222 what's wrong with that?
>>
>>101390296
they probably only scan ranges associated with certain countries
>>
>>101394372
it's literally 22 twice
and it's a low number
at least try 22222
>>
just harden your ssh at ssh-audit.com and most of the bots won't be able to negotiate as they are running old out of date python with shitty old ssh libraries.

If you wanna fuck with them add a really long VersionAddendum in sshd_config after testing locally that your client can handle it. 200+ characters is enough to get most bots stuck.
>>
>>101390252
Just rangeban China, Russia and other third-world shitholes and put SSH on some random high port (ideally above 10000). putting it behind VPN also helps.
>>
>>101394563
I would just put some high random number. They could also be trying these easy to remember numbers.
>>
>>101394372
it's another commonly used port, I change mine to a randomly generated number between 10240 and 65536 every month or so.

>>101394563
that's not much better
>>
>>101390307
Just use wireguard
>>
>>101394710
>>101390715
I thought everybody did this, why would you just open your SSH to the world? It's not like you want randoms connecting to it
>>
>>101394710
>>101394826
is that pay2use?
>>
>>101394875
No, it's mostly GPL I think. It's also just a VPN, I don't see why you couldn't use OpenVPN instead, but I'm not a cybersecurity autist.
I like to set up all my stuff on a vlan.
>>
>>101394826
I need "all hell went loose" kind of remote. OpenVPN is a transport layer that can go offline, any VPN is, for that matter. I need a backup remote port for my infra that I visit maybe few times a year, physically.
>>
>>101395147
Sshd can go down too fucktard
Anyways I said it before and I'll say it again. Just use port knocking.
>>
>>101395211
>Just use port knocking.
You can't just use that. It requires thinking, thinking is hard.
>>
File: 1696223802889234.jpg (121 KB, 1024x1021)
Chinks always try it break into things
>>
>>101390276
>>101390252
Russia loves to do it, too.
My grandpa used to have an old machine in the early 2000s that he had set up with an absurdly weak password and after 10ish seconds a script would announce (using the wall command) that the computer was "very tired" and was going to take a nap before rebooting.
>>
>>101394826
Because you can't break my SSH key. It makes no sense to worry about autistic additional security when SSH keys are essentially unbreakable.

My logs look like OP's every day and I just ignore it. They never get in.
>>
>>101395321
Yup, this is just the last six hours of failed logins.
>>
File: listb.png (362 KB, 2304x1296)
>>101395860
I mean this
>>
do retards here really expose ssh?
use authenticated hidden service and you will get zero pings
>>
>>101390869
fail2ban doesn't even work for authkey anyway, it's only useful for password based authentication. with an authkey, your china hackermen can't even try to brute-force any password since they don't even have the key, so it's already game over for them before they even try.

so basically if you keep using password + fail2ban for SSH you are just lowering security, making your server more prone to attacks and letting a third party modify your iptables and just polluting logs for no reason.

btw i'm speaking for SSH only, because fail2ban can be useful for other services like nginx, apache etc.
>>
>>101395964
>use authenticated hidden service and you will get zero pings
zero pings but a 3 second latency between each input lol
>>
>>101390296
you can port scan the entire ipv4 range in about 20 minutes. then collect all the IPs with port 22 opened and test ssh vulnerabilities on all of them
>>
File: GjcEvJD.png (22 KB, 541x39)
>>101395860
kek
>>
>>101390390
>China built computer infrastructure that actually works (First lie) and exceeds the West (Second lie)

You're not very bright, are you? You wouldn't just go and tell lies on the internet, would you?
>>
HE DOESN'T BLOCK ALL CHINA IPS

NGMI
>>
>>101393674
He’s not coping, but he’s ascribing capability to the CIA which comes from the NSA.

Also never sleep on Russia, those guys are like a drunken hobo who can wake up and complete his physics PhD anytime he wants.
>>
>>101397850
>not datamining the chinks
negmi
>>
>>101396369
>but a 3 seconds latency between each inputs lol
about 100ms for me
and implying ssh isn't already slow due to bloatcryption
>>
File: 1594496420246.gif (1.18 MB, 900x900)
>have multiple exposed ssh servers on port 22
>thousands of failed login attempts every day
>don't give a shit because I have password auth disabled and patch my shit regularly

retards losing their minds over low effort automated scans and wasting their time trying to dodge/block them is so funny to me
>>
>>101398255
>be me
>run ssh on port 22 with default configuration
>use a long password
>install fail2ban
That's all you need to do, key authentication is for pussies, I don't understand what securityniggers think the problem is with password auth.
It takes 5 seconds before sshd responds with a password and you're banned after 5-10 tries. Chinese bot farms can't even crack a 16-character password when they're computing sha256 hashes at millions per minute. How are they going to get into my linux box?
>>
>>101398322
>>install fail2ban
not needed if you don't use password auth since pubkey auth cannot be bruteforced
and if your password is long and randomly generated, you're probably not going to memorize it so the only advantage of password auth is lost, might as well just use a key
>>
>>101398406
>and if your password is long and randomly generated, you're probably not going to memorize it
It's not randomly generated. I remember mnemonics and am capable of creating variations that are sufficiently distinct from each other. I have passwords in my head that are up to 45 characters long.
>>
>>101398733
>typing a 45 character password every time you need to login
>>
>>101398746
What's the problem? It takes 10 seconds.
>>
>>101398776
using a private key takes 0 seconds
>>
>>101398781
It's a figure of speech. Typing a 45-character password you memorized should only take about 2 seconds.
>>
>>101398781
private key with no password can be stolen by info stealer
then you're right back to needing a long password
>>
>>101398781
Also think of all the time you're wasting setting up a private key.
>10 minutes of typing commands and editing config files
vs
>passwd
>>
>>101398812
>10 seconds running an openssh command to generate a key and 30 seconds to add it to authorized_keys and disable password auth
>vs 5 hours changing your ssh port and adjusting your firewall accordingly, installing and setting up fail2ban, setting up geoip blocks, and whatever other cope you come up with because deep down you know your password auth is not secure
>>
>>101398837
>installing and setting up fail2ban
apt install fail2ban
>>
copy-ssh-id. done
if I were to open an ssh port externally I'd do it on some random port above 60000 so it would take a few seconds before the walk found it.
>>
File: 1713974236068328.png (233 KB, 1537x924)
>>101390252
Today is a slow day.
On a good day, chang can put out 600 unsuccessful attacks/30min.
>>
i rangebanned entire china, taiwan, russia and india because of this shit
>>
>>101399008
What is that frontend called? It looks epic.
>>
>>101394006
Zerotier vpn is free
>>
>>101399063
It's actually a dashboard built using grafana.
The various widgets simply display the results of queries against the database table where the failed attacks are logged.
The database is populated by a daemon which parses the live system log.
>>
>>101399168
Thats cool, I've seen some pretty sweet Grafana dashboards.
>>
File: SSH_SILENCE_100038.png (116 KB, 262x262)
>>101394594
Just do this ^^^
then configure rsyslog to filter out the rest of the noise that remains. [SOLVED]
>>
>>101390252
This is why I geoblock entire regions from connecting to my servers. China, Russia, India, Africa, the entire Middle East, Israel, Argentina, et cetera.
>>
>>101391252
>that just mean you indiscriminately block access to genuine people who want to see your website
Fuck them, they shouldn't live in third world shit holes full of box pingers and street shitting rapists.
>>
anons in this thread talking about how hard it is to scan the entire ipv4 internet probably don't know this exists
https://github.com/robertdavidgraham/masscan
>>
>>101390276
Doesn't every router already do this by default?
>>
Can someone explain what's up with that NL5xU... username. Both >>101390252 and >>101395909 have it.
>>
I have no idea what I'm looking at. What do I need to read or study to understand what is going on?
>>
Why not: `iptables -A INPUT -p tcp --dport 22 -s Your.I.P.Address -j ACCEPT` and forget about it?
>>
>>101399935
It's probably the same person.
>>
>>101399858
masscan is easy to block as it does not set MSS.

-A PREROUTING -d ${your_wan_ip}/32 -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 1220:1460 -j DROP

try it. also stops hping3 floods.
>>
>>101399987
china men are trying to invade op's anus
>>
>>101398322
>key authentication is for pussies
A 128 bit key is MILES ahead of regular passwords, and using Curve448 you get 224 bits.

but yeah, let's keep using passwords instead of a much more secure alternative.
>>
>>101390252
this board is full of college kids and illiterate tech people. shit sucks
>>
>>101401660
and if you need to frequently ssh into your server from different computers when traveling?
>>
>>101390276
>I firewall
Finally someone with half a brain on this accursed website. 'Twas about time.
>>
File: 1705308211746420.png (348 KB, 1201x896)
>>101390307
>making your system even more exploitable by using this piece of shit
lol lmao
you can do the same in pf literally with one line
>>
>>101402052
It's literally just a script that blocks IPs if they make too many requests to configurable ports.
>>
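The "script that blocks IPs if they make too many requests" described in the post above, written out as an added example (not fail2ban's code, not from the thread). It counts per-IP sshd failures inside a sliding window (`findtime`), bans after `maxretry`, and lets bans expire after `bantime`, which is the logic the fail2ban posts above argue about. The log lines are constructed samples in the OpenSSH message formats visible in the OP's screenshot (`Received disconnect ... [preauth]`) plus `Invalid user`, `Connection closed by ... [preauth]` and `Failed password`, with rsyslog-style ISO timestamps and TEST-NET addresses; a real deployment would hand the decisions to nftables/iptables/pf, here they are returned as data.

```python
"""Minimal log-driven SSH jail: sliding-window failure counting with ban expiry."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd messages that indicate a failed or abandoned login attempt. A pubkey-only server
# never logs 'Failed password', but still logs the preauth disconnects bots produce.
FAILURE_PATTERNS = [
    re.compile(r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"Invalid user \S* ?from (?P<ip>\S+) port \d+"),
    re.compile(r"Received disconnect from (?P<ip>\S+) port \d+:\d+: .* \[preauth\]"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user \S+ (?P<ip>\S+) port \d+ \[preauth\]"),
]


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> epoch seconds of recent failures
        self.banned = {}                      # ip -> epoch second at which the ban expires

    def expire(self, now):
        """Lift every ban whose bantime has elapsed."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]

    def observe(self, ts, ip):
        """Record one failure at epoch `ts`; return True if it triggers a new ban."""
        self.expire(ts)
        if ip in self.banned:
            return False                      # already blocked, nothing new to do
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.findtime:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            recent.clear()
            return True
        return False


def parse_line(line):
    """Return (epoch, ip) for an sshd failure line in '<iso-time> <host> sshd[pid]: msg' form, else None."""
    try:
        stamp, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(stamp).timestamp()
    except ValueError:
        return None
    if "sshd[" not in rest:
        return None
    for pat in FAILURE_PATTERNS:
        m = pat.search(rest)
        if m:
            return ts, m.group("ip")
    return None


def process(lines, jail):
    """Feed log lines through `jail`; return [(ip, epoch_of_ban), ...] in order."""
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if jail.observe(ts, ip):
            bans.append((ip, ts))
    return bans


# Constructed sample log: one bot (203.0.113.7), one legitimate key login, one slow prober.
SAMPLE_LOG = """\
2024-07-09T12:00:01+00:00 vps sshd[4321]: Invalid user admin from 203.0.113.7 port 51000
2024-07-09T12:00:01+00:00 vps sshd[4321]: Received disconnect from 203.0.113.7 port 51000:11: Bye Bye [preauth]
2024-07-09T12:00:03+00:00 vps sshd[4322]: Invalid user oracle from 203.0.113.7 port 51002
2024-07-09T12:00:03+00:00 vps sshd[4322]: Connection closed by invalid user oracle 203.0.113.7 port 51002 [preauth]
2024-07-09T12:00:05+00:00 vps sshd[4323]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-07-09T12:00:09+00:00 vps sshd[4324]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2: ED25519 SHA256:AAAA
2024-07-09T12:00:20+00:00 vps sshd[4325]: Received disconnect from 198.51.100.9 port 40100:11: Bye Bye [preauth]
2024-07-09T12:30:00+00:00 vps sshd[4326]: Received disconnect from 198.51.100.9 port 40101:11: Bye Bye [preauth]
2024-07-09T13:05:00+00:00 vps sshd[4327]: Failed password for root from 203.0.113.7 port 51010 ssh2
"""

if __name__ == "__main__":
    jail = Jail()
    print(process(SAMPLE_LOG.splitlines(), jail), jail.banned)
```

Note that one bot connection typically produces two matching lines (`Invalid user` and the preauth disconnect from the same sshd pid), so `maxretry` counts lines, not connections; dedupe on the pid if that matters to you. The window logic is also the reason the slow prober at 198.51.100.9 is never banned.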
>>101402065
a script that parses logs and has been vulnerable in the past
it's completely stupid and pointless
>>
File: Capture.jpg (31 KB, 642x419)
>>101390252
Believe it or not, but it's called 'advertisement'.
What a scummy culture.
>>
File: Capture.jpg (30 KB, 627x418)
Alibaba really wants a partnership with you.
>>
>>101402113
>>101402149
>/chinkshit general/ wants to know your location.
>>
>>101390296
you don't have to wait for a scan to return before sending out the next probe.
also, rent VPSes in 10 or so datacenters across the world and you can now scan the entire internet in a matter of an hour
>>
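The point made in the post above and in the earlier "you can scan addresses in parallel" replies, shown in code as an added example (not from the thread, not zmap or masscan): a scanner does not wait for one probe to answer before sending the next, it keeps many in flight. zmap and masscan go further with stateless SYN probes and no kernel connection state, which is how they reach the whole IPv4 space in under an hour; this is the simpler bounded-concurrency TCP connect version. `demo()` scans only 127.0.0.1 against a listener it starts itself, so it runs offline; the port numbers are whatever the OS hands out.

```python
"""Bounded-concurrency TCP connect scan with asyncio."""
import asyncio
import socket


async def probe(host, port, timeout, sem):
    """Return (host, port, open) where open is True if a TCP handshake completes within `timeout`."""
    async with sem:                            # at most `concurrency` probes in flight
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return host, port, False
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return host, port, True


async def scan(targets, concurrency=256, timeout=1.0):
    """Probe every (host, port) in `targets`; return the sorted list of open ones."""
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(probe(h, p, timeout, sem) for h, p in targets))
    return sorted((h, p) for h, p, is_open in results if is_open)


def _free_port():
    """Ask the kernel for an unused local TCP port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


async def _demo():
    open_port = _free_port()
    closed_port = _free_port()
    while closed_port == open_port:            # guard against the kernel reusing the number
        closed_port = _free_port()
    # Local listener standing in for an exposed sshd; nothing listens on closed_port.
    server = await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", open_port)
    try:
        found = await scan([("127.0.0.1", open_port), ("127.0.0.1", closed_port)],
                           concurrency=64, timeout=0.5)
    finally:
        server.close()
        await server.wait_closed()
    return found == [("127.0.0.1", open_port)]


def demo():
    """True when the scan reports exactly the port the local listener opened."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print("scan found only the listening port:", demo())
```

With `concurrency` probes outstanding and a `timeout` for the silent ones, the wall time for N targets is roughly N * timeout / concurrency rather than N * timeout, which is the whole difference between the "100 years" estimate and the real figures quoted above; the remaining gap to zmap is the cost of full connects and per-socket kernel state.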
apt install fail2ban

I've actually had a break-in on a production server due to a weak password from this shit. The thing just mined bitcorns but it was a PITA to remove.
>>
>>101396310
>it's only useful for password based authentication.
wrong. Still works with private keys and password login disabled in sshd_config
>>
>>101390252
i hacking the box sars
i ping the ssh
>>
>>101402606
>Still works with private keys
if you capture failed attempts from someone trying to bruteforce your PRIVATE KEY passphrase you have much bigger problems to take care of because you already got pwned
>>
>>101394141
are you sure you're not responding on both the high port and 22?
>>
submarine cables should be cut.
>>
I bought a Chinese router from seeed studio that had like 5 different ip snooping services preinstalled, lol.
>>
>>101402647
>not leveraging defense in depth
my private key is properly secured, but i much rather have those IPs perma blocked anyways
>>
>>101402052
Please spoonfeed me that line, I'm new to pf
>>
>>101403790
Adjust max-src-conn-rate accordingly, 3/30 works well for me.
table <abuse> persist

pass inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <abuse> flush)

block quick from <abuse>
All trademarks and copyrights on this page are owned by their respective parties. Images uploaded are the responsibility of the Poster. Comments are owned by the Poster.