# Should I report spurious ssh login attempts?

## Goverp

I've a raspberry pi that lives purely to tell me that power is on - I ping it using ssh, and if it's not there, something's up with power.

It's got a UFW firewall with rate limiting on ssh, and ssh config to disallow passwords and root, and sits behind a router firewall with port forwarding for ssh (only).

So, the script kiddies of the world keep trying to sign in.  I have a little script that looks at lastb output and counts the number of different IP addresses where these kiddies claim to be signing on since yesterday.  Usually AWS accounts or the like.

Should I tell/complain to AWS or whoever?  At the moment, it's just a honeypot to distract them slightly.
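A version of the counting script described above, added here as an example (it is not the original poster's script). It assumes util-linux `lastb`, whose `-s yesterday` does the "since yesterday" filtering, and lastb's default column layout; the sample output is constructed.

```python
# Added example (not the original poster's script): summarise the failed SSH
# logins that util-linux lastb records, counting distinct origins and the
# most-tried user names. Column layout assumed: user, tty, origin, timestamp.
import re
import subprocess
from collections import Counter

# One lastb record: user, tty (ssh:notty for SSH), origin host/IP, timestamp.
LASTB_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_lastb(text):
    """Yield (user, origin) for every record in lastb output."""
    for line in text.splitlines():
        line = line.strip()
        # Blank lines and the "btmp begins ..." trailer carry no record.
        if not line or line.startswith("btmp begins"):
            continue
        m = LASTB_RE.match(line)
        if m:
            yield m.group(1), m.group(3)

def summarise(text, top=5):
    """Return (number of distinct origins, top users, top origins)."""
    users, origins = Counter(), Counter()
    for user, origin in parse_lastb(text):
        users[user] += 1
        origins[origin] += 1
    return len(origins), users.most_common(top), origins.most_common(top)

# Constructed lastb output (documentation addresses) for running offline.
SAMPLE = """\
admin    ssh:notty    203.0.113.5      Tue Mar  5 10:21 - 10:21  (00:00)
admin    ssh:notty    203.0.113.5      Tue Mar  5 10:20 - 10:20  (00:00)
user     ssh:notty    198.51.100.7     Tue Mar  5 09:58 - 09:58  (00:00)
admin    ssh:notty    198.51.100.7     Tue Mar  5 09:57 - 09:57  (00:00)
ubnt     ssh:notty    192.0.2.44       Tue Mar  5 09:12 - 09:12  (00:00)

btmp begins Mon Mar  4 00:00:01 2024
"""

if __name__ == "__main__":
    try:
        # -s yesterday filters by time; btmp needs root, so fall back to the sample.
        text = subprocess.run(["lastb", "-s", "yesterday"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    n, top_users, top_origins = summarise(text)
    print(f"{n} distinct origins")
    print("most-tried users:", top_users)
    print("busiest origins:", top_origins)
```

Note that lastb cuts user names to 8 characters unless run with `-w`, so names longer than that appear truncated in the counts.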

----------

## mike155

Have you heard about the cosmic background radiation? The radiation that's simply there - everywhere - and you can't do anything about it?

Think of those login attempts as a kind of background noise in the internet. No matter where, no matter when... Whenever you connect a host to the internet, it will only take a few seconds before the first SSH login attempts arrive. There's nothing you can do about it. Just ignore those login attempts. Or configure your SSH server to listen on a port different than 22. This helps in most cases.  :Laughing:

----------

## NeddySeagoon

Goverp,

The IPv4 address space is full. No matter where someone does a port scan, they get a response.

You can use a non-standard port, or switch to IPv6 only, as that's not full yet :)

----------

## Jaglover

Think how easy it is to scan large IP blocks for open ports, just fire up your script ... I think the whole IPv4 address space is under constant scan. As mike155 said.

----------

## steve_v

Two words: fail2ban, and geoblocking.

Other than that, yeah. You run something on port 22, you expect bruteforce bots and skids. That's just the way the universe is.

----------

## pietinger

There is something you should know about (black hat) hackers: They don't use their own computers for scanning ports or trying scripted actions. They have a lot of already hacked Windows computers and use these as transit stations. You will only see the IP address of an innocent private (and untaught) user. Worse: many private users don't have a static (global) IP address. Their network provider gives them a temporary IP address for some days. After this they get a new one ... so blocking this address doesn't help you in any case ... if you tried to block these addresses you would soon have a big database  :Wink:

If you want to check an IP address take a look into: https://www.abuseipdb.com

----------

## Hu

Decades ago, reporting might have meant something.  Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet.  However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it.  Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.

----------

## pjp

If for some reason using a different port is undesirable, port knocking may be worth consideration to reduce logging noise.

----------

## Goverp

*Hu wrote:*

> Decades ago, reporting might have meant something.  Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet.  However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it.  Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.

OK, that was along the lines I was thinking: my question was meant as "would the legitimate operator be interested".  If not, I won't bother.

I'm not concerned about the idiots trying to get in (until the next security hole in ssh), so at least I'm consuming some small part of their effort.  If they do get in, there's nothing there.

----------

## Jaglover

Once upon a time I ran MPD in my router and opened the port for a friend. In two days I got more "friends" than I ever wished for.   :Shocked:

----------

## Hu

The legitimate owners should care, but some won't.  Even for those that do, reaching them is probably not worth the trouble.

----------

## figueroa

I've had good luck changing ports and finding one less popular than the one I had been using. The default port should be a non-starter. Pick a four-digit number and start there. I have had to change ports a couple of times on more than one host in the past.

net-analyzer/fail2ban is a real winner. I'm using stringent settings in /etc/fail2ban/jail.local:

```
bantime = 72h
findtime = 48h
maxretry = 3
```

In other words, on the third failed attempt within 48 hours, the IP is banned for 72 hours.

maxretry = 2 would also be OK. But, I don't have repeat offenders as it is.
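To see what those three settings actually do, here is an added example (not fail2ban's code and not the poster's config) that replays constructed sshd "Failed password" lines through a sliding-window model of findtime, maxretry and bantime; the host name, year and log lines are assumptions.

```python
# Added example (not fail2ban's code): replay sshd failures through a
# sliding-window model of the jail.local settings quoted above.
import re
from datetime import datetime, timedelta

BANTIME = timedelta(hours=72)   # the three values from jail.local above
FINDTIME = timedelta(hours=48)
MAXRETRY = 3
YEAR = 2024  # syslog lines omit the year; assumed for the constructed sample

# One sshd failure line: captures the timestamp and the source address.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(lines):
    """Yield (timestamp, ip) for each 'Failed password' line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def simulate(lines, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {ip: time the ban started} for addresses the jail would ban."""
    recent = {}   # ip -> failure times still inside the findtime window
    banned = {}   # ip -> when its ban began
    for ts, ip in parse_failures(lines):
        # A banned address is dropped by the firewall, so nothing new is logged.
        if ip in banned and ts < banned[ip] + bantime:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
            recent[ip] = []
    return banned

# Constructed log (documentation addresses), in time order: 198.51.100.7 fails
# three times but more than findtime apart; 203.0.113.5 fails four times in seconds.
SAMPLE_LOG = """\
Mar  1 08:00:00 pi sshd[1501]: Failed password for invalid user demo from 198.51.100.7 port 40000 ssh2
Mar  3 09:00:00 pi sshd[1701]: Failed password for invalid user demo from 198.51.100.7 port 40010 ssh2
Mar  5 10:20:01 pi sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  5 10:20:07 pi sshd[2103]: Failed password for invalid user user from 203.0.113.5 port 51240 ssh2
Mar  5 10:20:13 pi sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  5 10:20:20 pi sshd[2107]: Failed password for invalid user ubnt from 203.0.113.5 port 51260 ssh2
Mar  5 12:00:00 pi sshd[2301]: Failed password for invalid user demo from 198.51.100.7 port 40020 ssh2
""".splitlines()
```

With these settings only 203.0.113.5 gets banned (on its third failure); the slow address never accumulates three failures inside the 48 h window, even with maxretry = 2.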

----------

## Goverp

For amusement, here's the list of most popular account names people try on this box, with counts, since the last reboot:

```
4436 telecoma
4545 tech
4554 demo
4626 administ
4680 web
4690 ubnt
4697 support
4791 admin1
4850 profile1
4870 user1
4927 MikroTik
5007 user
5028 default
7125 admin
```

and the most popular IP addresses for the purported origins.

(I guess there would be a small benefit by incorporating some sensible sorting, aggregation and whois lookups).

----------

## Goverp

A minor update: since a recent system update, the number of spurious sign-in attempts has plummeted; only around 100 a day.  (My system feels quite lonely now!)

Perhaps that's down to OpenSSH disabling SHA-1 by default.  Maybe they were hoping to find a way in through that.

----------

## Anon-E-moose

For things like ssh, I like to use the firewall to filter out IPs by region.

I don't know anyone from Bahrain, Afghanistan or places in China, Russia, etc. so I just mass block those off, stops a lot of crap early on.

And I set it up to drop packets that don't meet my criteria for entry, not return "any" reply.

----------

## figueroa

Fail2Ban continues to work its magic. At the school, Geoloc banned any ssh requests not=usa. I still had to swap a couple sshd ports. Now we get none/month. At home, I had one last week, first in over a month, from China. I don't geographically ban at home.

Keyword = Fail2Ban

----------

