DO Ideas 2

Brute Force SSH attacks

Some kind of option that can be added at the creation of the droplet to use switch or router level blacklists? This way those of us that want set-it-and-forget-it protection can just turn this on, maybe use a protected gateway. Those who may be doing security research and want to see all the ugliness coming in to analyze logs can just not enable the protected gateway. A win-win for everyone. Maybe even a way to collect data from the hive to report offenders or attacks automatically, protecting everyone.

Starting about a year ago all of my servers started experiencing continuous brute force SSH attacks (usually originating from China). I installed fail2ban on my personal droplet and then on 6 other droplets I manage for clients. Watching my email notifications come in, I quickly realized I had to up my ban time to at least 3 weeks. Still the attacks kept coming; even ones that were banned for 3 weeks came back for more. My iptables were filling up with IPs to block and my inbox was getting inundated. I thought to myself, DigitalOcean has to know their networks are getting flooded by these same repeat offenders, negatively affecting everything from their clients to their networks, but they have done nothing to help us. Can you start blacklisting and blocking these IPs at the switch level to help us admins? Right now we're all easy targets, wasting bandwidth and CPU cycles on attacks that can and should be blocked.

  • Carl Moebis
  • Sep 11 2018
  • Ben commented
    September 11, 2018 16:44

    I've taken to permanently firewalling blocks that seem to produce a lot of ssh brute-forcing (as you note, most of them seem to be in China - I at this point have several province-wide network blocks firewalled - I'm occasionally tempted to see if I can find a list of all China netblocks and just block the whole country). Anymore, I keep an eye on the fail2ban report in logwatch, and if I see multiple bans come up in the same /24, I firewall off *at least* that /24.
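Ben's rule of thumb above (multiple bans in the same /24 means firewall the /24) written out as a small script; this is an added example, not code from the post or from fail2ban or logwatch. It reads fail2ban's own log format rather than the logwatch summary, the sample log lines are constructed, and the nftables table and set names it emits are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Shape of a fail2ban ban line, e.g.
# 2018-09-11 16:44:01,123 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.45
# Case-sensitive "Ban" so "Unban" lines are skipped.
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>[0-9a-fA-F:.]+)")

# Constructed sample log (not from the page); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2018-09-11 10:02:11,301 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.45
2018-09-11 10:09:37,904 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.201
2018-09-11 11:15:02,118 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
2018-09-11 12:40:55,670 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.9
2018-09-11 13:01:19,002 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.45
2018-09-11 14:22:48,531 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.66
"""

def bans_per_prefix(log_text, jail="sshd", prefixlen=24):
    """Count distinct banned IPv4 hosts per /prefixlen network for one jail."""
    seen = set()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m or m.group("jail") != jail:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address; ignore the line
        if ip.version == 4:  # the comment's heuristic is about IPv4 /24s
            seen.add(ip)
    return Counter(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                   for ip in seen)

def blocks_to_firewall(log_text, threshold=2, prefixlen=24):
    """Networks with at least `threshold` distinct banned hosts, as strings."""
    counts = bans_per_prefix(log_text, prefixlen=prefixlen)
    return sorted(str(n) for n, c in counts.items() if c >= threshold)

def nft_rules(networks):
    """Render nft commands for an assumed 'inet filter' table and 'ssh_blocks' set."""
    return [f"nft add element inet filter ssh_blocks {{ {n} }}" for n in networks]

if __name__ == "__main__":
    for rule in nft_rules(blocks_to_firewall(SAMPLE_LOG)):
        print(rule)
```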