Who Is That Knocking at My (SSH) Door?

(sheep.horse)

20 points | by speckx 2 days ago

2 comments

  • comrade1234 2 hours ago
    Lot of words to write about something that has been happening for literally decades. You'll learn to ignore it like everyone else and just move on. Or even better, set up fail2ban with the recidive jail to at least reduce the size of your daily server report email.
    • voidUpdate 2 hours ago
      I found it interesting. The part about the scripts trying "sheep" as the username was new to me. Not everybody knows everything, so it's nice to read a little article about new things.
      • iso1631 1 hour ago
        I found it interesting, but a honeypot would have been interesting -- how long do they spend trying passwords, for example.
    • c0l0 1 hour ago
      I recommend https://johannes.truschnigg.info/writing/2025-02-simple_effe... as an (imo) better approach than fail2ban parsing your logs to deal with the problem.
    • anygivnthursday 2 hours ago
      Often enough to switch to a different port to drastically cut down the noise, most bots probe the defaults.
      • tardedmeme 1 hour ago
        Or use IPv6 - they'll never guess the address.
    • justsomehnguy 1 hour ago
      xkcd 10000
  • Meneth 1 hour ago
    I got tired of dealing with SSH knocks and blocked the port for all external IPs, using WireGuard to get into the LAN.

    WireGuard is nice because, unlike most other services, it operates on UDP and sends no reply packet unless you know the key, so attackers can't discover it by portscanning.

    • tardedmeme 1 hour ago
      Unless all your other ports are sending reject packets.