SSH being constantly probed

For the last 2 weeks, someone (apparently some bot automatically running) is trying to log into SSH with different ports, IPs and usernames.
Apart from the annoying emails every 5 minutes telling me an IP was blocked - is there anything I can do to block this guy?
I've reduced the wrong tries to get blocked to 2 and the period increased to 120 minutes.


Anything else you might advise?

Normal activity.
2 attempts is a bit severe, though if you use login keys, as you should, then that's fine.
Don't block temporarily, block permanently!
Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.
Why bother to get sent emails, just set to no notification?

All easily done if you have the official CSF GUI available on your CWP installation.

By official CSF GUI, do you refer to this screenshot?
https://pasteboard.co/Jqo5qgf.png


As to blocking it completely - then I wouldn't be able to login to FTP and SSH with my keys...
As to IPset, never heard of it. I'll check.

By official CSF GUI, do you refer to this screenshot?
https://pasteboard.co/Jqo5qgf.png

No, that's one of a pair of crap CWP-derived interfaces. They used to supply the official GUI but removed it, instead of removing their own version(s). Fortunately, I saved a copy of the files from an older release.

As to blocking it completely - then I wouldn't be able to login to FTP and SSH with my keys...
As to IPset, never heard of it. I'll check.

Nope, you can exempt yourself from blocks. In any case only blocks for failed attempts.
Read https://download.configserver.com/csf/readme.txt and /etc/csf/csf.conf

Official GUI is shown here:
https://configserver.com/cp/csf.html

Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.

I've installed and configured IPset 48 hours ago and still getting lots of notifications.

Be sure to use IPset and maintain a fairly large blocklist - I usually have 800, in addition to csf.blocklists, country blocklists and AWS blocked.

I've installed and configured IPset 48 hours ago and still getting lots of notifications.

You don't appear to comprehend instructions too well. 
On a silver plate, with matching cutlery..

Code: [Select]

LF_EMAIL_ALERT  = OFF

Not getting alerts doesn't say SSH is not being attacked constantly.
On the contrary, I want to be aware of such, but am wondering if there's anything i can do to stop it.

Change default port 22 and use key authentication.
LF_DISTATTACK = ON
LF_DISTATTACK_UNIQ = 2
Block certain countries, depending on your required 'market' eg. CN,TH,TW,RU,IL,BR,AG,SG,IN,PK,HK
(Still a lot from the USA though.)
Block AWS, Contabo, DO and GCloud.
Block all other lusers on your provider's LAN.
Other than that nearly nothing - it's a consequence of being on the 'net.

You could limit ssh access to a particular VPN but is of limited use, in terms of actual port scanning.

(My record for setting up a server and getting attacks, is 1400 failed logins, in the time it takes to do an apt update and change ssh to key authentication!)

Here's an example of what you can add to your blocklists..

Code: [Select]

# Digital Ocean
DOCEAN|86400|0|https://asn.ipinfo.app/api/text/list/AS14061

# Contabo
CONTABO|86400|0|https://asn.ipinfo.app/api/text/list/51167I have custom scripts to generate lists for AWS, GCloud (googleusercontent) and so-called research threats (eg. Shodan.io)