I am suddenly seeing a mass of bruteforce ssh attacks on my personal server. I am using fail2ban, and the attacks are causing fail2ban to have significant CPU load just to keep up with the banning. That's how I noticed the attack - because fail2ban kept spiking up to 100% CPU usage.
I have increased ban time, but I am seeing bruteforce attacks come in from a huge mass of IP addresses, presumably through a botnet.
Is this the current state of affairs for all servers in 2020, or am I being specifically targeted? (though I can't imagine why, there's nothing of value on my server).
I've turned off PasswordAuthentication and now I just see the connect and disconnect, so that's holding them off for now, but it's still using up networking and CPU resources on my server to deal with the attack.
I assume it's not some sort of IP spoofing, since it uses the same IP multiple times until it gets banned. Not even sure if one can spoof the IP address to sshd.
So the question is - is this normal or do I have reason to believe that someone is intentionally attacking my server specifically? And follow-up, is there a good way to stop this attack from using up my resources, or should I just let it run its course until whoever is controlling the botnet figures out that there's no way in?
I cannot use whitelisting on my ssh server because I need to be logged in from multiple locations.