2017-11-15
Lots and lots of distributed SSH scanning
I am noticing lots and lots of distributed SSH scanning, not doing enough attempts from one IP address to trigger fail2ban. Timing and choice of login names used suggest a strong link between the ssh attempts even when source IPs are very different. Login names also refer to websites hosted on the same address. At a given moment I started wondering if this was just me, but others reported the same and exchanging IP address lists showed a lot of matches between attacks on totally unrelated systems.