2017-11-15 Lots and lots of distributed SSH scanning 2 months ago
I am noticing lots and lots of distributed SSH scanning, not doing enough attempts from one IP address to trigger fail2ban. Timing and choice of login names used suggest a strong link between the ssh attempts even when source IPs are very different. Login names also refer to websites hosted on the same address. At a given moment I started wondering if this was just me, but others reported the same and exchanging IP address lists showed a lot of matches between attacks on totally unrelated systems.