Have malicious SSH attacks increased since COVID-19 began? Yes.

Sometime in the middle of February, I started noticing a marked increase in failed SSH logins on my two servers. Using the program fail2ban, I have long blocked logins by IP addresses that attempt to use root, www-data, or similar generic logins via SSH. IPs are blocked for a full year. Root logins and password authentication are both disabled in the SSHD config. In other words: I’m the only one who can log in, goddamnit.

In a normal 24hr period, there are on average 20-30 failed logins. By mid-February, I was getting 40-50. By early March, as many as 100. On the 7th, I went off to Code4Lib in Pittsburgh and new fails per 24hrs hit 150 per night. A few days after I got back from Pittsburgh, a torrent unleashed itself and new fails peaked at ~500 per 24hrs around 2020-03-16. By the time I started tracking new fails per night on 2020-03-27, I had hit somewhere ~5500 total failed IPs in just over a month and a half. I began to think that the groups that engage in these kinds of malicious login attempts were taking advantage of the outbreak of COVID-19, which was overwhelming and shocking and everything else. It’s a period I’ll never forget.

At midnight on the 27th, I took a deep gulp and unbanned every IP that’d been blocked. The first fail was maybe 20 seconds later. But at the same time, the rate of new fails slowed considerably from its peak earlier in March.

Methodology

What counts as a fail?

  • any attempt to use a password for SSH login
  • any attempt to log in as root

Yes, both of those things are already banned in the SSHD config, but since fail2ban acts as a firewall of sorts, it’s a good thing to have. It also does much more than SSH. I picked SSH for this experiment because it’s the most logical vector of attack, if you’re attempting to hijack a machine.

  • anelki.net is the machine that runs this site and a few other things based on a Hetzner VPS in Germany. It was on Linode in Germany until the end of March when it moved to Hetzner.

  • wirefox is a VPN and Pi-Hole VPS on Linode near New York City.
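
One way to reproduce the count of new fails per 24 hours from an sshd log, matching the rows of the results table; this is an example added here, not the author's own script or fail2ban configuration. The log-line patterns, the calendar-day reporting period, the `year` parameter and the sample log are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# The page's two fail rules as standard OpenSSH messages; the exact filter is an assumption.
FAIL_PATTERNS = [
    # rule 1: any attempt to use a password
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    # rule 2: any attempt to log in as root
    re.compile(r"(?:Connection closed by|Disconnected from) authenticating user root "
               r"(?P<ip>\S+) port \d+"),
]
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def failing_ip(msg):
    hits = (p.search(msg) for p in FAIL_PATTERNS)
    return next((h["ip"] for h in hits if h), None)

def new_fails_per_day(lines, year):
    """Count each source IP only on the day of its first fail (it is banned afterwards)."""
    seen, per_day = set(), Counter()
    for line in lines:
        m = LINE.match(line)
        ip = failing_ip(m["msg"]) if m else None
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        # Classic syslog timestamps carry no year, so the caller supplies it.
        day = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").date()
        per_day[day.isoformat()] += 1
    return dict(per_day)

def summarize(per_day):
    """Same rows as the results table: total, average, median, peak day."""
    counts = list(per_day.values())
    peak = max(per_day, key=per_day.get)
    return {"total": sum(counts), "average": statistics.mean(counts),
            "median": statistics.median(counts), "peak": (peak, per_day[peak])}

# Constructed sample log with documentation-range IPs; not data from the page.
SAMPLE = """\
Mar 27 00:00:21 host sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 27 00:03:10 host sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
Mar 27 04:12:55 host sshd[840]: Connection closed by authenticating user root 203.0.113.5 port 40188 [preauth]
Mar 27 09:30:00 host sshd[901]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar 27 23:59:59 host sshd[977]: Disconnected from authenticating user root 192.0.2.44 port 33012 [preauth]
Mar 28 01:00:00 host sshd[990]: Failed password for invalid user www-data from 198.51.100.99 port 2222 ssh2
""".splitlines()
```
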

Results

This is obviously only my microscopic corner of the web, so I’d be really interested in hearing from other people about this. My contact info is here.

| | anelki.net | wirefox |
|---|---|---|
| Total Fails | 4632 | 4298 |
| Average Fails per 24hrs | 145 | 134 |
| Median Fails per 24hrs | 141 | 146 |
| Peak Fails on 2020-04-10 | 414 | 281 |

link to data (ODS, XLSX, and Numbers)

Pretty Charts

[Chart: Total number of fails]

[Chart: Number of new fails per 24hr reporting period]

world without order: an open letter to god

dear God,

I don't want to deal here with the question of whether you're really there. It's Easter time now (you already know that anyway), and it's usual for me, as someone born Catholic, to be a bit more religious again. That's why I'm appealing for your help during this difficult—no, rather overwhelming—time.

We now live in a world without order. By that I don't mean “a world dictatorship,” but simply a world in which the rulers of the (thanks be to you) colorful countries serve their common interests. For climate protection. Against wars. For the sake of the common good, etc…

I won't speak of Covid and so on here, since it isn't necessary. The pain has flooded my soul for weeks.

It is really hard for me (or probably for almost everyone on Earth) to be able to gauge the scale of this crisis. Maybe for you too. But then, you are known everywhere for your omnipotence.

I hope that during this state of emergency you take some time for yourself! Read good books, write in your journal, make art, whatever you like. And a happy and blessed Easter! What I would give to be able to be at my grandma “Mim”'s with honey ham and Fresca. Like the “good old days.” Please say hello to her for me.

best wishes,
anelki

edit 2020-04-12 01:09

ps., here I also agree with the wishes and prayers of the Pope. For a swift end to the epidemic, for world peace, and so on and so forth. but please.

internet friends

Music: Thee More Shallows “2AM”

this post was completely rewritten on 2020-04-06

Back in the day, I wrote a livejournal. I still remember my username and I’ve gone back to look at it a few times. It’s just as embarrassing as you might expect.

But the one thing that I still think about from that time is the fact that I made some genuine (if indeed tenuous) friendships. And despite the fact that those days have long passed (15+ years, after all), those friendships are still valuable and have meaning. In some small way, they made me part of who I am today.

And all of our friendships do that to some degree or another. We might look back on things with different eyes, in my case with disgust or embarrassment. But things always look different after the fact.

I mention this because in autumn 2019, I started getting back into blogging again. I also started using internet relay chat (IRC). First through Code4Lib’s channel on Freenode, then ArchiveTeam’s channels on EFnet, and finally into the Tildeverse, a group of shared Linux/BSD servers for collaborative learning and exploration. [1]

I’ve met some really cool folks in the tildeverse. Some folks are neighbors (/me waves at cm). Others have excellent taste in music (gb) and others are just awesome and have taught me a lot about sysadmin-ing (thanks, ben). And I can’t leave out js who’s one of my favorites. or favourites, she might prefer. They’re good folks and I’m very grateful to know all of them.

But one person is missing at a time when we need our ‘internet friends’ more than ever and that’s ynx. ynx was my first real friend on IRC, they made me feel welcome, they talked to me when I didn’t really know anyone else. When IRL things started to go a bit sideways, it was nice to have someone to just chat with.

I miss you, ynx. I think I know why you left tilde.chat and I understand. I know things are bad right now, the world is in a dark place and the forecast isn’t calling for sunshine anytime soon. But the thing about friends is that we help one another when the skies are gray. And I want you to know that I’m here for you, if you ever need it.

Just /msg me.

your friend,
anelki

This does seem a little bit silly to put out there like this. But such are the times.

Part of the deal with internet friends is that they can be ephemeral. Sad, but that’s just how it is, I guess.

But they don’t have to be.


  1. the story of how those came into being as told by their founder Paul Ford. And here’s the essay that pointed me to them.