Have malicious SSH attacks increased since COVID-19 began? Yes.

Sometime in the middle of February, I started noticing a marked increase in failed SSH logins on my two servers. Using the program fail2ban, I have long blocked logins by IP addresses that attempt to use root, www-data, or similar generic logins via SSH. IPs are blocked for a full year. Root logins and password authentication are both disabled in the SSHD config. In other words: I’m the only one who can login, goddamnit.

In a normal 24hr period, there are on average 20-30 failed logins. By mid-February, I was getting 40-50. By early March, as many as 100. On the 7th, I went off to Code4Lib in Pittsburgh and new fails per 24hrs hit 150 per night. A few days after I got back from Pittsburgh, a torrent unleashed itself and new fails peaked ~500 per 24hrs around 2020-03-16. By the time I started tracking new fails per night on 2020-03-27, I had hit somewhere ~5500 total failed IPs in just over a month and a half. I began to think that the groups that engage in these kind of malicious login attempts were taking advantage of the outbreak of COVID-19, which was overwhelming and shocking and everything else. It’s a period I’ll never forget.

At midnight on the 27th, I took a deep gulp and unbanned every IP that’d been blocked. The first fail was maybe 20 seconds later. But at the same time, the rate of new fails slowed considerably from its peak earlier in March.


What counts as a fail?

  • any attempt to use a password for SSH login
  • any attempt to login as root

While yes, both of those things are banned already in the SSHD config, but since fail2ban acts as a firewall of sorts, it’s a good thing to have. It also does much more than SSH. I picked SSH for this experiment because it’s the most logical vector of attack, if you’re attempting to hijack a machine.

  • anelki.net is the machine that runs this site and a few other things based on a Hetzner VPS in Germany. It was on Linode in Germany until the end of March when it moved to Hetzner.

  • wirefox is a VPN and Pi-Hole VPS on Linode near New York City.


This is obviously only my microscopic corner of the web, so I’d be really interested in hearing from other people about this. My contact info is here.

anelki.net wirefox
Total Fails 4632 4298
Average Fails per 24hrs 145 134
Median Fails per 24hrs 141 146
Peak Fails on 2020-04-10 414 281

link to data (ODS, XSLX, and Numbers)

Pretty Charts

Total number of fails (Larger)

Number of new fails per 24hr reporting period (Larger)