My ssh server has been under a crazy botnet attack for the last couple of days. I shut the server down for 24 hours, and when I started it back up today they just came right back.
I have some really good rules that take care of automatically banning any IP address that attempts to connect more than 3 times in 5 minutes, but it’s not a permanent ban. I’m issuing permanent bans on the ones that are trying to connect today, but there are so many I don’t think it’s even worth my time. I have a very limited number of users that can log in via ssh, and these dictionary attacks won’t be very good at breaking into their accounts. Good passwords on the side also help, but it’s just annoying to see repeated login attempts in my logfiles and on my real-time monitor.