Looks like i was quite lucky. At the moment, i was looking at the server notifications and fail2ban started screaming.
Almost 30 different IP addresses were blocked for ssh attack. And the locations are all around the world.
It was a server exposed online via some subdomain. Some ports were open, including 22. Is this something to be expected always?
What do the guy expect?
Does it make sense to report this to DigitalOcean as several of those IPs belong to DO?
118.45.151.148
125.91.123.149
43.134.180.30
128.199.208.187
43.133.33.240
43.163.218.44
43.156.238.11
129.226.91.96
43.156.240.201
43.134.33.175
43.153.226.222
43.134.231.46
43.154.189.227
159.223.74.41
156.232.11.117
156.232.13.213
43.134.132.76
43.153.202.243
43.134.230.140
43.156.101.180
64.227.176.121
43.159.40.202
124.156.2.182
146.190.142.125
139.59.160.73
49.51.183.1
68.168.132.152
94.72.4.20
103.180.149.5
You’re using standard ports so it’ll happen constantly.
I moved all my ssh to nonstandard ports.
Bots will find it pretty quickly. Remember the first thing that happens when you connect to an SSH server is get a message saying “Hi, I’m an SSH server! How are you today?”.