Beware! Coordinated SSH brute force campaign
Over 4 consecutive days my Fail2Ban logs show sustained, multi-source password-guessing (dictionary and credential-stuffing) attempts against my SSH daemon. Several patterns stand out.
77.83.39.153 is the primary threat. This single IP, from a Netherlands hosting provider (Serverius), accounts for roughly 60% of all attempts. What makes it particularly concerning is its behaviour after each fail2ban unban: it resumes immediately, with no cool-down. That points to an automated script that simply keeps retrying and picks up the moment the firewall rule drops, rather than an opportunistic scanner that moves on. It was banned 9 times across 4 days, so the 30-minute ban window is not deterring it at all; it is merely rate-limiting it.
2.57.122.162 is deliberately slow-scanning to avoid bans. This LeaseWeb IP never triggered a ban despite appearing on all 4 days. The attacker is keeping the number of failures inside each findtime window just under the jail's maxretry, so the counter expires before a ban ever fires. This is a classic evasion technique, and it is arguably more dangerous than the noisy 77.83.39.153: a ban-on-count rule cannot see it no matter how long bantime is set, so it can keep guessing below the detection floor indefinitely. The only knobs that reach it are the ratio of maxretry to findtime and, better, removing password authentication altogether.
The coordinated multi-IP clusters are botnet signatures. Between 07:00 and 07:30 on March 15, around a dozen IPs from Japan, Korea, Brazil, and the Philippines all hit my server within the same half hour, staggered roughly 2 minutes apart. That is consistent with a distributed botnet working a shared target list, not independent actors.
Cloud provider IPs (Azure, DigitalOcean, Alibaba Cloud) appear throughout, suggesting compromised or cheaply rented VMs are being used as attack relays. This is a common tactic: reputation blocklists rarely block cloud provider ranges wholesale, so the traffic arrives with a clean score.
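To make the three patterns concrete, here is an added example (my own illustration, not the author's tooling or logs): a small Python script that replays constructed sshd failure lines through fail2ban's ban rule with the jail values the post implies (maxretry 5, findtime 10 minutes, bantime 30 minutes) and then looks for each pattern. The hostname `vps`, the PID, the year 2025 and the seven 203.0.113.x cluster addresses are placeholders; the two named IPs are the ones from the post, but the timestamps and attempt counts attached to them are invented.

```python
"""Added example, not the post's own tooling. Replays constructed sshd
failure lines through fail2ban-style counting to surface: a noisy IP that is
banned and returns the moment the ban lapses, a slow scanner that stays under
maxretry per findtime, and a burst of fresh IPs arriving minutes apart."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2025  # assumption: syslog timestamps carry no year
# Default-format sshd failure line, as fail2ban's sshd filter would match it.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

def parse(line):
    """Return (timestamp, ip) for a failure line, or None for anything else."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def simulate_bans(lines, maxretry=5, findtime=600, bantime=1800):
    """fail2ban's core rule: ban an IP once it has `maxretry` failures inside a
    sliding `findtime` window; the ban lasts `bantime` seconds.
    Returns ({ip: [ban timestamps]}, {ip: total failures seen})."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned_until = {}             # ip -> when the current ban expires
    bans, totals = defaultdict(list), defaultdict(int)
    for line in lines:            # lines must be in chronological order
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        totals[ip] += 1
        if ts < banned_until.get(ip, ts):
            continue              # still banned: a real firewall would drop this
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return dict(bans), dict(totals)

def slow_scanners(lines, bans, min_days=2):
    """IPs that never tripped a ban yet keep returning on `min_days` distinct
    days: failures paced to stay under maxretry inside every findtime window."""
    days = defaultdict(set)
    for ts, ip in filter(None, map(parse, lines)):
        days[ip].add(ts.date())
    return sorted(ip for ip, d in days.items() if ip not in bans and len(d) >= min_days)

def burst_clusters(lines, max_gap=180, min_ips=6):
    """Groups of at least `min_ips` previously unseen IPs whose first attempts
    arrive no more than `max_gap` seconds apart: the shared-target-list signature."""
    first_seen = {}
    for ts, ip in filter(None, map(parse, lines)):
        first_seen.setdefault(ip, ts)
    clusters, current = [], []
    for ip, ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        if current and (ts - current[-1][1]).total_seconds() > max_gap:
            if len(current) >= min_ips:
                clusters.append([i for i, _ in current])
            current = []
        current.append((ip, ts))
    if len(current) >= min_ips:
        clusters.append([i for i, _ in current])
    return clusters

def _line(ts, ip, who):
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} vps sshd[4242]: "
            f"Failed password for {who} from {ip} port 51234 ssh2")

def build_sample_log():
    """Constructed sample, not real data (hostname, PID and cluster IPs are placeholders)."""
    lines = []
    for rnd in range(3):   # noisy IP: 5 rapid failures, back 1 min after each 30-min ban
        start = datetime(YEAR, 3, 14, 3, 0) + timedelta(minutes=31 * rnd)
        lines += [_line(start + timedelta(seconds=10 * k), "77.83.39.153", "admin") for k in range(5)]
    for day in range(4):   # slow scanner: 3 failures a day, 4 min apart, 4 days running
        start = datetime(YEAR, 3, 14 + day, 9, 0)
        lines += [_line(start + timedelta(minutes=4 * k), "2.57.122.162", "root") for k in range(3)]
    for k in range(7):     # burst: 7 fresh IPs (TEST-NET-3 placeholders), 2 min apart
        lines.append(_line(datetime(YEAR, 3, 15, 7, 0) + timedelta(minutes=2 * k),
                           f"203.0.113.{k + 1}", "invalid user test"))
    return sorted(lines, key=lambda ln: parse(ln)[0])

def analyze(lines, **jail):
    bans, totals = simulate_bans(lines, **jail)
    return {"bans": {ip: len(b) for ip, b in bans.items()}, "totals": totals,
            "slow": slow_scanners(lines, bans), "clusters": burst_clusters(lines)}

if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

With the implied defaults the noisy IP collects three bans in an hour, the slow scanner is never banned despite 12 failures over 4 days, and the seven cluster addresses show up as one burst. Re-running `analyze(build_sample_log(), maxretry=3, findtime=3600)` turns the slow scanner into a banned IP too, which is the point about the maxretry-to-findtime ratio: widening the window is what catches pacing, not a longer bantime.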
I have already done the following recommended hardening steps, and I'm posting them here to help others as well:
- Change SSH to a non-standard port to eliminate the bulk of automated scans (this only cuts noise; a targeted attacker finds the new port in one scan)
- Enforce key-only authentication (`PasswordAuthentication no` in sshd_config). This is the one change that makes the slow scanner irrelevant: with no password to guess, pacing attempts buys it nothing
- Increase fail2ban `bantime` to at least 24 hours, or use permanent bans with `bantime = -1` for repeat offenders
- Add 77.83.39.153 and 2.57.122.162 to UFW as permanent denies immediately
- Consider `maxretry = 3` if it isn't already. Most logs show 10+ attempts before a ban triggers. Pair it with `MaxAuthTries 3` in sshd_config so a single connection cannot make more guesses than that either
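As an added example (not the author's own configuration), here is a `/etc/fail2ban/jail.local` that applies the list above and adds the two settings the slow scanner calls for: a wider `findtime` and escalating bans for repeat offenders. It assumes fail2ban 0.11 or later (for `bantime.increment`), that sshd has been moved to port 2222, and it uses a placeholder admin address in `ignoreip`.

```ini
# Added example, not the author's file: /etc/fail2ban/jail.local
# Commented-out values are the stock defaults the logs above were running
# into; the live values are the hardened ones. Assumes fail2ban 0.11+ and
# that sshd now listens on 2222 (placeholder port).
[DEFAULT]
# Your own admin IP (203.0.113.10 is a placeholder) so a typo cannot lock you out.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
# bantime = 10m   (default: the noisy IP simply waits it out)
bantime = 24h
# findtime = 10m  (default: 3 guesses every 15 minutes never add up)
findtime = 1h
# maxretry = 5
maxretry = 3
# Grow the ban on every repeat instead of handing out the same window again.
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 4w

[sshd]
enabled = true
# Must match the Port line in sshd_config or the ban rule guards the wrong port.
port = 2222
# Also counts pre-auth disconnects and "Connection closed" noise, not just "Failed password".
mode = aggressive

[recidive]
# Reads fail2ban's own log: an IP banned 3 times in a day is banned for a week.
enabled = true
bantime = 1w
findtime = 1d
maxretry = 3
```

Reload with `sudo fail2ban-client reload` and confirm with `sudo fail2ban-client status sshd`. The matching sshd_config lines are `Port 2222`, `PasswordAuthentication no` and `MaxAuthTries 3`; run `sudo sshd -t` before restarting sshd, and keep an existing session open until a new key-based login succeeds. The permanent UFW denies for the two named IPs go in ahead of the allow rules, e.g. `sudo ufw insert 1 deny from 77.83.39.153 to any`.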