Beware! Coordinated SSH brute force campaign

By Eric John Emberda



There have been sustained, multi-source credential stuffing and dictionary attacks against my SSH daemon across 4 consecutive days, as shown in my Fail2Ban logs. Several patterns stand out.


77.83.39.153 is the primary threat. This single IP from a Netherlands hosting provider (Serverius) accounts for roughly 60% of all attempts. What makes it particularly concerning is its behavior after each fail2ban unban: it resumes immediately, without any cool-down. This suggests an automated botnet script that monitors connectivity rather than an opportunistic scanner. It was banned 9 times across 4 days, meaning the 30-minute ban window is not deterring it at all.


2.57.122.162 is deliberately slow-scanning to avoid bans. This LeaseWeb IP never triggered a ban despite appearing across all 4 days. The attacker is pacing attempts at intervals just below my maxretry threshold, a classic evasion technique. This is arguably more dangerous than the noisy 77.83.39.153 because it operates below the usual detection floor indefinitely.


The coordinated multi-IP clusters are botnet signatures. Between 07:00–07:30 on March 15, around a dozen IPs from Japan, Korea, Brazil, and the Philippines all hit my server simultaneously with ~2-minute intervals between each. This is a distributed botnet working a shared target list, not independent actors.


Cloud provider IPs (Azure, DigitalOcean, Alibaba Cloud) appear throughout, suggesting compromised VMs are being used as attack relays. This is a common tactic to evade IP reputation blocklists.
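
The three patterns above (an IP that gets banned again and again and resumes the moment it is unbanned, an IP that paces itself under maxretry and is never banned, and a burst of many distinct IPs in one short window) can be pulled straight out of fail2ban's own log rather than eyeballed. The script below is an added example, not the author's tooling; the log lines are constructed in fail2ban's log format (the `Found`, `Ban` and `Unban` messages), and the jail is assumed to run with maxretry = 3, findtime = 10m and bantime = 30m.

```python
"""Triage fail2ban's own log for repeat offenders, slow scanners and bursts.
Added example; the log lines below are constructed, not a real log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, jail [sshd] with assumed maxretry=3, findtime=10m, bantime=30m.
SAMPLE_LOG = """\
2026-03-15 07:00:02,101 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:00:01
2026-03-15 07:00:09,118 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:00:08
2026-03-15 07:00:15,130 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:00:14
2026-03-15 07:00:15,402 fail2ban.actions [812]: NOTICE [sshd] Ban 77.83.39.153
2026-03-15 07:03:00,011 fail2ban.filter  [812]: INFO  [sshd] Found 2.57.122.162 - 2026-03-15 07:02:59
2026-03-15 07:05:00,020 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.1 - 2026-03-15 07:04:59
2026-03-15 07:07:00,021 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.2 - 2026-03-15 07:06:59
2026-03-15 07:09:00,022 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.3 - 2026-03-15 07:08:59
2026-03-15 07:11:00,023 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.4 - 2026-03-15 07:10:59
2026-03-15 07:13:00,024 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.5 - 2026-03-15 07:12:59
2026-03-15 07:16:00,012 fail2ban.filter  [812]: INFO  [sshd] Found 2.57.122.162 - 2026-03-15 07:15:59
2026-03-15 07:29:00,013 fail2ban.filter  [812]: INFO  [sshd] Found 2.57.122.162 - 2026-03-15 07:28:59
2026-03-15 07:30:15,500 fail2ban.actions [812]: NOTICE [sshd] Unban 77.83.39.153
2026-03-15 07:30:19,020 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:30:18
2026-03-15 07:30:25,031 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:30:24
2026-03-15 07:30:31,044 fail2ban.filter  [812]: INFO  [sshd] Found 77.83.39.153 - 2026-03-15 07:30:30
2026-03-15 07:30:31,300 fail2ban.actions [812]: NOTICE [sshd] Ban 77.83.39.153
2026-03-15 07:42:00,014 fail2ban.filter  [812]: INFO  [sshd] Found 2.57.122.162 - 2026-03-15 07:41:59
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) fail2ban\.\w+\s*\[\d+\]: "
    r"\w+\s+\[(?P<jail>[\w-]+)\] (?P<action>Found|Ban|Unban) (?P<ip>\S+)"
)


def parse_log(text):
    """Return chronological (timestamp, action, ip) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["action"], m["ip"]))
    return sorted(events)


def repeat_offenders(events, min_bans=2):
    """IPs banned at least min_bans times, with the shortest unban-to-next-attempt gap."""
    bans = defaultdict(int)
    last_unban, fastest = {}, {}
    for ts, action, ip in events:
        if action == "Ban":
            bans[ip] += 1
        elif action == "Unban":
            last_unban[ip] = ts
        elif ip in last_unban:  # first Found after an Unban: how fast did it come back?
            gap = (ts - last_unban.pop(ip)).total_seconds()
            fastest[ip] = min(gap, fastest.get(ip, gap))
    return {ip: {"bans": n, "fastest_resume_s": fastest.get(ip)}
            for ip, n in bans.items() if n >= min_bans}


def slow_scanners(events, findtime=timedelta(minutes=10), maxretry=3):
    """IPs with repeated failures that never earned a ban, plus the peak number of
    failures inside any findtime-long window (the count fail2ban actually uses)."""
    found, banned = defaultdict(list), set()
    for ts, action, ip in events:
        if action == "Found":
            found[ip].append(ts)
        elif action == "Ban":
            banned.add(ip)
    out = {}
    for ip, times in found.items():
        if ip in banned or len(times) < 2:
            continue
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > findtime:
                start += 1
            peak = max(peak, end - start + 1)
        out[ip] = {"attempts": len(times), "peak_in_findtime": peak,
                   "below_maxretry": peak < maxretry}
    return out


def densest_window(events, window=timedelta(minutes=30)):
    """(window start, distinct source IPs) for the busiest window of the given length."""
    hits = [(ts, ip) for ts, action, ip in events if action == "Found"]
    best, start = (None, 0), 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        n = len({ip for _, ip in hits[start:end + 1]})
        if n > best[1]:
            best = (hits[start][0], n)
    return best


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(EVENTS))
    print("slow scanners:   ", slow_scanners(EVENTS))
    print("densest 30 min:  ", densest_window(EVENTS))
```

Run against the real file (`parse_log(open("/var/log/fail2ban.log").read())`) the same three functions flag the same three things the post describes: a small fastest_resume_s for the IP that comes straight back after every unban, an IP whose peak_in_findtime stays under maxretry across many attempts, and a window in which an unusual number of distinct sources show up together.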


I have already done the following recommended hardening steps, and I'm posting them here to help others as well:

  1. Change SSH to a non-standard port to eliminate the bulk of automated scans
  2. Enforce key-only authentication (PasswordAuthentication no in sshd_config)
  3. Increase fail2ban bantime to at least 24 hours, or use permanent bans with bantime = -1 for repeat offenders
  4. Add 77.83.39.153 and 2.57.122.162 to UFW as permanent denies immediately
  5. Consider maxretry = 3 if it isn't already set. Most of my logs show 10+ attempts before a ban triggers
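
Steps 1, 2, 3 and 5 are all settings in two files, so they can be checked mechanically before and after a change. The checker below is an added example, not part of the post; the sshd_config and jail.local texts are constructed, with a "weak" pair that mirrors stock defaults and a "hardened" pair that applies the steps. The `[recidive]` jail it looks for is fail2ban's stock jail that re-bans IPs already banned repeatedly, which is the "permanent bans for repeat offenders" of step 3; bantime = -1 there makes that ban permanent.

```python
"""Audit sshd_config and fail2ban jail.local against the hardening steps above.
Added example; all config texts below are constructed."""
import configparser
import re

WEAK_SSHD = """\
# constructed: default-like settings
Port 22
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
# constructed: steps 1 and 2 applied
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
"""
WEAK_JAIL = """\
[sshd]
enabled = true
bantime = 30m
findtime = 10m
maxretry = 5
"""
HARDENED_JAIL = """\
[sshd]
enabled = true
bantime = 24h
findtime = 10m
maxretry = 3

[recidive]
enabled = true
bantime = -1
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """fail2ban time spec ('30m', '24h', '1d 12h', plain seconds, or -1) -> seconds."""
    value = value.strip()
    if value == "-1":
        return -1
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([smhdw]?)", value):
        total += int(num) * _UNITS.get(unit, 1)
    return total


def parse_sshd_config(text):
    """Lower-cased option -> first value seen (sshd keeps the first occurrence);
    parsing stops at the first Match block, whose options are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, val)
    return opts


def audit(sshd_text, jail_text, min_bantime=86400, max_retry=3):
    """Return a list of findings; an empty list means every checked step is in place."""
    findings = []
    ssh = parse_sshd_config(sshd_text)
    if ssh.get("port", "22") == "22":  # sshd default port when unset
        findings.append("sshd: Port 22 (step 1: move to a non-standard port)")
    if ssh.get("passwordauthentication", "yes").lower() != "no":  # default is yes
        findings.append("sshd: PasswordAuthentication is not 'no' (step 2: key-only auth)")

    jail = configparser.ConfigParser(interpolation=None)
    jail.read_string(jail_text)
    bantime = parse_duration(jail.get("sshd", "bantime", fallback="10m"))  # fail2ban default
    if bantime != -1 and bantime < min_bantime:
        findings.append(f"fail2ban: sshd bantime {bantime}s is under {min_bantime}s (step 3)")
    retries = jail.getint("sshd", "maxretry", fallback=5)  # fail2ban default
    if retries > max_retry:
        findings.append(f"fail2ban: sshd maxretry {retries} exceeds {max_retry} (step 5)")
    if not jail.getboolean("recidive", "enabled", fallback=False):
        findings.append("fail2ban: recidive jail disabled, repeat offenders never escalate (step 3)")
    return findings


if __name__ == "__main__":
    for label, ssh, jail in (("weak", WEAK_SSHD, WEAK_JAIL),
                             ("hardened", HARDENED_SSHD, HARDENED_JAIL)):
        print(label, audit(ssh, jail) or "OK")
```

Point `audit()` at the contents of /etc/ssh/sshd_config and /etc/fail2ban/jail.local to check a live host; step 4 (the UFW denies) is firewall state rather than a config file, so it is not covered here.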

