TLDR
- A self-hosted server logged ~500 SSH login attempts in 7 days; fail2ban and disabled password auth blocked all of them.
Key Takeaways
- Top attempted usernames: sheep (169), ubuntu (30), admin (52), user (20) – each reflecting real attacker heuristics.
- sheep attempts likely mirror the server’s subdomain, suggesting scripts fingerprint hostnames before attempting logins.
- Service-specific accounts (frappe, postgres, odoo, jenkins) targeted – attackers hunt sloppily deployed test stacks with default creds.
- pi and orangepi attempts confirm IoT/SBC devices are active targets even for low-value payoffs.
- Mitigations used: disable root login, disable password auth entirely, aggressive fail2ban with a 100+ IP blocklist.
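As an added example (not from the original article), this Python script tallies rejected usernames from sshd log lines and flags any that match a label of the server's own hostname, the pattern noted for sheep above. The log lines and the hostname sheep.example.org are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (not the article's data).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Invalid user sheep from 203.0.113.7 port 40122
Jan 10 03:12:09 host sshd[1203]: Invalid user sheep from 203.0.113.7 port 40130
Jan 10 03:15:44 host sshd[1210]: Invalid user postgres from 198.51.100.23 port 51514
Jan 10 03:16:02 host sshd[1212]: Connection closed by authenticating user ubuntu 198.51.100.23 port 51620 [preauth]
Jan 10 03:20:37 host sshd[1220]: Invalid user pi from 192.0.2.99 port 33810
Jan 10 03:25:00 host sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
"""

# "Invalid user" covers accounts that do not exist; "authenticating user ...
# [preauth]" covers existing accounts whose login never completed.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"sshd\[\d+\]: Connection closed by authenticating user "
               r"(?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"),
]

def failed_attempts(log_text):
    """Yield (username, source_ip) for each rejected login attempt."""
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                yield match.group("user"), match.group("ip")
                break

def summarize(log_text, fqdn):
    """Return per-user counts, per-IP counts, and usernames that equal a
    label of the server's FQDN (a sign the hostname was fingerprinted)."""
    attempts = list(failed_attempts(log_text))
    by_user = Counter(user for user, _ in attempts)
    by_ip = Counter(ip for _, ip in attempts)
    labels = set(fqdn.lower().split("."))
    hostname_derived = sorted(u for u in by_user if u.lower() in labels)
    return by_user, by_ip, hostname_derived

if __name__ == "__main__":
    users, ips, derived = summarize(SAMPLE_LOG, "sheep.example.org")
    for name, count in users.most_common():
        print(f"{name:10} {count}")
    print("hostname-derived usernames:", derived)
```
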
Hacker News Comment Review
- No substantive HN discussion yet.