Two months ago we installed servers in countries such as Germany and Singapore, and since then they have been receiving a constant stream of automated SSH brute-force attacks, mostly aimed at the root user and coming mainly from China, Argentina, Brazil, Ecuador, Taiwan, Korea and India. After analysing the traffic we disabled remote logins for root, but hours later the attacks resumed with other usernames, so we went on to block logins for the following users as well: admin, test, guest, info, oracle, testing, webmaster and user.
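The sshd changes described above, as an added example that is not the original post's code: a small POSIX shell script that writes a hardening drop-in (no root logins, the brute-forced usernames denied, fewer attempts per connection), syntax-checks the result and reloads sshd. The drop-in path /etc/ssh/sshd_config.d/10-bruteforce.conf and the service names ssh/sshd are assumptions for a Debian/Ubuntu-style install; OpenSSH 8.2 and later read that directory through the Include line at the top of the stock sshd_config, which matters because sshd keeps the first value it sees for each keyword, and on older builds you append the same lines to /etc/ssh/sshd_config instead. PasswordAuthentication no is left commented on purpose: enabling it before every admin has a key deployed locks you out.

```shell
#!/bin/sh
# Added example, not from the original post: harden sshd against the
# brute-force pattern described above (root plus a handful of generic
# usernames) and verify the config before reloading. Paths and service
# names below are assumptions for a Debian/Ubuntu-style install.
set -eu

# Usernames the post saw being brute-forced; extend from your own auth.log.
DENIED_USERS="admin test guest info oracle testing webmaster user"

# Write the hardening drop-in to the file given as $1.
write_sshd_hardening() {
    cat > "$1" <<EOF
# sshd hardening drop-in written by write_sshd_hardening
PermitRootLogin no
DenyUsers $DENIED_USERS
MaxAuthTries 3
LoginGraceTime 20
# Enable only after every admin has a key in place, or you lock yourself out:
#PasswordAuthentication no
EOF
}

# Return 0 if the config file $1 denies username $2 via a DenyUsers line.
denies_user() {
    grep -E '^[[:space:]]*DenyUsers[[:space:]]' "$1" | tr -s ' \t' '\n\n' | grep -qx "$2"
}

# Install the drop-in, refuse to reload on a syntax error, then reload.
# Assumes root and an sshd that reads /etc/ssh/sshd_config.d/*.conf.
install_sshd_hardening() {
    write_sshd_hardening /etc/ssh/sshd_config.d/10-bruteforce.conf
    sshd -t
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}
```

Run `install_sshd_hardening` as root from an existing session and open a second SSH session to confirm you can still log in before closing the first one; `sshd -t` only catches syntax errors, not a DenyUsers line that happens to include your own account.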
Many of our clients have suffered this type of attack, and unfortunately some of them have been hacked in the past.
To stop this type of attack you can use Fail2Ban together with IPSet. We have compiled a list of the attacking IPs which you can load to prevent incidents in the future, and we will try to keep it updated.
For the record, the IPs used in these attacks are completely different on our servers in Germany and in Singapore. The first link contains only the list of IPs seen in Germany; the second contains the same IPs prefixed with "ipset add blacklist", ready to use if you run blacklists with ipset on your servers.
[Updated] Why are we sharing this list when Fail2Ban already produces a list of attackers' IP addresses from the last 48 hours, regenerated every 30 minutes (download it here)? Because you have to keep the following in mind:
Fail2Ban does not provide the geographic location of each IP address.
Some of these IPs may be in your own country, so a large part of your users could lose access to your servers.
Your office, home or ISP IP address may itself be on the list because a machine on your network is compromised, and blindly blocking every IP in the file will then cause trouble for you.
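To load the downloaded list into ipset without running into the problem described in the last point, here is an added example that is not the original post's script: a POSIX shell script that reads the list (bare addresses or the "ipset add blacklist" form, with blank lines and # comments allowed), rejects malformed addresses, skips anything inside an allowlist of your own networks, and prints idempotent ipset commands; a second function creates the set and the iptables DROP rule and applies the output. The set name blacklist matches the post's "ipset add blacklist" lines; the allowlist CIDRs, the function names and the sample list are constructed for this example and use documentation address ranges rather than real attackers.

```shell
#!/bin/sh
# Added example, not from the original post: load an attacker list into an
# ipset set while skipping your own networks, so that a compromised box on
# your side of the list does not get you locked out. The set name "blacklist"
# follows the post; the allowlist CIDRs are whatever you pass in.
set -eu

# Print IPv4 address $1 as an integer; return 1 if it is not a valid address.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # digits only, no leading zero (avoids octal surprises), at most 3 digits
        case $o in ''|*[!0-9]*|0?*|????*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside $2, given as a.b.c.d/len or a bare address (/32).
in_cidr() {
    _a=$(ip2int "$1") || return 1
    _n=$(ip2int "${2%/*}") || return 1
    _bits=${2#*/}
    [ "$_bits" = "$2" ] && _bits=32
    case $_bits in ''|*[!0-9]*) return 1;; esac
    [ "$_bits" -le 32 ] || return 1
    _mask=$(( _bits == 0 ? 0 : (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _a & _mask )) -eq $(( _n & _mask )) ]
}

# gen_blacklist "ALLOW_CIDRS" < list
# Reads one entry per line (bare address or "ipset add blacklist ADDR"),
# ignores blank lines and # comments, rejects malformed addresses, skips
# anything inside ALLOW_CIDRS, and prints idempotent ipset commands.
gen_blacklist() {
    allow=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -eq 0 ] && continue
        for w; do ip=$w; done          # the last word on the line is the address
        if ! ip2int "$ip" >/dev/null; then
            echo "skip malformed: $ip" >&2; continue
        fi
        skip=0
        for cidr in $allow; do
            if in_cidr "$ip" "$cidr"; then skip=1; break; fi
        done
        if [ "$skip" -eq 1 ]; then
            echo "skip allowlisted: $ip" >&2; continue
        fi
        echo "ipset add blacklist $ip -exist"
    done
}

# apply_blacklist "ALLOW_CIDRS" < list   (run as root; needs ipset and iptables)
# Creates the set once, hooks it into INPUT once, then loads the entries.
# To drop entries that vanished from a refreshed list, "ipset flush blacklist" first.
apply_blacklist() {
    ipset create blacklist hash:ip -exist
    iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set blacklist src -j DROP
    gen_blacklist "$1" | sh
}

# Constructed sample list (documentation ranges, not real attackers) for an offline run.
SAMPLE_LIST='# downloaded list, constructed for this example
203.0.113.9
ipset add blacklist 198.51.100.23
192.0.2.77      # our own office box, must not be blocked

999.1.1.1
10.0.0.256
198.51.100.7'

# Allowlist: the office /24 plus one monitoring host; expect two commands on stdout.
demo() {
    printf '%s\n' "$SAMPLE_LIST" | gen_blacklist "192.0.2.0/24 198.51.100.7"
}
```

Skipped entries go to stderr so you can see what the allowlist removed before anything touches the kernel; pipe `gen_blacklist` to a file first if you want to review the whole set. Pass the Germany and Singapore lists separately, since the post notes the attacking addresses differ between the two.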
If you want to protect your server with Fail2Ban, you can find a very good article on how to install it here.