ssh root attacks

Just discovered my auth.log is spammed with folks trying to log in as root. Some 75% of the requests are coming from 103.41.124.0/24, which is about 20ms away from San Francisco and I’m guessing near Palo Alto. The whois record says it’s a firm in Hong Kong with the email address safestbusiness@gmail.com. Uh huh.

I tried installing fail2ban on Ubuntu 14.04 but it didn’t seem to work. The ugly thing works by scanning log files with scary Perl regexps; no way am I going to try to debug that. The whole premise of it makes me nervous too; I’d rather just ensure my services are secure. That’s adequate as long as you’re not worried about DoS levels of traffic.
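
The per-subnet tally described in the first paragraph, as an added example that is not part of the original post: it counts failed root password attempts in auth.log by source /24 and reports each network's share. The log lines are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the usual sshd/rsyslog auth.log layout. 103.41.124.0/24
# is the range named in the post; other addresses are RFC 5737 documentation IPs.
SAMPLE_LOG = """\
Jan 12 03:14:07 web sshd[1201]: Failed password for root from 103.41.124.17 port 51234 ssh2
Jan 12 03:14:09 web sshd[1201]: message repeated 3 times: [ Failed password for root from 103.41.124.17 port 51234 ssh2]
Jan 12 03:14:15 web sshd[1207]: Failed password for root from 103.41.124.52 port 40112 ssh2
Jan 12 03:15:02 web sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 33810 ssh2
Jan 12 03:15:40 web sshd[1214]: Failed password for root from 203.0.113.80 port 52200 ssh2
Jan 12 03:16:30 web sshd[1222]: Failed password for root from 103.41.124.201 port 46001 ssh2
Jan 12 03:17:44 web sshd[1229]: Failed password for root from 192.0.2.77 port 39015 ssh2
"""

# Anchored to end of line so text inside a logged username cannot pose as the source.
LINE = re.compile(
    r"sshd\[\d+\]: (?:message repeated (\d+) times: \[ )?"
    r"Failed password for (?:invalid user )?root "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\]?\s*$"
)


def root_failures_by_subnet(log_text, prefix=24):
    """Count failed root password attempts per source network."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = LINE.search(line)
        if not hit:
            continue
        repeats, ip = hit.groups()
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:
            continue  # mangled address, e.g. an octet above 255
        counts[str(net)] += int(repeats) if repeats else 1  # rsyslog collapses repeats
    return counts


def report(log_text, prefix=24):
    """Return (network, attempts, percent of all root failures), busiest first."""
    counts = root_failures_by_subnet(log_text, prefix)
    total = sum(counts.values())
    return [(net, n, round(100 * n / total, 1)) for net, n in counts.most_common()]


if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
```

To run it on a real host, pass the contents of `/var/log/auth.log` to `report()` instead of the sample.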