
Who/what is brute forcing OVH SSH logins? - Pablo946
I have 3 servers with OVH right now, two game servers and one WireGuard server. My friend who also has some servers with OVH mentioned to me yesterday that he saw a lot of strange IP addresses mainly in East Asia attempting to SSH into his server when he looked at the file /var/log/auth.log. Out of curiosity I checked this file on my 3 servers and on all 3 servers the log was full of similar mysterious IP addresses from East Asia trying to log in with invalid usernames. I was confused as to why seemingly every server on OVH's network receives so much traffic from these hosts. It got me curious, what are all these hosts and why are they attempting to gain access to OVH servers? I contacted OVH support and they said they were already aware that some other entity was attacking their servers like this. After seeing these strange connections I stopped listening for SSH on port 22 and changed it to a non-standard port, and I have quite the long SSH password anyway so I'm not too worried about becoming a victim of one of these attacks, but it does make me wonder. Are they just trying to gain control of some poorly secured OVH server so that they can have control of a server for their nefarious purposes? Why are they specifically targeting servers on the OVH network as opposed to servers with other providers? How many machines are there, brute forcing OVH server SSH passwords 24/7? Who is the person/people behind this attack? What is the goal? Those of you who also use OVH and/or have experienced something similar or know more about the strange hosts in East Asia please do share your experience.
======
Pablo946
Update: The same Chinese IP address has been attempting to brute force one of
my servers for around 8 hours straight despite the fact that it's on a
non-standard SSH port. I think I'll just enable pubkey authentication instead.

------
detaro
Nothing related to OVH, this is just random background noise for everyone
having a server connected to the internet. Configure your systems properly and
don't waste time worrying about it.

~~~
Firerouge
To build upon this, consider setting SSH to use ED25519 certificate-based
authentication and disable password logins entirely.

~~~
jjjbokma
How to: [http://johnbokma.com/blog/2019/05/27/ssh-public-key-authentication.html](http://johnbokma.com/blog/2019/05/27/ssh-public-key-authentication.html)

------
dylz
Everyone. AWS is being brute-forced 24/7. Every single one is.

~~~
Pablo946
I didn't think about that possibility before, but now after checking my Vultr
and DigitalOcean servers' auth.log I can confirm they too are bombarded with
attempted SSH logins from Asia.
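
------
One way to measure the background noise discussed in this thread, as an added example that is not from any of the posters: a small parser that tallies failed SSH logins per source address from auth.log lines. The sample log lines are constructed (documentation IP ranges), and the function names `summarize` and `top_sources` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the OpenSSH auth.log format (documentation IP ranges).
SAMPLE_LOG = """\
May 27 03:11:02 vps sshd[811]: Invalid user admin from 203.0.113.5 port 51234
May 27 03:11:04 vps sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 27 03:11:09 vps sshd[815]: Failed password for root from 203.0.113.5 port 51301 ssh2
May 27 03:12:40 vps sshd[820]: Invalid user test from 10.0.0.1 port 22 from 198.51.100.7 port 40022
May 27 03:13:00 vps sshd[830]: Accepted publickey for pablo from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
May 27 03:13:05 vps CRON[900]: pam_unix(cron:session): session opened for user root
"""

# The username is chosen by the remote client, so match it greedily and anchor the
# address at the end of the line: the last "from <ip> port <n>" is the one sshd wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

def summarize(lines):
    """Return {ip: {"attempts": n, "users": Counter}} for failed SSH logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": Counter()})
    for line in lines:
        m = FAILED.search(line.rstrip("\n"))
        if m:
            entry = stats[m.group("ip")]
            entry["attempts"] += 1
            entry["users"][m.group("user")] += 1
    return dict(stats)

def top_sources(stats, n=10):
    """Source addresses ordered by number of failed attempts, highest first."""
    return sorted(((ip, s["attempts"]) for ip, s in stats.items()),
                  key=lambda item: (-item[1], item[0]))[:n]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, count in top_sources(report):
        users = ", ".join(sorted(report[ip]["users"]))
        print(f"{ip:15} {count:3} failed  users tried: {users}")
```

To run it against a real log, pass an open file such as /var/log/auth.log to `summarize` in place of the sample lines.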

