<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Sorry to hear that your system got (possibly?) hacked. Yeah, fail2ban is an amazing tool. If I absolutely must have ssh open to the outside, I usually move ssh to a different port (yeah, you could still find it easily with a port scan), and I configure fail2ban. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>/Raj<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;color:black'>From: </span></b><span style='font-family:"Calibri",sans-serif;color:black'>Ale <ale-bounces@ale.org> on behalf of lollipopman691 via Ale <ale@ale.org><br><b>Reply-To: </b>Atlanta Linux Enthusiasts <ale@ale.org><br><b>Date: </b>Thursday, August 14, 2025 at 11:24 AM<br><b>To: </b>Atlanta Linux Enthusiasts <ale@ale.org><br><b>Cc: </b>lollipopman691 <lollipopman691@pm.me><br><b>Subject: </b>[ale] Ouch goddamnit<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>More assholes from China bringing my site down. When I rebooted, I couldn't help but notice that my uptime(1) stats were spiking into the double-digit range and the system was becoming unresponsive.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I wrote a quick and simple script to figure out who these guys are so I can block them at the AWS firewall. If anyone else can use it, here ( <a href="https://tomshiro.org/foswiki/ALE/BadActorScript">https://tomshiro.org/foswiki/ALE/BadActorScript</a> ) 'tis.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Looks like if I am _really_ clever I might-could figure out a way to let fail2ban(1) handle this automagically. 
A project for another day.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>-- CHS<o:p></o:p></p></div></div></body></html>