To much ssh-bf alerts?! | CrowdSec | Page 1

humble bloom Feb 8, 2025, 10:27 AM

#

Hey 👋

Ubuntu server. Changed ssh port, access only via public key. Still got every minute ssh-bf alerts.
On the alerts page right side on "target" it shows my ipv6 address. Should there not be my ipv4 address?
I dont need ipv6. Can i just disable it completely?

I have no ipv6 ports forwarded in ufw.
My sshd.config changes are:
Port ****
AddressFamily inet
PubkeyAuthentication yes
PasswordAuthentication no

Is it normal that there are still so much attempts to login?

boreal pulsarBOT Feb 8, 2025, 10:27 AM

#

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

random kiln Feb 8, 2025, 10:31 AM

#

humble bloom Hey 👋 Ubuntu server. Changed ssh port, access only via public key. Still got ...

If it shows ipv6 of your machine that means your outgoing connection to CAPI is using ipv6. Can you DM me what you believe to be the "right side" of target as for me all I see is alert context which for ssh shows usernames they tried.

#

example

humble bloom Feb 8, 2025, 10:37 AM

#

yes i meant by right side the target row with my ipv6 as target

#

My problem is that “in my opinion” there are still so many tenders although I actually wanted to prevent this with my settings.
I know that they cant login without my pubkey and phrase, but can i somehow do something that i get less alerts?

random kiln Feb 8, 2025, 10:43 AM

#

humble bloom yes i meant by right side the target row with my ipv6 as target

hmm mind dming what you see as the target_user should be only the username

random kiln Feb 8, 2025, 10:43 AM

#

humble bloom My problem is that “in my opinion” there are still so many tenders although I ac...

Do you have the firewall remediation installed?

humble bloom Feb 8, 2025, 9:30 PM

#

Hey, all fine now. THX you again. I have an other related question. What do i see here?
My firewall bouncer has made decisions from those lists?! But i cant see in detail how much individual ip's are was processed?

random kiln Feb 8, 2025, 9:33 PM

#

humble bloom Hey, all fine now. THX you again. I have an other related question. What do i se...

We dont provide indivual metrics based on per ip basis, we provide how many bytes and packets were dropped per list including local decisions if any.

humble bloom Feb 8, 2025, 9:33 PM

#

Alright, thx

#

Can you estimate how many bytes ore how much packets are, lets say 100 tries to scan, attack the server?

#To much ssh-bf alerts?!