
I have a server in Oracle Cloud Infrastructure Ashburn. I am using Tailscale to SSH into my servers and closed port 22 to the public.

I closed port 22 on the VCN and left port 22 open on the server. But no one will access it, because I am the only one who can access it via Tailscale.

ubuntu@instance-20220422-2359:~$ sudo firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="36.110.228.254" reject
        rule family="ipv4" source address="114.241.52.59" reject
ubuntu@instance-20220422-2359:~$

Today, I received a report from CrowdSec that my server was experiencing SSH brute force from Chinese IP addresses.

How did it happen? I am using a VPN to access those servers and yet they manage to brute force a closed Port?

  • You can render those down to a trivial threat using something like [fail2ban](https://fail2ban.org/). I also _strongly_ recommend disabling root access (use a real account and sudo). Ideally, also restrict logins to using keys. – Adam Katz Apr 25 '22 at 17:46

1 Answer

I don't think your configuration is working as you think it should. It is always strongly advised to test your setup from a non-whitelisted IP address.

Your output says:

services: dhcpv6-client ssh

That implies the SSH service is effectively exposed: port 22/TCP is allowed in the public zone, that is, for everyone. This is in addition to your port rules or rich rules. But you don't want that.

My suggestion is to remove the SSH service from the public zone, and instead you can add a few whitelisted IP addresses (your VPN) to the trusted zone. This will make the SSH service available but also other running services if present.

Reference: Open a Port or Service

– Kate

  • Excellent answer, +1. OP, you might want to use a tool like https://portchecker.co/ to test if port 22 is really closed to a non-whitelisted IP. – mti2935 Apr 24 '22 at 20:03
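The check the answer describes, as an added example that is not part of the original question or answer and is not firewalld's or Tailscale's own tooling: it parses a `firewall-cmd --list-all` dump (the constructed sample below reproduces the one in the question), reports when a service is allowed for every source in the zone, and emits the suggested fix as explicit `firewall-cmd` calls. The Tailscale range 100.64.0.0/10 is the CGNAT block Tailscale assigns node addresses from; a single node address is a stricter choice. With `DRY_RUN=1` set the fix is only printed, which is how a reviewer would want to see it first.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a firewalld zone dump
# for a service allowed to every source, and print or apply the fix the
# answer suggests. Run with DRY_RUN=1 to only echo the firewall-cmd calls.
set -eu

# Constructed sample: the zone dump shown in the question.
ZONE_DUMP='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="36.110.228.254" reject
        rule family="ipv4" source address="114.241.52.59" reject'

# Print the value of one "key:" line from a zone dump (empty if the key has no value).
zone_field() {  # $1 = dump, $2 = key (e.g. services)
  printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# Succeed (exit 0) when the zone allows a service to every source: the service
# is listed under "services:" and "sources:" is empty, so only the addresses
# named in reject rich rules are blocked and everyone else gets through.
zone_exposes_service() {  # $1 = dump, $2 = service name
  local svc sources
  sources=$(zone_field "$1" sources)
  [ -z "$sources" ] || return 1
  for svc in $(zone_field "$1" services); do
    [ "$svc" = "$2" ] && return 0
  done
  return 1
}

# Count "reject" rich rules: the per-address blocklist the OP was relying on.
count_reject_rules() {  # $1 = dump
  printf '%s\n' "$1" | grep -c 'rule family=.* reject$' || true
}

# The answer's fix: remove ssh from the public zone and allow the VPN source
# range in the trusted zone. Assumed range: Tailscale's CGNAT block.
apply_fix() {  # $1 = source CIDR to trust
  local run="${DRY_RUN:+echo}"
  $run firewall-cmd --permanent --zone=public  --remove-service=ssh
  $run firewall-cmd --permanent --zone=trusted --add-source="$1"
  $run firewall-cmd --reload
}

if zone_exposes_service "$ZONE_DUMP" ssh; then
  echo "public zone allows ssh from any source; $(count_reject_rules "$ZONE_DUMP") reject rule(s) do not change that"
  DRY_RUN=1 apply_fix 100.64.0.0/10
fi
```

After applying the fix for real, `firewall-cmd --list-all --zone=public` should no longer list `ssh` under `services:`, and `firewall-cmd --list-all --zone=trusted` should show the VPN range under `sources:`; the portchecker test mentioned in the comment above confirms the result from outside.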