There has been a report that certain devices (IoT, modems, BMCs, routers, switches, remote management) that use proprietary implementation of SSH instead of OpenSSH are vulnerable to private key exposure/compromise.
That‘s normal. There are countless bot nets that scan every public available IP to hijack. Using fail2ban is already a good approach. I personally switched to crowdsec a while ago as it comes with a crowdsourced blacklist which will silence a lot of the common noise and only occasionally I get an Alarm about an IP address not already on the default list.
Bots will find it pretty quickly. Remember the first thing that happens when you connect to an SSH server is get a message saying “Hi, I’m an SSH server! How are you today?”.
This happens literally all the time for me both personally and professionally. I see mostly low effort attempts across various ports or things like sweeps of common username/password attempts on ssh or common management endpoints on http.
This is why it's important to keep all publicly accessible servers and services updated and follow standard security guidelines. Things like only using public key auth for ssh for instance.
At work we get hit occasionally in large bursts and have to ban ips for a bit to get them to go away.
As long as you're running fail2ban there's no harm in it. Without exception you should disable root login, and ideally you should disable password login and just use keys.
It's fine, but it's a good idea to disable password authentication and only permit public key auth. Using a non-standard port helps reduce the spam in the logs a bit.
I’ve been constantly under attack from about ten times this for around 10 years.
They brute force common words and try various names as logins. It’s very primitive.
It waxes and wanes in frequency but averages to three or four per minute.
I have ssh on port 2222 (which btw they also figure out pretty quickly, I would recommend a less obvious alternative port) and fail2ban catches them after a couple tries, but without fail new ips spin up and resume.
It’s futile. I don’t have password auth on. They’ll never get in.
It’s just like people walking down the street coming up to your door to see if it’s unlocked. Or trying car doors for the same. They can try all they want, they’re not getting in.
Moral of the story: yeah it feels scary, but it’s really not. Make sure you have password auth and root login turned off, and fail2ban is a good call. Otherwise ignore it, it’s just something that will always happen on the internet.