LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-16-2021, 04:03 AM   #16
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553

Quote:
Originally Posted by andrewysk View Post
Man, the invalid attempts to log into the ssh server are not stopping.. it keeps logging new failed attempts.
Between 10,000 and 20,000 attempts per day on a couple of my web servers. About 5,000 a day on servers that don't host anything. So, yeah, it's totally normal for a public facing server.
 
1 members found this post helpful.
Old 08-16-2021, 04:22 AM   #17
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,319
Blog Entries: 3

Rep: Reputation: 3724
Quote:
Originally Posted by TenTenths View Post
Between 10,000 and 20,000 attempts per day on a couple of my web servers. About 5,000 a day on servers that don't host anything. So, yeah, it's totally normal for a public facing server.
Just to add another anecdote to indicate the scale of the annoyance, I just spot checked one and it has over 22k invalid user attacks against SSH during just the last 6 hours.
 
Old 08-16-2021, 08:40 PM   #18
Trihexagonal
Member
 
Registered: Jul 2017
Posts: 362
Blog Entries: 1

Rep: Reputation: 334
Quote:
Originally Posted by andrewysk View Post
I am trying to play around with a remote server..
The place to "play around" with it is your LAN.

Where only you have access to that machine until you understand the services you have enabled and how exploits of those services are carried out.
(You learn how it's done and try to hack yourself.)

Quote:
Originally Posted by ondoho View Post
And some users will always be alarmed by it, thinking they're actually getting hacked (and not thinking: my system does the right thing here).
Techs in charge of reviewing abuse reports used to have a name for people who were fixated on firewall logs and constantly reported false alarms.

Goomers With A Firewall.
 
Old 08-23-2021, 09:10 AM   #19
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
The quirks of containerised software installation, with internet access - rather a different topic.
Let's concentrate on SSH for now.
I believe Turbocapitalist gave you some good pointers.
Another link: https://wiki.archlinux.org/title/OpenSSH and https://wiki.archlinux.org/title/SSH_keys
I am a bit confused now. Is OpenSSH the same as the ssh on my laptop? Or are they two different pieces of software? I can't figure it out. Initially I thought they were the same, after that I thought they were different.. then when I did some browsing.. I think they are exactly the same thing..
 
Old 08-23-2021, 09:14 AM   #20
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Just to add another anecdote to indicate the scale of the annoyance, I just spot checked one and it has over 22k invalid user attacks against SSH during just the last 6 hours.
LOL

You must have "gold bars" stored in the vault of your server. lol
 
Old 08-23-2021, 10:09 AM   #21
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,319
Blog Entries: 3

Rep: Reputation: 3724
Quote:
Originally Posted by andrewysk View Post
I am a bit confused now. Is OpenSSH the same as the ssh on my laptop? Or are they two different pieces of software? I can't figure it out. Initially I thought they were the same, after that I thought they were different.. then when I did some browsing.. I think they are exactly the same thing..
Strictly speaking, SSH is the protocol. There are several suites of software which support the SSH protocol: OpenSSH, Teleport, Tectia, Dropbear, etc. In principle they should all be able to connect to each other since they all claim to use the same standard protocol. OpenSSH is the suite used on pretty much any GNU/Linux distro out there today.

However, any of those suites provide both a client and a server because the style of architecture the SSH protocol is built around is "client-server". And loosely speaking, SSH can refer to either the SSH client or the SSH server in informal speech depending on context. The client is the software which provides the interface you or your scripts interact with and which connects you to the server on the remote system. That's what's on your laptop if you are connecting from it. The server provides the software which waits over on the system you connect to and listens for and processes incoming SSH connections. That's what's getting pounded on as bots try to jiggle the doorknob so to speak. It's only going to let in those authorized to get in but that does not stop the bots from trying. As mentioned, turning off password authentication, after setting up keys or certificates, will scare off most of the bots.

Last edited by Turbocapitalist; 08-23-2021 at 10:10 AM.
 
1 members found this post helpful.
Old 08-23-2021, 12:05 PM   #22
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Strictly speaking, SSH is the protocol. There are several suites of software which support the SSH protocol: OpenSSH, Teleport, Tectia, Dropbear, etc. In principle they should all be able to connect to each other since they all claim to use the same standard protocol. OpenSSH is the suite used on pretty much any GNU/Linux distro out there today.

However, any of those suites provide both a client and a server because the style of architecture the SSH protocol is built around is "client-server". And loosely speaking, SSH can refer to either the SSH client or the SSH server in informal speech depending on context. The client is the software which provides the interface you or your scripts interact with and which connects you to the server on the remote system. That's what's on your laptop if you are connecting from it. The server provides the software which waits over on the system you connect to and listens for and processes incoming SSH connections. That's what's getting pounded on as bots try to jiggle the doorknob so to speak. It's only going to let in those authorized to get in but that does not stop the bots from trying. As mentioned, turning off password authentication, after setting up keys or certificates, will scare off most of the bots.
So, you said any ssh server can, in theory, communicate with any ssh client..

Hee hee, I think the bots are trying to "jiggle" the door because I didn't totally disable password authentication. I have 2 accounts on the ssh server, 1 is using an ssh key, the other is still using a password.. I was learning the ssh key stuff.. I left myself a backdoor in case I screwed up the ssh key or something.. Not yet learned how to use fail2ban....
 
Old 08-23-2021, 01:19 PM   #23
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,653

Rep: Reputation: 2708
Quote:
Originally Posted by andrewysk View Post
So, you said any ssh server can, in theory, communicate with any ssh client..

Hee hee, I think the bots are trying to "jiggle" the door because I didn't totally disable password authentication. I have 2 accounts on the ssh server, 1 is using an ssh key, the other is still using a password.. I was learning the ssh key stuff.. I left myself a backdoor in case I screwed up the ssh key or something.. Not yet learned how to use fail2ban....
And you might not need fail2ban (as much as I love it) if you restrict your ssh protocol traffic to your local subnet. They cannot break in using ssh if they cannot connect to any ssh server.

As a sysadmin, I have used server security, network security, application security, and protocol security. For large and legal issues there is no step too trivial to take (because of what is at stake), but for a home network it seems best to use the simplest and easiest solution to eliminate the problem.
 
Old 08-23-2021, 01:43 PM   #24
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by wpeckham View Post
And you might not need fail2ban (as much as I love it) if you restrict your ssh protocol traffic to your local subnet. They cannot break in using ssh if they cannot connect to any ssh server.

As a sysadmin, I have used server security, network security, application security, and protocol security. For large and legal issues there is no step too trivial to take (because of what is at stake), but for a home network it seems best to use the simplest and easiest solution to eliminate the problem.
Thanks for the advice.
As much as I try to grasp what you mean, I still can't get it all.
I think you meant put the ssh server in my own local network.. so the bots won't be able to "jiggle the door" of ssh.
I have not reached that level yet.. I rented a server on DigitalOcean to try it, so it is public facing and can't be placed behind my local subnet.
 
Old 08-23-2021, 02:36 PM   #25
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,653

Rep: Reputation: 2708
Quote:
Originally Posted by andrewysk View Post
Thanks for the advice.
As much as I try to grasp what you mean, I still can't get it all.
I think you meant put the ssh server in my own local network.. so the bots won't be able to "jiggle the door" of ssh.
I have not reached that level yet.. I rented a server on DigitalOcean to try it, so it is public facing and can't be placed behind my local subnet.
Are you only going to access that server from home? If you have a fixed address, you can set it to only allow ssh from your address. If your address is variable (set using DHCP by your ISP) but in a fixed range, you can allow only that range. This restriction can be set in a firewall or using networking stack features (TCP wrappers), or the AllowUsers setting (in the sshd server conf file), which can restrict by user name and source address or source subnet. Check your man pages or run a quick search. It is not secret information. ;-)
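Added example, not part of the thread and not OpenSSH's own tooling: a small audit script for the sshd_config side of what Turbocapitalist (#21) and wpeckham (#25) describe, i.e. turning password authentication off once keys work, and restricting who may log in from where. It also shows one way to keep the OP's password-capable fallback account (#22) without leaving it open to the bots. The user names "andrew" and "deploy", the subnet 203.0.113.0/24 and both sample configs are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings that
# keep password-guessing bots interested, and show the hardened form in which
# the one password-capable account is only reachable from one subnet.
# The user names "andrew" and "deploy", the subnet 203.0.113.0/24 and both
# sample configs are constructed for illustration.

# Print the effective value of DIRECTIVE in FILE. sshd keeps the FIRST value it
# reads and ignores later duplicates, so the scan stops at the first hit.
# Comments are stripped and keywords compared case-insensitively, as sshd does.
# Everything below the first "Match" line is conditional and is not scanned;
# check those values against the live daemon with: sshd -T -C user=NAME,addr=IP
effective_value() {
    sed -e 's/#.*//' "$1" \
      | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            tolower($1) == "match" { exit }
            tolower($1) == want    { print $2; exit }'
}

# Report risky settings in FILE. Returns 0 when the global section permits
# key-based logins only, 1 otherwise. Where a directive is absent the OpenSSH
# 8.x/9.x default is assumed.
audit_sshd_config() {
    file=$1; bad=0
    pw=$(effective_value "$file" PasswordAuthentication)
    kbd=$(effective_value "$file" KbdInteractiveAuthentication)
    # Pre-8.7 configs spell the same setting ChallengeResponseAuthentication.
    [ -n "$kbd" ] || kbd=$(effective_value "$file" ChallengeResponseAuthentication)
    root=$(effective_value "$file" PermitRootLogin)
    pubkey=$(effective_value "$file" PubkeyAuthentication)
    allow=$(effective_value "$file" AllowUsers)

    case "${pw:-yes}" in
        [Nn][Oo]) ;;
        *) echo "WEAK: PasswordAuthentication is ${pw:-yes (default)}"; bad=1 ;;
    esac
    case "${kbd:-yes}" in
        [Nn][Oo]) ;;
        *) echo "WEAK: keyboard-interactive auth is ${kbd:-yes (default)}; PAM can still prompt for a password"; bad=1 ;;
    esac
    case "${root:-prohibit-password}" in
        [Yy][Ee][Ss]) echo "WEAK: PermitRootLogin yes"; bad=1 ;;
    esac
    case "${pubkey:-yes}" in
        [Nn][Oo]) echo "BROKEN: PubkeyAuthentication no; disabling passwords would lock you out"; bad=1 ;;
    esac
    [ -n "$allow" ] || echo "NOTE: no AllowUsers, so every local account is a valid login target"
    [ "$bad" -ne 0 ] || echo "OK: $file permits keys only in its global section"
    return "$bad"
}

# Constructed sample 1: looks hardened at a glance, but the "no" was appended
# below an earlier "yes", so the first value (yes) wins. A drop-in file under
# /etc/ssh/sshd_config.d/ pulled in by an Include near the top of the main
# file overrides the main file for exactly the same reason.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# The line below comes too late and is ignored by sshd.
PasswordAuthentication no
EOF
}

# Constructed sample 2: keys only, except that "andrew" (the thread's
# password fallback account) may still use a password, and may only connect
# at all, from the home subnet. AllowUsers denies every user not listed,
# root included, so list every account you actually use.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AllowUsers andrew@203.0.113.0/24 deploy
# Conditional block: password login for andrew, but only from the home subnet.
Match User andrew Address 203.0.113.0/24
    PasswordAuthentication yes
EOF
}

weak=$(mktemp); strong=$(mktemp)
write_weak_config "$weak"; write_hardened_config "$strong"
for f in "$weak" "$strong"; do
    echo "== $f"
    audit_sshd_config "$f" || echo "   -> fix this before exposing port 22"
done
rm -f "$weak" "$strong"
```

The script only reads a file; the authoritative check is the daemon itself: `sshd -T` prints the effective value of every directive after all Include files and, with `-C user=andrew,addr=203.0.113.5`, after the Match blocks for that connection, and `sshd -t` validates the syntax before a restart. Keep an existing session open while you restart and test from a second terminal, so a mistake cannot lock you out. The firewall layer wpeckham mentions is the same policy one hop earlier, for example an nftables rule such as `nft add rule inet filter input tcp dport 22 ip saddr != 203.0.113.0/24 drop` (assuming a table `inet filter` with an `input` chain already exists) or the hosting provider's cloud firewall; use it in addition to the sshd settings, not instead of them.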
 
Old 08-24-2021, 01:25 AM   #26
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by andrewysk View Post
Thanks for the advice.
As much as I try to grasp what you mean, I still can't get it all.
I think you meant put the ssh server in my own local network.. so the bots won't be able to "jiggle the door" of ssh.
I have not reached that level yet.. I rented a server on DigitalOcean to try it, so it is public facing and can't be placed behind my local subnet.
I know this is not the answer you want to hear, but being so clueless (as you yourself admit) means you shouldn't be running a public-facing server at all.

You are endangering the whole internet, not only yourself, if someone manages to break in there and deposits and activates some malware.
 
Old 08-24-2021, 02:16 PM   #27
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
I know this is not the answer you want to hear, but being so clueless (as you yourself admit) means you shouldn't be running a public-facing server at all.

You are endangering the whole internet, not only yourself, if someone manages to break in there and deposits and activates some malware.
If someone manages to break in.. can I still take the server back? I mean, can I delete the whole server project from the DigitalOcean web interface?
Should be able to, right?
I have to dive in to get some experience, start from somewhere.. ..

Last edited by andrewysk; 08-24-2021 at 02:17 PM.
 
Old 08-25-2021, 12:46 AM   #28
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by andrewysk View Post
If someone manages to break in.. can I still take the server back? I mean, can I delete the whole server project from the DigitalOcean web interface?
Should be able to, right?
Yes, but the bigger question is: will you even notice?
I see you're busy reading log files, but you aren't able to separate the harmless entries from the potentially harmful ones.
You simply might not recognize the signs. Keep in mind, a successful hacker doesn't want you to notice. They want to keep on using your computer for as long as possible.

Quote:
Originally Posted by andrewysk View Post
I have to dive into to get some experience start from somewhere.. ..
You can do that locally, in your own LAN, or even create one with a virtual machine that you log into from your bare-metal install.
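Added example, not part of the thread: a log-triage script for the two points made above, the sheer volume of "Invalid user" noise that TenTenths and Turbocapitalist count in #16 and #17, and ondoho's warning in #28 that the OP cannot yet tell the harmless entries from the one that matters. It summarises failed attempts per source address and then pulls out the successful logins and checks them against where you expect to log in from. The auth.log excerpt, the host name "droplet", the user "andrew" and all addresses are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: separate sshd's bot noise from the few
# log lines that actually matter, the successful logins. The log excerpt, host
# "droplet", user "andrew" and the addresses below are constructed.

# Write a constructed auth.log excerpt to FILE. The last line is the one that
# should worry you: a password login for the "backdoor" account from an address
# that had just been guessing passwords against other accounts.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 23 09:10:01 droplet sshd[1201]: Invalid user admin from 198.51.100.7 port 41122
Aug 23 09:10:01 droplet sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 41122 ssh2
Aug 23 09:10:03 droplet sshd[1203]: Failed password for root from 198.51.100.7 port 41130 ssh2
Aug 23 09:10:05 droplet sshd[1205]: Invalid user oracle from 192.0.2.44 port 55012
Aug 23 09:11:12 droplet sshd[1210]: Accepted publickey for andrew from 203.0.113.5 port 50022 ssh2: ED25519 SHA256:exampleKeyFingerprint
Aug 23 09:12:40 droplet sshd[1214]: Failed password for andrew from 192.0.2.44 port 55020 ssh2
Aug 23 09:13:02 droplet sshd[1216]: Accepted password for andrew from 192.0.2.44 port 55031 ssh2
EOF
}

# Failed and invalid-user attempts per source address, busiest first.
# This is the doorknob-jiggling: large counts here are normal on a public host.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user) ' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break } }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# Successful logins as "method user address". This list is short, and every
# entry must be explainable; if one is not, assume the host is compromised.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") { m = $(i+1); u = $(i+3) }
                if ($i == "from")     { a = $(i+1) }
            }
            print m, u, a }' "$1"
}

# Accepted logins that did not use a key or did not come from the expected
# network. PREFIX is a dotted prefix such as "203.0.113." (a simplification of
# a CIDR test that is exact for a /24 on an octet boundary).
suspicious_logins() {
    accepted_logins "$1" | awk -v pfx="$2" '
        $1 != "publickey" || index($3, pfx) != 1 { print "SUSPICIOUS:", $0 }'
}

log=$(mktemp)
write_sample_log "$log"
echo "== failed attempts per source (noise)";  failed_by_ip "$log"
echo "== accepted logins (read every line)";   accepted_logins "$log"
echo "== logins that need an explanation";     suspicious_logins "$log" 203.0.113.
rm -f "$log"
```

On a systemd host the same lines come from `journalctl -u ssh` on Debian and Ubuntu or `journalctl -u sshd` on RHEL-style systems, and `last -i` lists logins with their source address. One caveat that follows from ondoho's point: an attacker who has already logged in can also edit the log, so this kind of check is only trustworthy when the log lines are shipped off the host as they are written.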
 
  

