
Are that many break-in attempts common on a little, 'not public' VPS?


Sorry, it's me again with a noob question.

So I'm using a little DigitalOcean VPS. I managed to set up a LAMP stack, secure the server, reduce the memory footprint and host a site.

I'm fully aware that my server is in fact public and available to anybody on the web; what I mean by 'not public' is that I don't host a public website, offer any service, promote my server, etc.

Now this week I checked my /var/log/secure file and saw that I had multiple break-in attempts over SSH, from easily 40-50 different IP addresses; my server has been up for a week or something like that. Apparently some are using a dictionary list with common usernames like admin, the names of Linux distros, etc.

What I find really strange is something that, at least to me as a noob, looks like a quite targeted, not so random attack. The same IP tries to break in for days using hundreds of usernames.

I set up fail2ban, which didn't stop him from trying his one attempt every 15 minutes or whatever I set as a bantime; according to the fail2ban logfile he already got banned and unbanned multiple times. Excuse me if I get this wrong, but that doesn't seem like some random attack by somebody who scans a range of IP addresses. So I just blocked his IP with firewalld.

But my question is: Is it common to have so many different attackers on a little VPS? Why would anybody try so extensively to break into my server? I don't think it gives the impression of being very vulnerable: I'm running the newest version of CentOS, set up SSH authentication with keys only, a firewall is configured and running, fail2ban is running, and I use strong passwords and mandatory access control (SELinux).

submitted by atbash_
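
The ban/unban cycle described in the post can be measured from fail2ban's own log. The following is an added example, not part of the original post: it counts Ban events per address and how quickly each address returned after an Unban. The log lines are constructed samples in fail2ban's log format (documentation IP ranges), and `repeat_offenders` and `min_bans` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in fail2ban.log's format; IPs are documentation addresses.
SAMPLE_LOG = """\
2024-05-01 10:00:03,112 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2024-05-01 10:00:02
2024-05-01 10:00:04,501 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:10:04,733 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 10:11:30,020 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:12:00,000 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-05-01 10:21:30,250 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 10:22:00,100 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.23
2024-05-01 10:22:45,900 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
"""

# Matches only the Ban/Unban notices written by fail2ban.actions.
EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\S+)$"
)

def repeat_offenders(log_text, min_bans=3):
    """Return {ip: (ban_count, [seconds from each Unban to the next Ban])}
    for addresses banned at least min_bans times."""
    bans = defaultdict(int)
    last_unban = {}
    gaps = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # filter "Found" lines and anything else are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["action"] == "Unban":
            last_unban[ip] = ts
        else:
            bans[ip] += 1
            if ip in last_unban:  # time the source took to get banned again
                gaps[ip].append(int((ts - last_unban.pop(ip)).total_seconds()))
    return {ip: (n, gaps[ip]) for ip, n in bans.items() if n >= min_bans}

if __name__ == "__main__":
    for ip, (count, gaps) in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: banned {count}x, back {gaps} s after each unban")
```

An address that is re-banned shortly after every unban is a candidate for a much longer ban period, for example through fail2ban's `recidive` jail or a static firewall rule.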
