Brute force attack from a /24

Perusing some of my logwatch reports, I noticed a very large number of failed login attempts. What made these stand out was that none of the IP addresses had been automatically blocked by my fail2ban filters:

...
       root (221.176.33.112): 2 Time(s)
       root (221.176.33.135): 2 Time(s)
       root (221.176.33.148): 2 Time(s)
       root (221.176.33.154): 2 Time(s)
...

It turns out that whoever was behind this used a very large number of source IP addresses, precisely to circumvent per-IP blockers like fail2ban or sshguard: each address stays below the ban threshold, so the counters never trip. Nothing too advanced, but it goes to show that even a pretty dumb attack, given enough resources, can become quite effective and difficult to defend against.
If you have a /24 at your disposal and are willing to do two tries per source IP, you get about 500 tries without a single address ever crossing the ban threshold.
Combine that with some fine-tuning against the default settings of popular defence mechanisms like fail2ban (how many failures per source, within what time window, before a ban), and you've got yourself a pretty efficient brute forcer.
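The obvious counter is to stop counting per address and start counting per subnet. The script below is an added example, not code from the original post: it parses logwatch "failed logins" summary lines in the format shown above, sums attempts per /24, and flags subnets where the total is high but no single address ever reached a per-IP ban threshold. The sample log lines are constructed, the addresses and counts are made up, and the thresholds (5 failures per IP, 10 per subnet, at least 3 distinct sources) are assumptions to be tuned to your own jail settings.

```python
"""Aggregate failed-login counts per /24 so that a distributed brute force
(few attempts per source address, many addresses) shows up even when no
single address trips a per-IP threshold such as fail2ban's maxretry.

Added example, not code from the original post. Log lines, addresses,
counts and thresholds below are constructed/assumed for illustration."""

import ipaddress
import re
from collections import Counter, defaultdict

# logwatch "Failed logins" summary line:  "   user (a.b.c.d): N Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+\((?P<ip>[\d.]+)\):\s+(?P<count>\d+)\s+Time\(s\)"
)

# Constructed sample input (not from the original post).
SAMPLE_LOG = """\
       root (221.176.33.112): 2 Time(s)
       root (221.176.33.135): 2 Time(s)
       root (221.176.33.148): 2 Time(s)
       root (221.176.33.154): 2 Time(s)
       root (221.176.33.201): 2 Time(s)
       root (221.176.33.77): 1 Time(s)
       admin (221.176.33.9): 2 Time(s)
       root (198.51.100.23): 1 Time(s)
       root (203.0.113.200): 8 Time(s)
"""


def parse_failed_logins(text):
    """Return {ip: total failed attempts} from logwatch summary lines.

    Counts are summed across user names, since the interesting unit here
    is the source address, not the account being guessed."""
    per_ip = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, "..." continuation markers, unrelated lines
        per_ip[m.group("ip")] += int(m.group("count"))
    return dict(per_ip)


def aggregate_by_prefix(per_ip, prefixlen=24):
    """Group per-IP counts into {network: (total_attempts, distinct_sources)}."""
    totals = Counter()
    sources = defaultdict(set)
    for ip, n in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        totals[net] += n
        sources[net].add(ip)
    return {net: (totals[net], len(sources[net])) for net in totals}


def find_distributed_attacks(per_ip, per_ip_threshold=5, subnet_threshold=10,
                             min_sources=3, prefixlen=24):
    """Return [(network, total, sources)] for subnets that exceed
    subnet_threshold attempts spread over at least min_sources addresses
    while every member address stays below per_ip_threshold, i.e. exactly
    the pattern a per-IP blocker (fail2ban maxretry=per_ip_threshold,
    an assumed value) would never act on."""
    flagged = []
    for net, (total, nsrc) in aggregate_by_prefix(per_ip, prefixlen).items():
        members = [ip for ip in per_ip if ipaddress.ip_address(ip) in net]
        max_single = max(per_ip[ip] for ip in members)
        if total >= subnet_threshold and nsrc >= min_sources \
                and max_single < per_ip_threshold:
            flagged.append((str(net), total, nsrc))
    return sorted(flagged)


if __name__ == "__main__":
    counts = parse_failed_logins(SAMPLE_LOG)
    for net, total, nsrc in find_distributed_attacks(counts):
        print(f"{net}: {total} failed logins from {nsrc} addresses, "
              f"none above the per-IP threshold")
```

On the sample data, 203.0.113.0/24 is not reported even though one address there made 8 attempts: that single address would already be handled by the per-IP jail, and the point of the subnet view is to catch what the per-IP jail misses. Whatever you then do with a flagged /24 (a manual firewall rule, a temporary drop of the whole prefix) is a policy decision; a /24 can contain plenty of innocent hosts, so blocking it wholesale is a trade-off rather than a free win.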

So how do you protect against this stuff?

  • Don't run SSH on the default port (pretty lame, and it only hides you from the laziest scanners)
  • Use port knocking (too much work)
  • Only allow key-based logins, with password authentication disabled; then guessing passwords gets the attacker nowhere, however many addresses they have
  • Don't allow SSH access from the entire internet (block China!)

Or just some good old paranoia and a manual firewall filter. :-)