I have recently noticed a large number (for us) of failed SSH attempts coming in from Cloudflare IP addresses. Our SSH service requires certificates, so I’m not stressing the approach, except for the frequency of the attempts.
> Dec 1 10:27:35 SSH sshd: Invalid user user from 220.127.116.11
> Dec 1 10:27:35 SSH sshd: input_userauth_request: invalid user user [preauth]
> Dec 1 10:27:36 SSH sshd: Received disconnect from 18.104.22.168 port 10480:11: Normal Shutdown, Thank you for playing [preauth]
> Dec 1 10:27:36 SSH sshd: Disconnected from 22.214.171.124 port 10480 [preauth]
Our default approach to failed attempts was to ban the IP address, which resulted in Cloudflare IP addresses being blocked. This isn’t ideal as we are also a CF customer and expect legitimate traffic.
While we now have work-arounds in place, I’m interested to know if there is any mechanism to report these abuses to Cloudflare?
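
The ban-on-failure behaviour described in the post, sketched as an added example that is not part of the original post: it counts `Invalid user` lines per source address and routes sources inside an exempt range to a report list instead of the ban list. The function name `classify`, the threshold, the `NEVER_BAN` range and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the sshd format quoted in the post; addresses are
# from documentation ranges (RFC 5737), not real proxy or attacker addresses.
SAMPLE_LOG = """\
Dec 1 10:27:35 SSH sshd: Invalid user user from 198.51.100.7
Dec 1 10:27:35 SSH sshd: input_userauth_request: invalid user user [preauth]
Dec 1 10:27:36 SSH sshd: Disconnected from 198.51.100.7 port 10480 [preauth]
Dec 1 10:27:41 SSH sshd: Invalid user admin from 198.51.100.7
Dec 1 10:27:49 SSH sshd: Invalid user test from 198.51.100.7
Dec 1 10:28:02 SSH sshd: Invalid user oracle from 203.0.113.50
Dec 1 10:28:05 SSH sshd: Invalid user git from 203.0.113.50
Dec 1 10:28:09 SSH sshd: Invalid user pi from 203.0.113.50
Dec 1 10:28:30 SSH sshd: Invalid user guest from 192.0.2.9
"""

# Assumption: placeholder for shared proxy ranges that must never be banned.
# In practice, load the provider's published range list instead.
NEVER_BAN = [ipaddress.ip_network("198.51.100.0/24")]

# The user name is client-controlled, so match greedily and anchor at end of
# line: only the address sshd itself appends last is used as the source.
INVALID_USER = re.compile(r"sshd(?:\[\d+\])?: Invalid user .* from (\S+)(?: port \d+)?$")

def classify(log_text, threshold=3, never_ban=NEVER_BAN):
    """Return (ban, report): sources at or over the threshold, split by exemption."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # not a parseable address; ignore rather than guess
    ban, report = [], []
    for ip, n in counts.items():
        if n < threshold:
            continue
        exempt = any(ip in net for net in never_ban)
        (report if exempt else ban).append((str(ip), n))
    return ban, report

if __name__ == "__main__":
    ban, report = classify(SAMPLE_LOG)
    print("ban:", ban)
    print("report, do not ban:", report)
```
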