I think that providing API to be used by standalone clients is far more better approach

I would recommend to use borgbackup - it is very convenient for security (it provides very flexible encryption options with safe defaults) and efficiency (deduplication)

I can't remember any recent good news about 0click mitigation

Nobody reports this stuff, but exploit kits like blackhole have completely disappeared. (Sure, maybe technically not “0click” even if delivered via an ad on nytimes.com)

The situation has dramatically improved during the past 30 years, but so has reporting. It’s the improved reporting that makes it sound like as if the world is on fire.

I use KeePassDX on Android and KeePassXC on a laptop, and they are synced with Syncthing. I have no issues with this setup

That is not selfhosting. Selfhosting means web/cloud applications maintained by the users. Technically Syncthing is selfhosting but Keepass variants are not. So your setup is not really selfhosting because you are not hosting Keepass in the webserver.

This might be a way better solution in terms of performance, but I cannot imagine way to run more complicated stuff rather only blocking IP in the firewall using iptables

This ratio is only applied if there are more than 1000 SYNs, forgot to mention that in the README (https://git.encryp.ch/g00g1/no-portscan/src/branch/master/cm...)

Ah, of course. Guess I should have checked first :)

How did you discover this? Anyway thanks for additional information

Enabling Warp via the "1.1.1.1" Android app gets me an 8.x.x.x VPN address, at least. This /24 appears to be routed to my city's Cloudflare node, so presumably there's a /24 per city they run this service in.

Running a quick port scan from my phone against one of my machines works, so it doesn't look like they are restricting this too heavily.

And I'm not logged into this app and haven't granted it additional permissions, so I'm not sure they have any idea who I am here.

via support ticket with cloudflare. They didn't explicitly confirm it, but my experience is that they would have corrected me if that was wrong :)

jimsi, employees are also extremely active on Twitter. It’s not the most scalable but that’s usually my goto for eyebrow raising Cf related questions.

I have asked Cloudflare about this traffic, but support says "Cloudflare helps protect sites, and accelerate them. We do not attack sites, and our network can't be used to generate attack traffic." They deny any malicious outgoing traffic, but after I have provided pcap dump they just ignoring me and do not reply anything. Very odd behaviour for researchers.

Cloudflare likes to use the "We're just a proxy" defense when it suits them, but with the rapid release of other products they are very capable of generating arbitrary traffic and hosting content without an origin.

I think single SYN packet would be enough to know whether this port open or not, but they trying to gather full banner.

Probably yes, but hey! Why do Cloudflare Worker would need SSH connection establishment? I do not asking Cloudflare to block 22/tcp entirely, but all this situation is very odd - I am seeing anomaly, reported abuse to them, but no explanation why this is happening.

About password authentication I totally agreeing with you, but this is a bit out of scope of this thread.

The only purpose of this article is to know the truth what is really happening. I have never seen such many connections to the SSH even from researchers.

I think you need to spend more time looking at logs and network traffic in general, this is standard. I bet your public home IP will be scanned at least a couple times just today.

Judging my my home network, they can probably expect an SSH connection attempt on a home IP about every 5 seconds or so, or 18,000 times a day.

For some reason, this is 6× more than a server I have on an university network.