LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 12-28-2023, 01:12 PM   #46
wpeckham

I used fail2ban on my work machines and on a home server I had available on the internet so I could access it from work.
At one point I had blocked addresses or subnets comprising 72% of China, 22% of Africa, half of South America, half of Russia, 10% of North America (mostly USA domains), and a scattering of sites on various islands.

I built scripts to grab data from the logs and generate nice pictures and a daily report.
It never failed me. Not once.

I even moved my home SSH all to non-standard ports and put an immutable honeypot on port 22 so I would know ALL traffic hitting that port could add IP addresses to my block list for the entire network. Lots of fun, but I doubt it made anything more secure. I hope I drove some of the worms crazy! ;-)
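An added example, not wpeckham's own scripts, of the decoy-port idea in the post above: sshd moved to a non-standard port, port 22 left as a logged-and-dropped decoy (substituted here for the poster's "immutable honeypot", whose implementation the post does not describe), and every source that touches it fed into a firewall blocklist. The nftables ruleset text, the `HONEYPOT22:` log prefix, the exempt management networks and the kernel log lines are all assumptions constructed for the example.

```python
"""Decoy-port feed: sshd really listens on 2222, anything touching port 22 is
logged and dropped by the firewall, and every source seen there is turned into
an nft blocklist command. Added example; ruleset, prefix, exempt networks and
log lines are assumptions, not the poster's setup."""
import ipaddress
import re
from collections import Counter

# Assumed nftables ruleset this feed is written against. The decoy rule logs
# with a prefix so the hits are easy to pick out of the kernel log.
NFT_RULESET = """\
table inet filter {
    set blocklist { type ipv4_addr; flags interval; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @blocklist drop
        tcp dport 2222 accept
        tcp dport 22 log prefix "HONEYPOT22: " drop
    }
}
"""

# Management networks that must never be auto-blocked (assumed values). A
# daily job that can block your own office subnet eventually will.
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("10.0.0.0/8")]

# Netfilter log lines carry SRC=/DPT= fields after the prefix; match on both,
# so a line from some other logging rule cannot sneak in.
HIT_RE = re.compile(r"HONEYPOT22: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def honeypot_sources(kern_lines):
    """Counter of source IPs that connected to the decoy port, from kernel log lines."""
    hits = Counter()
    for line in kern_lines:
        m = HIT_RE.search(line)
        if m and m.group("dpt") == "22":
            hits[m.group("src")] += 1
    return hits


def block_commands(hits, threshold=1):
    """nft commands adding each offending source to the blocklist set.
    Exempt networks are skipped; output is sorted so it diffs cleanly day to day."""
    cmds = []
    for src, n in sorted(hits.items()):
        if n < threshold:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            continue
        cmds.append(f"nft add element inet filter blocklist {{ {src} }}")
    return cmds


# Constructed kernel log lines (not from any real host).
SAMPLE_KERN_LOG = [
    "Dec 28 13:12:01 gw kernel: HONEYPOT22: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Dec 28 13:12:04 gw kernel: HONEYPOT22: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN",
    "Dec 28 13:15:40 gw kernel: HONEYPOT22: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN",
    "Dec 28 13:16:02 gw kernel: HONEYPOT22: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60000 DPT=22 SYN",
    "Dec 28 13:16:30 gw kernel: OTHER: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44444 DPT=2222 SYN",
]

if __name__ == "__main__":
    for cmd in block_commands(honeypot_sources(SAMPLE_KERN_LOG)):
        print(cmd)
```

The commands are printed rather than executed so the list can be reviewed before it is applied; with `flags interval` the same set also accepts whole subnets, which is how the per-country blocks in the post would be expressed. Raise `threshold` if a single stray SYN should not be enough to block a source.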
 
Old 12-28-2023, 04:12 PM   #47
rkelsen

Quote:
Originally Posted by wpeckham
I used fail2ban on my work machines and on a home server I had available on the internet so I could access it from work.
Surely a better way to do that would be with OpenVPN or WireGuard using UDP on a high numbered port?
 
Old 12-28-2023, 05:12 PM   #48
wpeckham

Quote:
Originally Posted by rkelsen
Surely a better way to do that would be with OpenVPN or WireGuard using UDP on a high numbered port?
Oh absolutely! But I was a network administrator following the corporate rules about the corporate network. Breaking those rules would be a great way to get fired! As it was, they were giving me the side eye for running Linux on my Corp laptop and creating web pages and documents in LibreOffice!

I also helped one of the C#/.NET developers package and distribute our client software using FOSS tools. That impressed the customers and made life far easier for them, but I am not sure management ever did figure out what we did to make the magic happen.
 
Old 12-29-2023, 05:23 AM   #49
replica9000

I run sshd on a non-standard port. I only get a bot every few months. It'll make a few attempts before getting temporarily banned, usually giving up afterwards. I've only had one bot that was persistent for about 2 weeks.
 
Old 12-29-2023, 09:18 AM   #50
newbiesforever (Original Poster)

This is interesting. You make me suppose that anything we do on the internet attracts bots. What software can I use to see if bots are after me?

Going to request the mods to make a new thread of that.

 
Old 12-29-2023, 01:46 PM   #51
wpeckham

Quote:
Originally Posted by newbiesforever
This is interesting. You make me suppose that anything we do on the internet attracts bots. What software can I use to see if bots are after me?

Going to request the mods to make a new thread of that.
When I ran the honeypot operation I started getting hits about 20-30 minutes after bringing it up on a new IP address. Some others reported less than 5 minutes before getting a hit. I think it depends upon your ISP, subnet, and how many "good targets" appear (to the attackers) to exist on your network vicinity.

I would say that running while giving your existence away as little as possible is an advantage. Blocking (a firewall at the gate) is an advantage. Running as secure as you can with process and authority segregation is an advantage. Running something "bulletproof" (like immutable) is an advantage. Using all of those at once may be being bloody-minded paranoid! Pick the level of risk you can accept and have some fun. If you let the worms ruin your fun it does not matter if it is ruined because you were so focused on the threat that you forgot to play, or if they zombified your machine and you had no backups: your day is still ruined! Prepare, take reasonable precautions, and don't go all DEFCON-I about it.

Or, if you are like me, go hunting and set traps and enjoy tracking and blocking the worms and ruining THEIR day. ;-)

-------------
How can you tell? #1 Things like fail2ban log hits, and that gives you some data. #2 If you block echo at the gateway device (modem, router, or firewall) and record dropped echo hits it can be instructive, but you have to filter that data since many ISPs ping-poll their subnets to detect active clients: those may be bots but not (we hope) attack bots. #3 If you run something at the gateway with Intrusion Detection features it may do all of that and more, and generate nice logs or reports (possibly with pretty pictures!) for you to enjoy.

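An added example, not wpeckham's reporting scripts, of checks #1 and #2 above and of the daily report he mentions in post #46: count fail2ban bans per jail, and count echo requests dropped at the gateway while discarding the ISP's own ping polls. The jail names, the `ECHO-DROP:` log prefix, the poller subnet and every log line are constructed for the example.

```python
"""Daily 'are the bots after me?' report from fail2ban bans and gateway-dropped
ICMP echo requests, with the ISP's subnet polls filtered out. Added example;
jail names, log prefix, poller subnet and all log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Assumed: the ISP pings its subnets from these sources to find live clients.
# They are noise for this report, not attackers.
ISP_POLLERS = [ipaddress.ip_network("192.0.2.0/29")]

# fail2ban.log ban notices look like:
#   2023-12-29 01:46:02,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
# "Unban" lines deliberately do not match, so a re-ban counts as a second hit.
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>[\d.]+)")

# Assumed gateway rule: `icmp type echo-request log prefix "ECHO-DROP: " drop`.
# The kernel logs the netfilter fields; TYPE=8 is an echo request, TYPE=0 a reply.
ECHO_RE = re.compile(r"ECHO-DROP: .*?SRC=(?P<src>[\d.]+) .*?PROTO=ICMP TYPE=8\b")


def bans_by_jail(f2b_lines):
    """{jail: Counter(ip -> number of bans)} from fail2ban.log lines."""
    out = {}
    for line in f2b_lines:
        m = BAN_RE.search(line)
        if m:
            out.setdefault(m.group("jail"), Counter())[m.group("ip")] += 1
    return out


def echo_probers(kern_lines):
    """Counter of sources whose echo requests were dropped, ISP pollers excluded."""
    hits = Counter()
    for line in kern_lines:
        m = ECHO_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in ISP_POLLERS):
            continue
        hits[m.group("src")] += 1
    return hits


def daily_report(f2b_lines, kern_lines, top=3):
    """Plain-text summary: per-jail ban totals, then the noisiest sources of each kind."""
    out = []
    for jail, c in sorted(bans_by_jail(f2b_lines).items()):
        out.append(f"[{jail}] {sum(c.values())} bans from {len(c)} sources")
        out += [f"  {ip:<15} {n}" for ip, n in c.most_common(top)]
    probes = echo_probers(kern_lines)
    out.append(f"[icmp-echo] {sum(probes.values())} dropped probes from {len(probes)} sources (ISP polls excluded)")
    out += [f"  {ip:<15} {n}" for ip, n in probes.most_common(top)]
    return "\n".join(out)


# Constructed sample logs (not from any real host).
SAMPLE_F2B = [
    "2023-12-29 01:46:02,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7",
    "2023-12-29 02:10:11,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.23",
    "2023-12-29 02:40:11,789 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 198.51.100.7",
    "2023-12-29 03:05:00,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7",
    "2023-12-29 04:00:00,002 fail2ban.actions        [1234]: NOTICE  [nginx-http-auth] Ban 203.0.113.77",
]
SAMPLE_KERN = [
    "Dec 29 01:00:00 gw kernel: ECHO-DROP: IN=eth0 OUT= SRC=192.0.2.3 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Dec 29 01:00:30 gw kernel: ECHO-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1",
    "Dec 29 01:00:31 gw kernel: ECHO-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=2",
    "Dec 29 01:02:00 gw kernel: ECHO-DROP: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=3 SEQ=1",
]

if __name__ == "__main__":
    print(daily_report(SAMPLE_F2B, SAMPLE_KERN))
```

The ISP filter is the part that matters: without it the echo counts are dominated by the provider's own polls and say nothing about attackers. Feed it the real fail2ban.log and the gateway's kernel log from cron and the output is the daily report described in the thread, minus the pictures.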

Old 12-29-2023, 04:51 PM   #52
rkelsen

Quote:
Originally Posted by newbiesforever
This is interesting. You make me suppose that anything we do on the internet attracts bots. What software can I use to see if bots are after me?
You only have to worry about this if your machine is running any Internet-facing services. If it's a desktop machine connected to a router, you have nothing to worry about... bots aren't coming after your web browser. Just keep your distro updated.
 
Old 01-01-2024, 11:25 AM   #53
newbiesforever (Original Poster)

Quote:
Originally Posted by rkelsen
You only have to worry about this if your machine is running any Internet-facing services. If it's a desktop machine connected to a router, you have nothing to worry about... bots aren't coming after your web browser. Just keep your distro updated.
Thanks, that particularly answers my question: because "desktop machine connected to a router" describes me exactly.
 
Old 01-02-2024, 02:17 PM   #54
niceflipper8827

In my 23+ years of using Unix-workalike operating systems, including GNU/Linux and practically every flavor of modern BSD, as a measure of security I try to either use sudo on the Linux side or doas on the BSD side of things, although I migrated to sudo on the BSDs as well because I feel more at home with the syntax of the sudoers file.
 
  


All times are GMT -5. The time now is 11:04 PM.
