I didn't know you were supposed to disable root user...

Endlessh and fail2ban are great to setup a ssh honeypot. There even is a Prometheus exporter version for some nice stats

Just expose endlessh on your public port 22 and if needed, configure your actual ssh on a different port. But generally: avoid exposing ssh if you don't actually need it or at least disable root login and disable password authentication completely.

https://github.com/skeeto/endlessh https://github.com/shizunge/endlessh-go https://github.com/itskenny0/fail2ban-endlessh

If it is your single purpose to create a blocklist of suspect IP addresses, I guess this could be a honeypot strategy.

If it's to secure your own servers, you're only playing whack-a-mole using this method. For every IP you block, ten more will pop up.

Instead of blacklisting, it's better to whitelist the IP addresses or ranges that have a legitimate reason to connect to your server, or alternatively use someting like geoip firewall rules to limit the scope of your exposure.

I disabled ssh on IPv4 and that reduced hacking attempts by 99%.

It's on IPv6 port 22 with a DNS pointing to it. I can log into it remotely by hostname. Easy.

Since I've switched to using SSH keys for all auth Ive had no problems I'm aware of. Plus I don't need to remember a bunch of passwords.

But then I've had no training in this area. What do I know