Cloud Instance + No Services != No Worries — Secure your servers

Spun up a new server on Linode last night. Didn’t do anything with it except power it up, no webserver or external services. Shouldn’t be surprised about this, but in the course of less than 12 hours, this new server instance had 9,445 failed root login attempts. All by IP – this server has no associated forward or reverse DNS entries published.

sshd:
    Authentication Failures:
       root (115.231.222.45): 3739 Time(s) - China
       root (103.41.124.50): 2698 Time(s) - China
       root (103.41.124.47): 494 Time(s) - China
       root (103.41.124.12): 474 Time(s) - China
       root (103.41.124.66): 453 Time(s) - China
       root (103.41.124.64): 435 Time(s) - China
       root (103.41.124.58): 426 Time(s) - China
       root (103.41.124.55): 423 Time(s) - China
       root (115.239.228.9): 90 Time(s) - China
       root (115.231.223.170): 89 Time(s) - China
       root (115.239.228.6): 50 Time(s) - China
       root (61.174.49.103): 27 Time(s) - China
       root (178.162.212.20): 13 Time(s) - Germany
       root (124.95.128.253): 12 Time(s) - China
       unknown (124.95.128.253): 11 Time(s) - China
       unknown (178.162.212.20): 9 Time(s) - Germany
       unknown (213.136.68.234): 2 Time(s) - Germany

Big props to China for weighing in at #1 with 9,421 failed login attempts. Germany needs to step their game up, only 24 times?

It’s game over now, thanks to tcpwrappers, fail2ban and CSF. Just a friendly reminder to secure your servers. Had there been production data and a weak password on this instance, things would have been bad. Throw in a database, and who knows.

Since the IP address space can be easily queried for on-demand providers like Linode, Amazon, LiquidWeb, etc., it’s very probable that there are constant scans being run there, hoping to find a weak password or vulnerability to exploit.

Thinking of spinning up another instance as a honeypot to run for a while, might have some interesting results.
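To show how a per-IP report like the one above is built from raw sshd log lines, and how a fail2ban-style threshold picks out addresses to block, here is an added example that is not part of the original post. The log lines are constructed samples using documentation IP ranges; the `maxretry` and `findtime` names mirror fail2ban's options, and their values and the default year are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not from the post's server.
SAMPLE = [
    f"Jan 10 03:00:0{i} host sshd[100{i}]: Failed password for root from 203.0.113.7 port 4000{i} ssh2"
    for i in range(6)
] + [
    "Jan 10 03:05:00 host sshd[2001]: Failed password for invalid user admin from 198.51.100.9 port 5111 ssh2",
    "Jan 10 04:30:00 host sshd[2002]: Failed password for root from 198.51.100.9 port 5112 ssh2",
    "Jan 10 04:31:00 host sshd[2003]: Accepted publickey for deploy from 192.0.2.10 port 5200 ssh2",
]

# OpenSSH "Failed password" lines, for existing and invalid users alike.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(lines, year=2015):  # syslog omits the year; the default is an assumption
    """Yield (timestamp, user, ip) per failed login; invalid users become 'unknown'."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, ("unknown" if m["invalid"] else m["user"]), m["ip"]

def summarize(events):
    """Count failures per (user, ip), the same grouping as the report above."""
    return Counter((user, ip) for _, user, ip in events)

def ban_candidates(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Return IPs with at least maxretry failures inside any findtime window."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    # Pair each timestamp with the one maxretry-1 positions later in sorted order.
    hit = lambda s: any(b - a <= findtime for a, b in zip(s, s[maxretry - 1:]))
    return {ip for ip, s in by_ip.items() if hit(sorted(s))}

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for (user, ip), n in summarize(events).most_common():
        print(f"{user} ({ip}): {n} Time(s)")
    print("ban:", sorted(ban_candidates(events)))
```
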
