The joys of maintaining your own server

Nenad Lukic
Mockadillo
Jan 11, 2020

First of all, happy holidays to all! I hope you are well rested.

Choosing to maintain our own servers at a time when everything is cloud based was a decision driven by wanting more control, and since deploying Mockadillo we have learned a lot. The biggest lesson, surprisingly for us, is how actively the world probes your setup for security flaws. And when we say the world, we mean the world.

Analyzing the ssh logs from our servers is always a joyous occasion, with IP addresses from all over the globe trying to break in, and it led us to a question: what would we see if we took a deeper look at the logs with the basic security measures removed?

Keeping safe

Generally speaking we try to always at least do the ABCs of server security maintenance:

  • Disable ssh root login;
  • Change the ssh port to something arbitrary;
  • Install fail2ban;

In our experience these make a solid foundation against the bulk of opportunistic attacks and cost nothing in terms of effort. Two caveats are worth keeping in mind, though. Moving the port only cuts the noise from scanners that try 22 and nothing else; anyone who port-scans first will find sshd anyway. And none of the three stops a guess from succeeding against a weak password, so disabling password authentication in favour of keys belongs on the same list.
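As an added example (not code from the original post), the following POSIX shell script checks an sshd_config for the settings above, plus PasswordAuthentication and MaxAuthTries. The two configs it inspects are constructed samples, and the values it assumes for absent directives are OpenSSH's defaults (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6):

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# basics listed above (root login, port) plus PasswordAuthentication and
# MaxAuthTries. The two configs below are constructed samples; on a real host
# pass the contents of /etc/ssh/sshd_config instead.

WEAK_CONFIG='
# constructed sample: stock-looking config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
'

HARDENED_CONFIG='
# constructed sample: the same config after hardening
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
'

# Effective value of one directive. sshd takes the first occurrence of a
# directive and matches names case-insensitively; comment lines are skipped.
# Prints nothing when the directive is absent (i.e. the default applies).
sshd_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# One line per weak setting, nothing when the config passes.
audit_sshd() {
    port=$(sshd_value Port "$1")
    root=$(sshd_value PermitRootLogin "$1")
    pass=$(sshd_value PasswordAuthentication "$1")
    tries=$(sshd_value MaxAuthTries "$1")

    # Absent directives fall back to the OpenSSH defaults.
    [ -n "$port" ]  || port=22
    [ -n "$root" ]  || root=prohibit-password
    [ -n "$pass" ]  || pass=yes
    [ -n "$tries" ] || tries=6

    [ "$port" != "22" ] || echo "Port 22: default port, expect constant scanner noise"
    [ "$root" = "no" ]  || echo "PermitRootLogin $root: set it to no"
    [ "$pass" = "no" ]  || echo "PasswordAuthentication $pass: set it to no and use keys"
    [ "$tries" -le 3 ]  || echo "MaxAuthTries $tries: lower it, 3 is plenty"
}

# Number of findings, handy as a pass/fail gate in a provisioning script.
audit_count() {
    audit_sshd "$1" | awk 'END { print NR }'
}

echo "== weak config =="
audit_sshd "$WEAK_CONFIG"
echo "== hardened config: $(audit_count "$HARDENED_CONFIG") findings =="
```

Run it against the live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; a non-zero `audit_count` is a reasonable thing to fail a provisioning run on. Note that fail2ban is a separate service, so its presence is not something this check can see in sshd_config.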

Becoming vulnerable

For the purpose of this article we left our server out in the cold for some time (with some other security measures in place to stop intruders in case somebody actually got through) and just gathered information.

We encountered so many attempts by attackers to ssh into our servers with some very creative usernames that we decided to share some stats, so that everyone can see just how interesting these logs can get (and to bring to light just how careful you should be when running your own server).

We are all aware that there are a lot of different people doing this: some out of boredom, some to learn, and some with malicious intent, probably trying to use your server to mine some l33tcoin. There is also software that makes it easy for the average Joe to have a go at servers by trying frequently used credentials like test or admin, so those show up quite often in the logs.

Results

During the month of December we had around 7000 attempts to gain access to the system. Unfortunately, due to the sheer number of attempts we lost some logs (a good argument for shipping logs off the box or raising the rotation limits), but most of the data is there, and here we present the results for the period from Dec 9th 2019 until Dec 25th 2019.

In total there were 4834 attempts to ssh into our server. Many usernames were duplicates, but there is still an impressive number of unique ones, 1182 to be exact. The top 30 include usernames such as jenkins, tomcat, mysql and minecraft: service accounts that attackers expect to exist, often with a default or weak password.

Top 30 used usernames

Alongside the most used, obvious ones are some niche ones like sarah143 and Annalyn32, which showed up 3 times; sorry hackers, no Sarahs here.
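How numbers like these are pulled out of a log, as an added example that is not part of the original post: the script below takes OpenSSH's syslog lines, keeps only failed password attempts, and produces the total, the unique-username count and the top usernames and source IPs. The log lines are constructed (hostname mock, RFC 5737 documentation addresses), not the Mockadillo server's data:

```shell
#!/bin/sh
# Added example, not from the original post: pull the failed ssh logins out of
# an auth.log, then produce the numbers the post reports (total attempts,
# unique usernames, top usernames and source IPs). LOG is a constructed sample
# in OpenSSH's syslog format using RFC 5737 documentation addresses; on a real
# host feed it /var/log/auth.log (or journalctl output) instead.

LOG='
Dec  9 03:12:44 mock sshd[2231]: Failed password for invalid user jenkins from 203.0.113.5 port 40312 ssh2
Dec  9 03:12:47 mock sshd[2231]: Failed password for invalid user jenkins from 203.0.113.5 port 40312 ssh2
Dec  9 03:13:01 mock sshd[2240]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec  9 03:13:05 mock sshd[2244]: Invalid user tomcat from 192.0.2.19 port 60100
Dec  9 03:13:05 mock sshd[2244]: Failed password for invalid user tomcat from 192.0.2.19 port 60100 ssh2
Dec  9 03:14:10 mock sshd[2250]: Failed password for invalid user mysql from 203.0.113.5 port 40400 ssh2
Dec  9 03:15:33 mock sshd[2257]: Failed password for invalid user minecraft from 198.51.100.7 port 51100 ssh2
Dec  9 03:16:02 mock sshd[2260]: Failed password for root from 203.0.113.5 port 40450 ssh2
Dec  9 03:16:09 mock sshd[2261]: Failed password for root from 198.51.100.7 port 51130 ssh2
Dec  9 03:16:40 mock sshd[2262]: Connection closed by invalid user admin 192.0.2.19 port 60200 [preauth]
Dec  9 03:20:00 mock sshd[2270]: Accepted publickey for deploy from 192.0.2.50 port 44000 ssh2
'

# One "user ip" pair per failed password attempt. Only lines whose message
# starts with "Failed password for" count, so the "Invalid user" notice that
# precedes an attempt, preauth disconnects and successful logins are excluded.
# Caveat: syslog's "message repeated N times" collapsing is not expanded here,
# so on a busy host this is a lower bound.
failed_logins() {
    printf '%s\n' "$LOG" | awk '
        /sshd\[[0-9]+]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    # "for invalid user NAME" vs "for NAME" (an existing account)
                    if ($(i + 1) == "invalid" && $(i + 2) == "user") user = $(i + 3)
                    else user = $(i + 1)
                }
                if ($i == "from") ip = $(i + 1)
            }
            if (user != "" && ip != "") print user, ip
        }'
}

attempt_count()     { failed_logins | awk 'END { print NR }'; }
unique_user_count() { failed_logins | awk '{ print $1 }' | sort -u | awk 'END { print NR }'; }

# Top N usernames / source IPs as "count value", most frequent first.
top_users() { failed_logins | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "${1:-30}" | awk '{ print $1, $2 }'; }
top_ips()   { failed_logins | awk '{ print $2 }' | sort | uniq -c | sort -rn | head -n "${1:-10}" | awk '{ print $1, $2 }'; }

echo "attempts: $(attempt_count), unique usernames: $(unique_user_count)"
echo "top usernames:"; top_users 5
echo "top source IPs:"; top_ips 3
```

On a real host, set LOG to the contents of /var/log/auth.log (Debian and Ubuntu) or the output of `journalctl -u ssh` (or `-u sshd`, depending on the distribution); the post's top-30 list is `top_users 30`, and `top_ips 10` gives the list that was geolocated below. Because the usernames come straight from attacker input, keep them as data (awk fields, never `eval`) if you extend the script.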

Location

We didn't bother reporting these IPs, since they are most likely rented or compromised machines rather than the attackers' own, but just for fun, here is the geolocation for the top 10. Keep in mind that it tells you where the machine is, not where the person behind it sits.

Location analysis for the top 10 naughty IPs

For whatever reason (probably because our server is in Europe) we were targeted mostly from European addresses.

Conclusion

This was a fun, small experiment that shows how seriously you have to take security when managing your own server. The days when you had to make enemies before anyone attacked you are long gone; being reachable is enough, and the days of always having to think about security have arrived.

Having basic protection is simple, and there are no excuses for exposed servers. Stay safe out there.


Founder of @mockadillo, other than blurting out code I also like swimming.