Every Server Is A Kind Of Honeypot

June 13, 2017

I was going to write something different, but last night I created a DigitalOcean droplet for an experiment and didn’t finish. So tonight I came back to it and happened to look at /var/log/auth.log, which seemed somewhat large for a newly created droplet.

There were 98 IP addresses that attempted to log into the server. I don’t know if these were purely random or the IP was formerly known as something else. From the logs it was obvious that these were not legitimate attempts.

In any case I ran the collection through the tool at InfoByIp.com and got an interesting mix of domains and countries.

Most of the login attempts seemed to be looking for common default users like admin, support and of course root, combined with attempts at things like postgres and hadoop, and odd ones like jack and jeff and pi. None of them succeeded; generally sshd rejected them after too many failed attempts. The server only responds to my private key, so it should be secure, and there are no services available either.
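As an added example that is not from the original post, here is a short Python script that tallies what the post describes from auth.log: failed attempts per source IP and per username, the sshd "maximum authentication attempts exceeded" lines that correspond to clients being cut off after too many tries, and any accepted login, flagging an accepted password login separately since on a key-only server that should never appear. The log lines are constructed in sshd's format using documentation IP ranges, not taken from the post.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's /var/log/auth.log format (not from the post).
SAMPLE_AUTH_LOG = """\
Jun 13 03:14:07 droplet sshd[1234]: Invalid user admin from 203.0.113.5 port 51234
Jun 13 03:14:09 droplet sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 13 03:14:12 droplet sshd[1234]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 51234 ssh2 [preauth]
Jun 13 03:15:01 droplet sshd[1240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 13 03:15:03 droplet sshd[1240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 13 03:16:30 droplet sshd[1251]: Invalid user pi from 203.0.113.9 port 33000
Jun 13 03:16:31 droplet sshd[1251]: Failed password for invalid user pi from 203.0.113.9 port 33000 ssh2
Jun 13 03:20:00 droplet sshd[1260]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: RSA SHA256:ExampleFingerprint
"""

# "Failed password for [invalid user ]NAME from IP port N ssh2"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Emitted when a client burns through MaxAuthTries and sshd drops the connection.
LOCKOUT_RE = re.compile(r"sshd\[\d+\]: error: maximum authentication attempts exceeded for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# "Accepted publickey|password for NAME from IP port N"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_auth_log(text):
    """Tally failed logins by IP and username, lockouts by IP, and accepted logins."""
    failed_by_ip, failed_users, lockouts, accepted = Counter(), Counter(), Counter(), []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_users[m["user"]] += 1
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            lockouts[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return {
        "distinct_failed_ips": len(failed_by_ip),
        "failed_by_ip": failed_by_ip,
        "failed_users": failed_users,
        "lockouts": lockouts,
        "accepted": accepted,
        # Anything here on a key-only server means PasswordAuthentication is not actually off.
        "password_accepted": [a for a in accepted if a[2] == "password"],
    }


if __name__ == "__main__":
    summary = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("distinct failed IPs:", summary["distinct_failed_ips"])
    print("top usernames:", summary["failed_users"].most_common(5))
    print("accepted logins:", summary["accepted"])
    print("accepted PASSWORD logins (should be empty):", summary["password_accepted"])
```

To run it on a real host, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log; the "Invalid user" lines are deliberately not counted so each attempt is tallied once.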

Connections came from Argentina, Australia, Brazil, China, Colombia, Ecuador, France, Germany, India, Italy, Japan, Republic of Korea, Latvia, Republic of Moldova, Netherlands, Peru, Romania, Russian Federation, Seychelles, Sweden, Taiwan, Turkey, United Kingdom, United States, and Vietnam, with China the most common source.

I am sure for people who routinely monitor servers this is not anything new or exciting, but I found it interesting anyway since I rarely do much on the server side, being an iOS developer these days.

I wonder what the cost in bandwidth and server time is over the entire planet if every public server is abused in this manner. Clearly the cost to try is minimal, and if only a tiny percentage succeeds then there must be enough of a payoff to make it worthwhile. I have known enough people with zero understanding of internet security, so there are plenty of targets.