Tech Server security. ALERT - GoFuckYourself.com

VRPdommy · 09-10-2020, 07:08 PM

I run 6 virtual servers + 1 I use for a 'honey pot' in testing/recording security for use in the others. They are not in the same racks or cities or cloud company's. But all have increased hack attempts.

Lately the amount of hack traffic is very high. Now, my security is tight and systems have been configured non-standard for many years. I would suggest most of you do that, but, since I look at my log files often, twice a day, I see the type of attempts that are being perpetrated which sometimes takes a while to figure out the intent. And I may not always have that correct, and because I find methods to stop the attempts, I will never really know. So, I don't mind not knowing for sure.

But to give you a idea of how heavy this attempted hack traffic is...
My log files exploded on one server and ran out of disk space (using up just under 300MB free space in 2 days/36 hours) It is deliberate for me to keep a small amount of space on my servers as there is not growing input except for logs. But that was not that small.

You might also note that I have 1/3 of all WW IP's permanently blocked. Many of you may not be able to do that I understand as it might cut your customer base. But this coming despite my large blocks.

The hacks seem to have a unlimited supply of 'compromised IP's' from hosting company's (hope you are not one of them) so, I am not seeing the same ip in the same day. Normally that would stop things like LFD from even issuing a temporary block automatically.

These are large scale coordinated attacks. One hacker working through hundreds of compromised systems to multiple targets, all day and night via a scripted hack.
The main targets seem to be sql db injections and wordpress hacks. But I would guess any open port if you have them.

So, I present you with the idea that any of you managing your own servers need to spend a little more time in your logs and more often. If you can chart your cpu/net/disk activity, it can lead you to unusual events if you look for them. But these are slower and very persistent. About 3-6 per hack type per minute. About 20 per min overall. They seem to try not to alert admin by soaking up cpu cycles. So, it's a gradual increase that I suppose will increase even more if no action is taken.

Just a heads up for those who mange their own.
If you have managed hosting, let's hope your operators are on top of things.

09-10-2020, 07:08 PM	#1
VRPdommy Confirmed User Industry Role: Join Date: Oct 2014 Posts: 8,871	Server security. ALERT I run 6 virtual servers + 1 I use for a 'honey pot' in testing/recording security for use in the others. They are not in the same racks or cities or cloud company's. But all have increased hack attempts. Lately the amount of hack traffic is very high. Now, my security is tight and systems have been configured non-standard for many years. I would suggest most of you do that, but, since I look at my log files often, twice a day, I see the type of attempts that are being perpetrated which sometimes takes a while to figure out the intent. And I may not always have that correct, and because I find methods to stop the attempts, I will never really know. So, I don't mind not knowing for sure. But to give you a idea of how heavy this attempted hack traffic is... My log files exploded on one server and ran out of disk space (using up just under 300MB free space in 2 days/36 hours) It is deliberate for me to keep a small amount of space on my servers as there is not growing input except for logs. But that was not that small. You might also note that I have 1/3 of all WW IP's permanently blocked. Many of you may not be able to do that I understand as it might cut your customer base. But this coming despite my large blocks. The hacks seem to have a unlimited supply of 'compromised IP's' from hosting company's (hope you are not one of them) so, I am not seeing the same ip in the same day. Normally that would stop things like LFD from even issuing a temporary block automatically. These are large scale coordinated attacks. One hacker working through hundreds of compromised systems to multiple targets, all day and night via a scripted hack. The main targets seem to be sql db injections and wordpress hacks. But I would guess any open port if you have them. So, I present you with the idea that any of you managing your own servers need to spend a little more time in your logs and more often. If you can chart your cpu/net/disk activity, it can lead you to unusual events if you look for them. But these are slower and very persistent. About 3-6 per hack type per minute. About 20 per min overall. They seem to try not to alert admin by soaking up cpu cycles. So, it's a gradual increase that I suppose will increase even more if no action is taken. Just a heads up for those who mange their own. If you have managed hosting, let's hope your operators are on top of things.