One of the scariest things about running a home server is cyber attacks. Jeff Melnick, writing on the Netwrix blog, defines a cyber attack as: “A cyber attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter or destroy data or information systems.”
Any server or device exposed to the Internet is a target for disgruntled individuals or rogue organizations with one interest in mind: gaining illegal access to your device (in this case, your home server). On a daily basis my server sees somewhere around a thousand-plus attempts, such as “Authentication failure for root via sshd from 184.108.40.206” and “Failed login attempt for invalid user fake from 220.127.116.11 (ssh2).” This means one has to stay on one's toes when it comes to home-server security. Unfortunately, in my case, most of the attacks originate from hackers of Chinese origin. There are a few from India and Vietnam. However, I'm sure that my listing has attacks from various other locations around the world.
There are several things one should do to stay on top of these attacks. Install, and keep current, an attack detector, an intrusion detection system (IDS) and an intrusion prevention system (IPS); these packages help a great deal with system security. For e-mail, use an anti-malware package. Depending on the operating system you run, many of these packages are open source, and some include an IP-blocking feature: after a set number of failed logins from the same address within a short window, the address gets a firewall rule dropping its traffic. In my case the security packages are part of the download-and-install system provided by ClearOS.
Additionally, use passwords that are hard to guess and change them routinely. Since the noise in the logs above is almost entirely password guessing against root and made-up user names, it is also worth taking those guesses off the table entirely: set PermitRootLogin no and PasswordAuthentication no in sshd_config and log in with SSH keys instead. Routinely check for and apply the latest security patches, and keep the server OS on the latest stable release. The point is that running a home server does require some extra work.
There are many ways to look up information about your attackers. Googling “whois” followed by the IP address returns a lot of information from various legitimate sources, and on Linux the whois command itself queries the regional Internet registry for the address directly. There are thousands of Internet sources with good information about types of attacks and the countermeasures you can take; I suggest reading up on both. One of my favorite sites for tracking malicious IPs is “Black Hat Directory.” However, most of the time I prefer a direct Google search for “whois” followed by the IP address. You'll be surprised how much information is uncovered.
The list of attackers and IPs is indeed large. However, below is a list of the most frequent attackers on my server, their IPs, and some identifying information with locations. Note that the acronym ISP is followed by either a company or a domain. The ISP is not necessarily involved in the attacks; it is the individual(s) or organization(s) hiding behind the Internet Service Provider (ISP). Nor is the IP shown necessarily the attacker's own machine. Spoofing, the act of disguising a communication from an unknown source as being from a known, trusted source, is not what is happening here: an SSH login attempt rides on TCP, and the attacker has to complete the three-way handshake from the real source address before sshd will even ask for a password, so the address in the log is one the attacker genuinely controls. What it usually is, though, is a compromised host, rented VPS or proxy used as a launching point, so the country a whois lookup reports is where that host sits, not necessarily where the operator is.
List of most frequent visitors:
18.104.22.168, ISP, ChinaNet Jiangsu Province Network, Zhenjiang, Jiangsu, China
22.214.171.124, ISP, AS4837 CHINA UNICOM China169 Backbone, China
126.96.36.199, ISP, ChinaNet Jiangsu Province Network, China
188.8.131.52, ISP, DigitalOcean LLC, Bangalore, Karnataka, India
184.108.40.206, ISP, V6Yun (Beijing) Network Co. Ltd, v6yun.com, China
220.127.116.11, ISP, ChinaNet Jiangsu Province Network, chinatelecom.com.cn, China
18.104.22.168, ISP, ChinaNet Jiangsu Province Network, chinatelecom.com.cn, Zhenjiang, Jiangsu, China
22.214.171.124, ISP, Hypernet Vietnam Technology Company Limited, Hanoi, Ha Noi, Vietnam
The latest attack (Oct 5) comes from Russia: “Authentication failure for root via sshd from sib-ecometall.ru” (here the log records the source's reverse-DNS name rather than its IP address).
As I previously mentioned, the list of attacking IPs is large; I cannot sit here all day writing IP after IP. The ones mentioned above are the most frequent attackers on my server. There are ways to extract this information out of the Linux logs into text files that I could use to write up a comprehensive listing, but that is something for another day.
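As an added example (it is not the author's own script and not part of ClearOS), here is the kind of extraction the paragraph above alludes to, written for a POSIX shell. It tallies sshd authentication failures per source from log lines in the two formats quoted in this post, and goes a little beyond them by also handling the standard OpenSSH “Failed password for … from …” form and a reverse-DNS name in place of an address (as in the sib-ecometall.ru entry). It then lists the sources that reach a fail2ban-style retry threshold, which is the same count the IP-blocking feature mentioned earlier acts on, and prints the iptables rule that would block each one. The log lines, the host name “homeserver”, the PIDs and the RFC 5737 documentation addresses are all constructed for the example; the function names tally_failures, ban_candidates and ban_rules are my own. On a real server you would feed /var/log/secure or /var/log/auth.log in place of the sample variable.

```shell
#!/bin/sh
# Added example, not from the original post or from ClearOS.
# Tally sshd login failures per source host and list the ones that reach a
# ban threshold: the same counting that fail2ban-style IP blocking performs
# before it inserts a firewall rule.

# Constructed sample log lines (RFC 5737 documentation addresses, not real
# attack data). On a live server pipe in /var/log/secure or /var/log/auth.log.
SAMPLE_LOG='Oct  5 03:11:02 homeserver sshd[2211]: Authentication failure for root via sshd from 203.0.113.7
Oct  5 03:11:04 homeserver sshd[2211]: Authentication failure for root via sshd from 203.0.113.7
Oct  5 03:11:09 homeserver sshd[2214]: Failed login attempt for invalid user fake from 198.51.100.23 (ssh2)
Oct  5 03:11:15 homeserver sshd[2218]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  5 03:12:40 homeserver sshd[2230]: Failed login attempt for invalid user admin from 198.51.100.23 (ssh2)
Oct  5 03:13:01 homeserver sshd[2235]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Oct  5 03:14:22 homeserver sshd[2240]: Authentication failure for root via sshd from sib-ecometall.ru
Oct  5 03:15:00 homeserver sshd[2244]: Failed login attempt for invalid user test from 192.0.2.99 (ssh2)
Oct  5 03:15:31 homeserver sshd[2250]: Authentication failure for root via sshd from 203.0.113.7'

# Read log text on stdin; print "count source" for every failing source,
# most frequent first (ties broken by source name so the output is stable).
# Successful logins ("Accepted ...") are deliberately not matched, and the
# source is taken as the token after " from ", so a reverse-DNS name works too.
tally_failures() {
    grep -E 'Authentication failure for|Failed login attempt for|Failed password for' \
    | sed -E 's/.* from ([^ ]+).*/\1/' \
    | sort | uniq -c \
    | awk '{ print $1, $2 }' \
    | sort -k1,1nr -k2,2
}

# Read log text on stdin; print only the sources whose failure count reaches
# the threshold given as $1 (what fail2ban calls maxretry). These are the
# candidates for an IP block.
ban_candidates() {
    tally_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Read log text on stdin; print the iptables command that would drop each
# candidate. Printed rather than executed so the script is safe to run as-is;
# review the list (make sure your own address is not on it) before piping
# the output into sh as root.
ban_rules() {
    ban_candidates "$1" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Demo run over the constructed sample: the per-source table, then the
# block rules for anything with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | tally_failures
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

To turn the table into the kind of listing used above, pipe the second column of tally_failures into whois one address at a time; whois needs network access, which is why the example stops at the count. The threshold is deliberately a parameter: a low maxretry catches slow scanners, but it also locks out a family member who mistypes a password twice, so pair it with key-based login rather than relying on blocking alone.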