It’s a pretty commonly accepted notion: Put something out on the Internet, and a whole bunch of people are going to take a swing at it. Turn up a new wordpress site? All kinds of spam in the comments, failed logins to the admin portal, and that’s even before you get any actual readers who might want to read what you have to say!
Following some basic precautions will ensure these “attacks” stay merely annoyances, and not full blown problems:
- Install updates as soon as they are available (or as close as possible)
- Use complex passwords – and change the built in ones!
- Enable two factor authentication
- Implement some kind of intrusion detection
In the course of various projects we’ll spin up a bunch of Internet facing servers, and pretty much within minutes we see blind attempts to log into our systems, from IPs that have no business being there. We’ve gotten used to following the pattern of hardening systems before Internet exposure, but rather than just roll our eyes at yet another attempt to log in as root, we thought it would be an interesting study to quantify exactly how much unwanted traffic we see.
What impacts the numbers most?
- Do net blocks assigned to virtual server hosting companies draw more attention than a server stood up on a residential connection?
- Does the presence of a DNS name assigned to the public IP matter?
- Would active blocking of offending IPs deter them , or will they return again later?
Without crossing the line into a honeypot experiment (which is really interesting too, but a topic for another day), we’re working on a study to try to put some data to this and see if these attacks are truly blind or if they are somewhat targeted.
We will configure 4 different servers for access to the Internet:
- Linux server with SSH and a WordPress site – VPS Host – DNS entry with reverse lookup
- Linux server with SSH and a WordPress site – VPS Site – no DNS entry
- Linux Server with SSH and WordPress – Residential Internet Connection – DNS entry with reverse lookup
- Linux Server with SSH and WordPress – Residential Internet Connection – No DNS entry
Depending on the results of this survey we may branch out and test additional configurations.