Recently, I have been reading a lot of my Ubuntu log files (in /var/log/auth.log), and I can see that some IP addresses are actually trying to 'brute-force' their way into my VM using SSH by testing a lot of very simple combinations (like root usernames, or very common app usernames such as php or mysql).

Just curious, how do these attackers find out about my particular IP? Are they performing this attack on a lot of different machines at the same time or is it just me?

  • They didn't find *your* IP, they found *an* IP, and it was yours. It's like someone calling a random number and getting *your* number. – ThoriumBR Jan 21 '19 at 20:10
  • It's the modern equivalent of a vagrant that goes around the parking lot trying each door handle to find unlocked cars to pilfer. – dandavis Jan 22 '19 at 17:51

1 Answer

There are just about 4,294,967,296 available IPv4 addresses on the Internet. That's not that many, and some bots attack the whole IPv4 address space randomly (incrementing the IP or just trial and error). In some cases they find a machine which is badly configured or outdated, which makes it attackable with well-known exploits, also known as CVEs. If an attack is successful they can do whatever they want with the machine, like integrating it into a botnet or other bad things, and move on to the next address. With IPv4 that's easy, but not with IPv6. If you want to minimize your attack surface, try to switch to version 6. It's harder to find machines with so many more addresses available. I also get a lot of attacks every day on my router. That's why it's so important to update your network gateway or other machines.

Cyberduck
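Added example, not part of the original question or answer: a small Python summary of the kind of `auth.log` entries the question describes, grouping failed SSH password attempts by source address and by the usernames tried. The sample lines are constructed (documentation IP ranges, usual OpenSSH syslog wording), and the thresholds are assumptions to tune.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; not taken from the asker's machine.
SAMPLE_AUTH_LOG = """\
Jan 21 19:58:01 vm sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 21 19:58:03 vm sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 21 19:58:07 vm sshd[1207]: Invalid user php from 203.0.113.5 port 40152
Jan 21 19:58:09 vm sshd[1207]: Failed password for invalid user php from 203.0.113.5 port 40152 ssh2
Jan 21 19:58:15 vm sshd[1215]: Failed password for invalid user mysql from 203.0.113.5 port 40201 ssh2
Jan 21 20:01:44 vm sshd[1290]: Failed password for root from 198.51.100.23 port 51822 ssh2
Jan 21 20:03:10 vm sshd[1302]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
Jan 21 20:04:02 vm sshd[1310]: Failed password for alice from 192.0.2.10 port 50530 ssh2
"""

# The username is attacker-controlled and may contain spaces or " from ...",
# so match it greedily and anchor on the end of the line: the last
# "from <ip> port <n> ssh2" is the one sshd wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")

def summarize(log_text):
    """Return (failures per IP, usernames tried per IP, IPs with a successful login)."""
    failures, users, accepted = Counter(), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.group(1))
    return failures, users, accepted

def likely_scanners(log_text, min_failures=3, min_users=2):
    """IPs that tried several different usernames and never logged in."""
    failures, users, accepted = summarize(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and len(users[ip]) >= min_users
                  and ip not in accepted)

if __name__ == "__main__":
    for ip in likely_scanners(SAMPLE_AUTH_LOG):
        print(ip)
```

On a real host, pass the contents of `/var/log/auth.log` to `likely_scanners` instead of the sample string.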