I love watching 'stuff' happen in the terminal...

BORED? - WATCH THE BOTS ATTACK YOUR SYSTEMS

So ... every once in a while I open terminal windows and watch the logs scroll by. A useful command to know is "tail -F <logFileName>" or "sudo tail -F <logFileName>"; run it and watch the entries in the log scroll by ... (CTRL-C exits the "tail" command.)

-> The live logs are more interesting if your Linux computer is connected directly to the internet. You should not normally see attacks on your desktop computer if it is behind a typical home router.

Home Router:
See if your router offers a logging capability you can monitor. Bots are constantly pounding against our home internet connections. Sometimes I watch them from our firewall/router. At home, we average 10-20 attacks per minute - just bots hammering against random ports, all dropped by the firewall. It is fun to watch - give it a try.
-> Shock your family and friends when you show them how many attacks are going against their home internet connections. Show them the live action, of course. :)

(By the way, how old is your router? When was the last time you updated its firmware? For that matter, when was the last time that the manufacturer released an update for it?)

Watch the Firewall Reject Bots Attacking Your Server:
I have two VPSs running Debian 10 and 11 respectively, and they are exposed directly to the internet. I changed the SSH port on them, so it is more fun to watch the random bots hammering against the firewall. Random IP addresses on the internet do various TCP/IP things with random source ports and destination ports. Certain "well-known" ports get more attention, including ports 20-25, 53, 80, 443, email ports, and the popular variations on regular ports like 8080, 4443, etc.

Watch Attackers Try to Connect to Your SSH Server:
I have Oracle Linux and Ubuntu Linux instances running in Oracle Cloud Free Tier. By default, they are configured with SSH on port 22, but password authentication is disabled. I provided my own public key for authentication. I can watch the failed SSH login attempts on those servers, since I did not change from port 22 to another port. The fun part of watching failed login attempts is collecting the usernames that they try. There are the usual "root", "admin", "test", "oracle", "ubuntu", etc., but recently there are also many fun names like "kitty", "nurul", "visitante", ... and plenty more. I would say that they average one or two attempts per minute.

INTERESTING OBSERVATION:
Many bots are trying to log in to Oracle Cloud instances using SSH public key authentication. I wonder why. What makes them believe that they will get lucky with a matching private key? I suspect that they are trying to exploit an unpatched SSH flaw in the server.

Log files vary in their names and locations because different distros are ... different. In addition, there are special log file viewing commands that let you view and filter log files. I don't know them. I just use "tail". (It seems like a good opportunity for another tutorial from @KGIII.) Anyway, here are a few log files that you can look for:

Viewing System Logs, including the Firewall, in Debian:
  • sudo tail -F /var/log/syslog
Viewing SSH login attempts:
  • Ubuntu 22.04: sudo tail -F /var/log/auth.log
  • Oracle Linux (RedHat derivative): sudo tail -F /var/log/secure
  • Another interesting log showing SSH attempts in Oracle Linux: sudo tail -F /var/log/audit/audit.log
I hope somebody here finds some fun from this post.
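As an added example (this is not code from the post above), here is a small Python script that does the "collecting the usernames" part of the exercise for you. It reads the sshd lines that land in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Oracle Linux), counts one attempt per connection rather than one per log line, and keeps successful "Accepted publickey" logins separate from the failures. The sample log embedded in it is constructed: the host name, PIDs, usernames and addresses are made up, and the file name sshd_tally.py is an assumption.

```python
"""Tally failed SSH logins from the sshd lines in auth.log / secure.

Added example for this thread, not the poster's code. Live use (assumed name):
    sudo tail -F /var/log/auth.log | python3 sshd_tally.py
"""
import re
import sys
from collections import Counter

# Constructed sample in the syslog format sshd uses on Debian/Ubuntu
# (/var/log/auth.log) and Oracle Linux/RHEL (/var/log/secure). Addresses are
# RFC 5737 documentation ranges; nothing here comes from a real server.
SAMPLE_LOG = """\
Mar  3 10:01:12 vps1 sshd[2211]: Failed password for root from 203.0.113.5 port 41234 ssh2
Mar  3 10:01:15 vps1 sshd[2213]: Invalid user admin from 203.0.113.5 port 41236
Mar  3 10:01:15 vps1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 41236 ssh2
Mar  3 10:02:40 vps1 sshd[2220]: Invalid user kitty from 198.51.100.7 port 50010
Mar  3 10:02:40 vps1 sshd[2220]: Connection closed by invalid user kitty 198.51.100.7 port 50010 [preauth]
Mar  3 10:03:01 vps1 sshd[2225]: Connection closed by authenticating user root 203.0.113.5 port 41240 [preauth]
Mar  3 10:03:30 vps1 sshd[2230]: Invalid user visitante from 198.51.100.7 port 50012
Mar  3 10:03:30 vps1 sshd[2230]: Disconnected from invalid user visitante 198.51.100.7 port 50012 [preauth]
Mar  3 10:04:00 vps1 sshd[2240]: Accepted publickey for ubuntu from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:AAAA
Mar  3 10:04:05 vps1 CRON[2245]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mon DD HH:MM:SS host sshd[pid]: message" (classic rsyslog / journalctl short format)
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Each of these marks one failed or abandoned login. With password auth disabled
# (as on the Oracle Cloud instances in the post) you mostly see the
# "Connection closed by ... user" form, because the client never gets to try a
# password. The user field is \S* because sshd logs an empty name for some
# malformed clients ("Invalid user  from ...").
ATTEMPT_RES = [
    re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S*) from (?P<ip>\S+) port (?P<port>\d+)"),
    re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+) port (?P<port>\d+)"),
    re.compile(r"^(?:Connection closed by|Disconnected from) (?:invalid|authenticating) user "
               r"(?P<user>\S*) (?P<ip>\S+) port (?P<port>\d+)"),
]
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def iter_events(lines):
    """Yield one event per sshd line of interest.

    ("attempt", user, ip, port) for a failed or abandoned login, deduplicated so
    that the two or three lines sshd writes for one connection (same pid, user,
    ip, port) count once; ("accepted", user, ip, method) for a successful login.
    The dedup set grows for as long as the process runs: fine for a viewing
    session, not for a daemon.
    """
    seen = set()
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                       # CRON, sudo and other non-sshd lines
        pid, msg = m["pid"], m["msg"]
        a = ACCEPTED_RE.match(msg)
        if a:
            yield ("accepted", a["user"], a["ip"], a["method"])
            continue
        for rx in ATTEMPT_RES:
            h = rx.match(msg)
            if h:
                key = (pid, h["user"], h["ip"], h["port"])
                if key not in seen:
                    seen.add(key)
                    yield ("attempt", h["user"], h["ip"], int(h["port"]))
                break


def tally(text):
    """Summarise a chunk of log text: (username Counter, source-IP Counter, accepted logins)."""
    users, ips, accepted = Counter(), Counter(), []
    for ev in iter_events(text.splitlines()):
        if ev[0] == "attempt":
            users[ev[1]] += 1
            ips[ev[2]] += 1
        else:
            accepted.append((ev[1], ev[2], ev[3]))
    return users, ips, accepted


if __name__ == "__main__":
    # Streaming mode: print each attempt as it arrives plus a running top 5 of usernames.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    users = Counter()
    for ev in iter_events(source):
        if ev[0] == "attempt":
            users[ev[1]] += 1
            print(f"attempt  user={ev[1]!r:14} from {ev[2]}:{ev[3]}  top: {users.most_common(5)}")
        else:
            print(f"ACCEPTED user={ev[1]} from {ev[2]} via {ev[3]}")
```

Run it with no input and it walks the built-in sample; pipe the same tail you already use into it (sudo tail -F /var/log/auth.log | python3 sshd_tally.py, or /var/log/secure on Oracle Linux) and it prints each attempt as it lands. If a distro writes only to the journal, journalctl -f -u ssh (Debian/Ubuntu) or journalctl -f -u sshd (Oracle Linux) produces the same line format and pipes the same way. The dedup key is (sshd pid, user, ip, port) because sshd logs two or three lines per failed connection; counting raw lines roughly doubles the per-user numbers.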
 


I used to have a book called Honeypots years ago. The book is probably out of date now, but if you aren't familiar, a honeypot is a system or VM that is meant to interact with a hacker to make them think they're hacking your system, but it doesn't actually let them do anything harmful. The basic idea for a home user is to set up port forwarding to a sandboxed system.
It was really interesting to look at the network traffic and see how quickly something would come sniffing around.
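To make the "interacts with them but lets them do nothing harmful" idea concrete, here is an added example (not from the reply above or from the book it mentions): a low-interaction TCP honeypot in Python that accepts a connection, sends a fake SSH banner, records who connected and the first bytes they sent, and hangs up. The banner string is an arbitrary assumption, the port is whatever the OS hands out (in real use you would pick the port your router forwards), and the probe() function only exists so the block can play scanner against itself.

```python
"""Low-interaction TCP honeypot: look like a service, record who knocked, hang up.

Added example for this thread, not from any real honeypot project. Forward a
router port to this process on a throwaway VM, never on a box that runs
anything you care about: it is a recorder, not a protection.
"""
import socket
import threading
import time
from datetime import datetime, timezone

# Assumption: any plausible SSH identification string will do; scanners
# compare it against version lists, and what they send back is worth reading.
BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"


class BannerHoneypot:
    """Accepts connections, sends BANNER, stores the first bytes received.

    Nothing received is parsed, executed or echoed; the only state that
    survives a connection is the tuple appended to self.records.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=BANNER,
                 max_bytes=256, client_timeout=3.0):
        self.banner, self.max_bytes, self.client_timeout = banner, max_bytes, client_timeout
        self.records = []                  # (utc_iso, peer_ip, peer_port, first_bytes)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))       # port=0 lets the OS pick a free one
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._srv.close()                  # unblocks accept() in the serving thread
        self._thread.join(timeout=2)

    def wait_for_records(self, n, timeout=3.0):
        """Block until at least n connections have been recorded, or timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= n:
                    return list(self.records)
            time.sleep(0.02)
        with self._lock:
            return list(self.records)

    def _serve(self):
        self._srv.settimeout(0.2)          # so the loop notices _stop
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:                # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        data = b""
        try:
            conn.settimeout(self.client_timeout)
            conn.sendall(self.banner)
            data = conn.recv(self.max_bytes)   # kept as opaque bytes, never interpreted
        except OSError:
            pass                           # slow or rude client: record an empty payload
        finally:
            conn.close()
        with self._lock:
            self.records.append((datetime.now(timezone.utc).isoformat(), peer[0], peer[1], data))


def probe(port, payload, host="127.0.0.1"):
    """Play scanner: connect, read the banner, send a client banner back."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = BannerHoneypot().start()
    print(f"honeypot listening on 127.0.0.1:{hp.port}; probing it locally")
    print("scanner saw banner:", probe(hp.port, b"SSH-2.0-libssh_0.9.6\r\n"))
    for ts, ip, port, first in hp.wait_for_records(1):
        print(f"{ts} {ip}:{port} sent {first!r}")
    hp.stop()
```

The whole point of the design is that the handler has exactly one code path: send a fixed string, read a bounded number of bytes, close. There is no command to run and no file to serve, so the worst a visitor can do is fill the records list, which is why a real deployment still belongs on a sandboxed VM behind the port forward, as the reply says.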
 
