Am I being targeted?

I know, I know, this looks like a very clickbait-y title but hear me out:
(it is not anymore, don’t want to pursue any kind of stereotype)

I’ve set up a container lately that’s open to the internet. It’s secured and it’s reachable on a different port from the default the service uses. But I’ve seen these connections appearing in the container logs:

<W>2021-03-11 13:08:38.725 1 => <6:(-1)> New connection: 92.63.197.18:58910
<W>2021-03-11 13:08:38.737 1 => <6:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:08:38.833 1 => <7:(-1)> New connection: 92.63.197.18:34938
<W>2021-03-11 13:08:38.846 1 => <7:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:47:34.826 1 => <8:(-1)> New connection: 92.63.197.12:58166
<W>2021-03-11 13:47:34.846 1 => <8:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:47:34.941 1 => <9:(-1)> New connection: 92.63.197.12:44180
<W>2021-03-11 13:47:34.961 1 => <9:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 14:37:34.546 1 => <10:(-1)> New connection: 92.63.197.16:41824
<W>2021-03-11 14:37:34.558 1 => <10:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 14:37:34.654 1 => <11:(-1)> New connection: 92.63.197.16:42908
<W>2021-03-11 14:37:34.668 1 => <11:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 15:17:31.319 1 => <12:(-1)> New connection: 185.156.73.31:59664
<W>2021-03-11 15:17:31.332 1 => <12:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 15:17:31.427 1 => <13:(-1)> New connection: 185.156.73.31:60924
<W>2021-03-11 15:17:31.443 1 => <13:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 15:44:45.393 1 => <14:(-1)> New connection: 92.63.197.9:48518
<W>2021-03-11 15:44:45.414 1 => <14:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 15:44:45.506 1 => <15:(-1)> New connection: 92.63.197.9:49666
<W>2021-03-11 15:44:45.518 1 => <15:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-12 02:28:14.212 1 => <16:(-1)> New connection: 45.93.201.126:63058
<W>2021-03-12 02:28:14.227 1 => <16:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-12 06:43:45.692 1 => <17:(-1)> New connection: 45.93.201.126:63726
<W>2021-03-12 06:43:45.708 1 => <17:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-12 19:51:17.956 1 => <2:(-1)> New connection: 185.156.72.10:61866
<W>2021-03-12 19:51:17.972 1 => <2:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]

I tried to look into what these IPs are but they’re surely spoofed in some way because a couple of services I looked at pointed them to different sources.
Now coming to the big question: should I be worried? Should I get a new DNS name?

Surely there is a load of random servers scanning for easy targets. Were there any successful logins?

Were there any sustained repeat attempts to enter, as if trying to brute force access with default-style credentials?

I would not be worried with 100 or so knocks on the door a day.

It’s the one that quietly gets in…

4 Likes

Nope, they’re impossible since the service is set up with a certificate to log in. It’s not possible to log in any other way.

Yeah, that’s the worrying thing. So far there’s no trace of anyone getting in.

It’s not uncommon for my services to see tens if not hundreds of thousands of failed login attempts every day, from services varying from SMTP to SSH to web applications.

Just block anyone who knocks more than a few hundred times and move on. I like Fail2Ban but whichever works for you.

2 Likes

So I should have a jail for every application in order to autoban IPs? I need to get on it since I’ve only used the pre-made jails and never wrote one myself. Thanks for the suggestion!

Specifically? Not likely.

Generally? Hell yes, with the Chinese right alongside them.

2 Likes

And probably a bunch of Americans and Europeans too.

5 Likes

I was having something screwy go on with PIA. My PIA was supposedly connected to US East, New York, but my IP was determined to be from Ukraine; it was similar to the IP you posted. What set me off to even look into it was that YouTube kept defaulting to Ukraine for me. Now it apparently is not doing that. But I don’t know if my PIA install is malicious/fraudulent now. Or something else.

It’s usually best to assume that just about anything that’s public facing is going to get random pings from random places almost immediately. I’ve seen it happen with brand new VMs within a half hour of them being spun up.

1 Like

There is no way whatsoever for an individual to determine the country of origin of the human responsible for launching or authorising a probe or attack over the Internet.

Tracerouting back to the visible IP address is something they do in movies, and does not work in the real world.

Any cracker with even a single functioning brain cell will use a botnet to remote launch probes and attacks. Heck, botnets are such a commodity item nowadays that even script-kiddies can make use of them. Thus the IP address you see is usually a compromised machine in a random, or deliberately selected, part of the world.

Since crackers always minimise legal risk as much as possible, the most common tactic is to use botnet devices in countries that do not have an extradition treaty with the country that is being targeted by the attack.

To have any real chance of actually tracing an attack, a government or supranational authority needs to have log-level access to ALL of the intervening routers involved in the connection. Since governments with no extradition treaties do not share logs, that simply means crackers gain a tremendous amount of security merely by routing their attacks across a border into or through such countries.

Of course, once a cracker has access to a botnet, the botnet is then used to compromise even more machines, and once enough machines are compromised an attack can be relayed through an arbitrarily complex sequence of nodes so that — even if multi-governmental cooperation is somehow obtained and a trace is managed — the Internet cafe that over-writes their security camera footage on a weekly basis has long since lost the ability to put a face to a number.

Of course, anyone with security training or experience knows this, and has known this for at least the last quarter century. So when a talking head appears on TV and blames “hackers in another country” for some attack, you can be 100% sure they are talking shit. The only cracks that ever get properly traced are initiated from, routed entirely through, and targeted at, member states that all share extradition treaties — so are (usually) considered allies.

tl;dr: Please stop regurgitating and reinforcing the biases created by propaganda from your own government. The Russians aren’t responsible. If you believe traceroute then you are being successfully misdirected. It’s far more likely that you are being targeted by a citizen in a friendly nation. Regardless, unless the attacker is completely and utterly incompetent, there is no way to find out for sure.

PS: The last time we were able to definitively pin an attacker was back in ~1998. Our Australian server was being directly targeted by a 16-year-old script-kiddie during their lunch break in a Canadian high school. Those days are long gone. The trade has become much more sophisticated in the time since then.

2 Likes

Hey, guess what I’m not from the US. No propaganda whatsoever has ever been done in my country against Russia. I can say it’s almost quite the opposite. Why would you waste so much time teaching me moral stuff and technical stuff (which I was aware of) that nobody asked for?

I said “Russians” but that’s just what a reverse lookup gave me the first time. It’s just for the sake of a title, that’s it. Thanks for reminding me that we live in 2021.

I don’t care whoever tries to break into my shit, I’m just new to putting my own services online and I wanted to know what’s going on, why was I pinged so fast.

@redocbew @Zibob @Log Yeah, I got caught by surprise to be fair. I’m new to self hosting so I wasn’t expecting all this traffic right away for something that isn’t even that special, like a Nextcloud instance for example. Thanks for reassuring me guys, y’all good eggs my dudes.

1 Like

I’ve heard it said that the non-human things on the Internet now outnumber the humans, so yeah it’s like the network equivalent of dogs butt-sniffing each other.

1 Like

I didn’t mention the US at all. I did give you a technical explanation because it directly answers the question in the title of your thread.

If you actually knew that there was no way to assert the country of origin, then you shouldn’t have speculated in the title. “Am I being specifically targeted?” would have been adequate. Why insinuate evil-doing by people of a specific country when you have no proof?

All the other guys already explained why it was unlikely you were being specifically targeted. There was no point me doing the same thing. What none of them addressed was the issue of the origin of the attack — as claimed/questioned in the title you wrote — so that’s what I did. You didn’t mention anything about speed in your OP.

Everyone here is trying to help you understand something you clearly don’t understand.

Maybe better to steer clear of “clickbait-y” titles in future, eh?

1 Like

You know, I just want to drop this conversation because we’re not communicating right now, we’re just “yelling” at each other online.

You’re offended by what I said and that’s not what I wanted. I was just concerned and I rushed when I wrote this post.

Next time I’ll be more cautious and you’ll be less touchy, okay?

1 Like

You’ll get bots, that just happens. When I was running the bbs I had ppl connect and try

Usr
pswd

Admin
god

Root
Root

All the time. Wouldn’t do anything, that’s not how you sign into a bbs, but they tried I guess.

1 Like

Are you 12? Go to the lounge and do this shit.

1 Like

@MetalizeYourBrain keep logging, not only passwords but successful connections too.
One day you can probably do some kind of statistical analysis for fun.
… Or, you may come up with a way to answer the question of whether they managed to bypass your client side cert somehow or not, based off of your logs.

1 Like
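The two suggestions above (count the knocks per source and auto-ban the noisy ones, and keep logging so the logs can answer whether anyone ever got past the client certificate) can both be checked against the log format posted in the thread. The script below is an added example, not code from the original post or from the Mumble project: it parses murmur-style lines, correlates each "Connection closed" line (which carries no address) with the "New connection" line that shares its session id, tallies per-IP and per-/24 counts, and applies a fail2ban-style maxretry/findtime threshold. The sample log is constructed; the "Authenticated" success line is an assumed format, so adjust it to whatever your server actually logs on a successful login.

```python
"""Summarise murmur-style connection logs: who knocked, who failed the
TLS handshake, and who actually got past authentication (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample shaped like the lines in the thread. The two
# "<10:alice(1)> Authenticated" lines are an ASSUMED success format.
SAMPLE_LOG = """\
<W>2021-03-11 13:08:38.725 1 => <6:(-1)> New connection: 92.63.197.18:58910
<W>2021-03-11 13:08:38.737 1 => <6:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:08:38.833 1 => <7:(-1)> New connection: 92.63.197.18:34938
<W>2021-03-11 13:08:38.846 1 => <7:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:09:02.100 1 => <8:(-1)> New connection: 92.63.197.18:40001
<W>2021-03-11 13:09:02.115 1 => <8:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 13:47:34.826 1 => <9:(-1)> New connection: 92.63.197.12:58166
<W>2021-03-11 13:47:34.846 1 => <9:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
<W>2021-03-11 14:00:00.000 1 => <10:(-1)> New connection: 198.51.100.7:50000
<W>2021-03-11 14:00:00.400 1 => <10:alice(1)> Authenticated
<W>2021-03-12 19:51:17.956 1 => <2:(-1)> New connection: 185.156.72.10:61866
<W>2021-03-12 19:51:17.972 1 => <2:(-1)> Connection closed: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number [13]
"""

LINE_RE = re.compile(
    r"^<W>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \d+ => "
    r"<(?P<sid>\d+):[^>]*> (?P<msg>.*)$"
)
NEW_RE = re.compile(r"^New connection: (?P<ip>[\d.]+):\d+$")


def parse_events(text):
    """Yield (timestamp, ip, kind) with kind in {'new', 'handshake_fail', 'auth'}.
    'Connection closed' lines carry no address, so the session id in <N:...>
    is used to look up the IP recorded by the matching 'New connection'."""
    session_ip = {}  # session id -> most recent IP (ids get reused, see <2> above)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        sid, msg = m["sid"], m["msg"]
        nm = NEW_RE.match(msg)
        if nm:
            session_ip[sid] = nm["ip"]
            yield ts, nm["ip"], "new"
        elif sid in session_ip:
            if "Error during SSL handshake" in msg:
                yield ts, session_ip[sid], "handshake_fail"
            elif msg == "Authenticated":  # assumed success line
                yield ts, session_ip[sid], "auth"


def summarise(text):
    """Per-IP counters: knocks, TLS-layer failures, successful authentications."""
    stats = defaultdict(lambda: {"new": 0, "handshake_fail": 0, "auth": 0})
    for _, ip, kind in parse_events(text):
        stats[ip][kind] += 1
    return dict(stats)


def ban_candidates(text, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style threshold: an IP is flagged the first time it reaches
    `maxretry` handshake failures inside a sliding window of `findtime`.
    Returns {ip: timestamp at which the threshold was crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, kind in parse_events(text):
        if kind != "handshake_fail":
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


def by_prefix(stats, prefix_len=24):
    """Roll per-IP knock counts up to a prefix, so a scanner hopping across a
    block (92.63.197.9, .12, .16, .18 in the thread) shows up as one source."""
    totals = defaultdict(int)
    for ip, counts in stats.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[str(net)] += counts["new"]
    return dict(totals)


def authenticated_ips(stats):
    """The question the logs should answer: which sources ever got past
    the certificate handshake and authenticated?"""
    return sorted(ip for ip, c in stats.items() if c["auth"] > 0)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip, c in sorted(s.items()):
        print(f"{ip:16} new={c['new']} tls_fail={c['handshake_fail']} auth={c['auth']}")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
    print("per /24:", by_prefix(s))
    print("authenticated:", authenticated_ips(s))
```

One caveat for anyone turning this into a fail2ban jail: fail2ban matches each log line on its own and needs the `<HOST>` token on the line it matches. In this format the address only appears on the "New connection" line, so a single-line failregex would count connection attempts rather than handshake failures; the session-id correlation above is what recovers the distinction.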

This is a really interesting idea. Maybe not risking my main instance of this application, but setting up one like this on the default port might make it worthy of a long-term experiment! I have a spare Pi to do this. Pipe that into a nice grafana dashboard and

To be fair just having the firewall drop connections from that range of IPs has stopped all the people knocking at my door so far.

1 Like