Digital Ocean, can you stop brute forcing our IPs?

March 3, 2018
Security CentOS

Our whole /19 of IPs is getting brute force attacks from Digital Ocean IPs every single day. The worst thing is that those kids know you guys don't care much.

What a good deal? You get a US IP that is hackable anywhere in the USA.

Abuse reporting does not help.

Are you guys brainless to let those happen in the USA? Seriously, I don't know if you guys are full of UK in the NY office, so don't bother to break the environment of other nations.

You guys are the most prominent backdoor in the state.

3 Answers

What is your question for the DigitalOcean community?

  • How to mangle output route to stop brute force so Digital Ocean staff applies to their droplet made for kids?

I have been having these attacks for weeks, as shown for the last two days below. Abuse@digitalocean.com is either overwhelmed or understaffed, or both. My solution as of today is to block their entire domain 107.170.0.0/16, since they have no valid reason to be accessing my servers.

["May 5 14:56:15 wbofw sshd[22084]: Connection from 107.170.231.42 port 58873 on 96.10.34.34 port 22",
"May 5 14:56:19 wbofw sshd[22084]: User root from 107.170.231.42 not allowed because not listed in AllowUsers",
"May 5 14:56:19 wbofw sshd[22084]: input_userauth_request: invalid user root [preauth]",
"May 5 14:56:19 wbofw sshd[22084]: Received disconnect from 107.170.231.42 port 58873:11: Normal Shutdown, Thank you for playing [preauth]",
"May 5 14:56:19 wbofw sshd[22084]: Disconnected from 107.170.231.42 port 58873 [preauth]"]
["May 5 16:03:24 wbofw sshd[27194]: Connection from 107.170.249.235 port 56651 on 96.10.34.40 port 22",
"May 5 16:03:24 wbofw sshd[27194]: Invalid user ubuntu from 107.170.249.235 port 56651",
"May 5 16:03:24 wbofw sshd[27194]: input_userauth_request: invalid user ubuntu [preauth]",
"May 5 16:03:25 wbofw sshd[27194]: Received disconnect from 107.170.249.235 port 56651:11: Normal Shutdown, Thank you for playing [preauth]",
"May 5 16:03:25 wbofw sshd[27194]: Disconnected from 107.170.249.235 port 56651 [preauth]"]
["May 5 16:22:56 wbofw sshd[28535]: Connection from 107.170.249.235 port 42680 on 96.10.34.34 port 22",
"May 5 16:22:57 wbofw sshd[28535]: Invalid user mysql from 107.170.249.235 port 42680",
"May 5 16:22:57 wbofw sshd[28535]: input_userauth_request: invalid user mysql [preauth]",
"May 5 16:22:57 wbofw sshd[28535]: Received disconnect from 107.170.249.235 port 42680:11: Normal Shutdown, Thank you for playing [preauth]",
"May 5 16:22:57 wbofw sshd[28535]: Disconnected from 107.170.249.235 port 42680 [preauth]"]
["May 6 04:22:29 wbofw sshd[13883]: Connection from 107.170.105.164 port 54472 on 96.10.34.40 port 22",
"May 6 04:22:56 wbofw sshd[13883]: Invalid user lian from 107.170.105.164 port 54472",
"May 6 04:22:56 wbofw sshd[13883]: input_userauth_request: invalid user lian [preauth]",
"May 6 04:22:56 wbofw sshd[13883]: Received disconnect from 107.170.105.164 port 54472:11: Bye Bye [preauth]",
"May 6 04:22:56 wbofw sshd[13883]: Disconnected from 107.170.105.164 port 54472 [preauth]"]
["May 6 10:06:30 wbofw sshd[8221]: Connection from 107.170.172.23 port 53235 on 96.10.34.40 port 22",
"May 6 10:06:35 wbofw sshd[8221]: Address 107.170.172.23 maps to www.thethinktankers.in, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
"May 6 10:06:35 wbofw sshd[8221]: User ftp from 107.170.172.23 not allowed because not listed in AllowUsers",
"May 6 10:06:35 wbofw sshd[8221]: input_userauth_request: invalid user ftp [preauth]",
"May 6 10:06:35 wbofw sshd[8221]: Received disconnect from 107.170.172.23 port 53235:11: Normal Shutdown, Thank you for playing [preauth]",
"May 6 10:06:35 wbofw sshd[8221]: Disconnected from 107.170.172.23 port 53235 [preauth]"]

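An added example, not part of the answer above or of any DigitalOcean tooling: a Python parser for sshd lines in the log format shown, counting rejected logins per source IP and per covering network so that a range block such as the /16 mentioned can be weighed against actual counts. The function names, the threshold and the sample lines (documentation address ranges) are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# The two rejection forms sshd writes in the log format shown above (IPv4 only).
REJECTED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|User (?P<u2>\S+) from (?P<ip2>[\d.]+) not allowed because not listed in AllowUsers)"
)

def rejected_logins(lines):
    """Yield (source_ip, username) for each rejected-login line."""
    for line in lines:
        m = REJECTED.search(line)
        if m:
            yield m.group("ip1") or m.group("ip2"), m.group("u1") or m.group("u2")

def summarize(lines, prefix=16, threshold=3):
    """Return (per_ip, noisy): per_ip counts rejections per source IP; noisy maps
    each /prefix network with >= threshold rejections to (attempts, source IPs)."""
    per_ip = Counter(ip for ip, _user in rejected_logins(lines))
    attempts, sources = Counter(), {}
    for ip, n in per_ip.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        attempts[net] += n
        sources.setdefault(net, set()).add(ip)
    noisy = {net: (n, len(sources[net])) for net, n in attempts.items() if n >= threshold}
    return per_ip, noisy

# Constructed sample lines using documentation address ranges (not from the page).
SAMPLE = [
    "May 5 14:56:15 host sshd[101]: Connection from 203.0.113.42 port 58873 on 192.0.2.10 port 22",
    "May 5 14:56:19 host sshd[101]: User root from 203.0.113.42 not allowed because not listed in AllowUsers",
    # The follow-up line repeats the same event and must not be counted twice.
    "May 5 14:56:19 host sshd[101]: input_userauth_request: invalid user root [preauth]",
    "May 5 16:03:24 host sshd[102]: Invalid user ubuntu from 203.0.113.235 port 56651",
    "May 5 16:22:57 host sshd[103]: Invalid user mysql from 203.0.113.235 port 42680",
    "May 6 04:22:56 host sshd[104]: Invalid user lian from 198.51.100.164 port 54472",
    "May 6 04:22:56 host sshd[104]: Disconnected from 198.51.100.164 port 54472 [preauth]",
]

if __name__ == "__main__":
    per_ip, noisy = summarize(SAMPLE)
    for net, (n, srcs) in noisy.items():
        print(f"{net}: {n} rejected logins from {srcs} source IPs")
```

Running the same summary at a narrower `prefix` (for example 24) shows whether the sources cluster in a few small ranges before a whole /16 is blocked.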