Question

How to tell if an IP is a hacker or one of Digital Ocean's?

I was looking at the auth.log and noticed a login using my alex account but with an IP address that is not mine. I contacted DO about this and got this response:

“I wanted to assure you that while the IP address does belong to DigitalOcean, it is not in use by any users, so this is not a hacking attempt, but general internal use. In other words, this is not evidence that your new Droplet has been hacked. I hope this reassures you.”

How can it be that DO uses some “internal use” IP address to login with my personal user account? Wouldn’t they have their own user account if they needed to login to my droplet to be able to create the realtime usage graphs in the control panel?

This is confusing and a bit worrisome. Besides, how am I ever supposed to know if a real hacker is logging in, or if it’s just DO?



alexdo
Site Moderator
July 11, 2023

Heya,

When DigitalOcean collects metrics for your droplet, the process may appear as a login attempt in the logs. This is because DigitalOcean collects these metrics by performing a ‘read-only’ access to your droplet. This is done strictly for maintaining the functionality of your droplet and providing you with accurate usage graphs.

Please note, though it may appear as a login attempt under your username in auth.log, no actual login under your username was made.

Have in mind that you can always reach out to our support team in case you have any security concerns about your account or droplet.

As for your concern about differentiating between a real hacking attempt and these internal processes, you’ll want to pay attention to other warning signs. These can include unknown users, changes in file permissions, unauthorised software changes, etc.

If you find these signs, it might be evidence of an intrusion. In such cases, I would recommend changing your passwords immediately, reviewing any new accounts that have been created, checking installed programs, and restoring from a clean backup.

Hope that this helps!

KFSys
Site Moderator
July 11, 2023

Hey @spendlove,

It’s important to remember that DigitalOcean, like other cloud service providers, has automated systems that interact with your droplet for management purposes. These systems might use IP addresses belonging to DigitalOcean, which could explain the log entries you’re seeing.

However, these internal systems would typically not be using your user account to log in. Instead, they would use their own system-level accounts that are separate from any user accounts you’ve created on your droplet.

If you see entries in your logs that suggest your user account is being used to log in from a DigitalOcean IP address, that might indicate that something unusual is happening. However, it might not necessarily be malicious — it could be due to some sort of system-level operation that you’re not aware of, or even a bug in DigitalOcean’s software.

If you’re concerned about this, here are a few steps you can take to improve the security of your droplet:

  1. Use SSH Keys: If you’re not already using them, SSH keys are a more secure alternative to password-based logins.

  2. Enable Two-Factor Authentication (2FA): This adds an extra layer of security by requiring a second form of verification in addition to your password.

  3. Monitor Your Logs: Keep an eye on your logs for any suspicious activity. If you see repeated login attempts from an unfamiliar IP address, that could be a sign of a brute-force attack.

  4. Firewall and Security Groups: Make sure you’ve properly configured your firewall and security groups to only allow traffic from trusted sources.

  5. Regular Updates: Regularly update your system and installed software to the latest versions to patch any known security vulnerabilities.

Lastly, you should reach out to DigitalOcean support again for clarification if you’re still concerned about this. They might be able to provide more specific information about what might have caused the log entries you’re seeing.
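Both answers above come down to the same check: an `Accepted` line in auth.log means a session really opened, whoever owns the source address, while metrics collection and brute-force noise show up as non-accepted or `Failed` lines. The script below is an added example (not DigitalOcean's tooling or either moderator's code) that triages sshd entries accordingly: it flags successful logins from addresses outside an allowlist you maintain and counts failures per source IP. The sample log lines and the `MY_IPS` allowlist are constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# sshd "Accepted"/"Failed" lines as written to /var/log/auth.log on Debian/Ubuntu.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def triage(log_text, trusted_ips, fail_threshold=5):
    """Return (unexpected_accepts, brute_force_ips).

    unexpected_accepts: (user, ip, method) for every *successful* login whose
    source IP is not in trusted_ips; an Accepted line means a session really
    opened, whoever owns the address.
    brute_force_ips: source IPs with at least fail_threshold failed attempts.
    """
    unexpected, failures = [], Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd authentication event
        if m["result"] == "Accepted":
            if m["ip"] not in trusted_ips:
                unexpected.append((m["user"], m["ip"], m["method"]))
        else:
            failures[m["ip"]] += 1
    brute = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return unexpected, brute

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jul 11 09:01:02 droplet sshd[1201]: Accepted publickey for alex from 203.0.113.10 port 51022 ssh2: RSA SHA256:abc
Jul 11 09:05:44 droplet sshd[1240]: Accepted password for alex from 198.51.100.7 port 40110 ssh2
Jul 11 09:06:01 droplet sshd[1252]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 11 09:06:03 droplet sshd[1252]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 11 09:06:05 droplet sshd[1253]: Failed password for invalid user admin from 192.0.2.55 port 33002 ssh2
Jul 11 09:06:07 droplet sshd[1254]: Failed password for invalid user test from 192.0.2.55 port 33003 ssh2
Jul 11 09:06:09 droplet sshd[1255]: Failed password for alex from 192.0.2.55 port 33004 ssh2
Jul 11 09:07:00 droplet sshd[1260]: Failed password for alex from 203.0.113.10 port 51030 ssh2
"""
MY_IPS = {"203.0.113.10"}  # assumed: the addresses you normally connect from

if __name__ == "__main__":
    accepts, brute = triage(SAMPLE_LOG, MY_IPS)
    for user, ip, method in accepts:
        print(f"ALERT: {method} login as {user} from unlisted IP {ip}")
    for ip in brute:
        print(f"WARN: {ip} has repeated failures (possible brute force)")
```

Run it against your own file with `triage(open("/var/log/auth.log").read(), MY_IPS)`; a password `Accepted` entry from an address you do not recognise is the case worth escalating, regardless of whose netblock it falls in.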
