By sauufimotion
We receive an email with a notice, that our ip has participated in brute-force activity, We are ssh tunneling service providers, and like someone has used our service to do brute-force activity. What we have to do.
this email from DigitalOcean
Hi there,
We’ve received a notification that one or more of your Droplets at 128.199.194.42 is participating in Brute-force activities. Please note that we may be required to take further action to prevent additional attacks, up to and including suspension of your Droplet. Should we take this step, we'll send an additional email notifying you that we have done this.
You can review the most recent report(s) we received at https://digitalocean.abusehq.net/share/EsFsAYXaHHit-BM2C2aozLPJJYPimxcxk1nednrN82I .
Additionally, you can review the abuse history of this incident at https://digitalocean.abusehq.net/share/RTiVbusRB3SP4GEi-Uj_AQ .
To resolve this matter, you’ll need to review the Droplet to determine the cause of the traffic. The system and application error and access logs may include additional details that could provide more insight on this. Additionally, reviewing your active processes could point to the responsible PID.
Once you’ve discovered the cause, please update this ticket letting us know what you determined to be the cause of the issue, how you resolved it, and what steps you took to prevent further events of a similar nature.
If you have any questions regarding this matter, please let us know.
Regards,
Trust & Safety,
Digital Ocean Support
ref:_00Do0IjOV._5001NRkqa6:ref
thank you Sauufi team. Inc
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Log users actions and then act upon blacklisting the user from your services. If you’re running a service that allows others access to your servers then this is something you’ll have to deal with on a daily basis (depending on its popularity). You could probably automate a script to ban a user if they show any signs of bruteforcing.
We do not know how to lock users, our ssh service can be used by everyone, so it’s unlikely to find users who do that
You can help how to block this ip He uses our squid proxy to connect 168.95.6.55:25
1502823946.434 60622 220.129.157.109 TCP_MISS/503 0 CONNECT 168.95.6.55:25 - DIRECT/168.95.6.55 -
1502823946.434 60622 220.129.157.109 TCP_MISS/503 0 CONNECT 168.95.6.52:25 - DIRECT/168.95.6.52 -
1502823946.434 60622 220.129.157.109 TCP_MISS/503 0 CONNECT 168.95.5.17:25 - DIRECT/168.95.5.17 -
1502823946.434 60622 1.162.224.164 TCP_MISS/503 0 CONNECT 168.95.6.64:25 - DIRECT/168.95.6.64 -
1502823946.434 60622 1.162.224.164 TCP_MISS/503 0 CONNECT 203.69.82.35:25 - DIRECT/203.69.82.35 -
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.