DO Ideas 2

Watch outbound ssh traffic for criminals

A digital ocean hosted server just tried to crack my web server.

There is **NO REASON ANY** hosted server should be making outbound SSH connections more than once an hour or to more than 10 hosts an hour OR ever use different usernames to ssh!

Any digital ocean server that does this should be blocked immediately until the customer contacts you to justify this activity.

  • Duane Smeckert
  • Sep 11 2018
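The three rules in the post above, written out as a detection sketch. This is an added example, not code from the original post or from DigitalOcean; the flow records, log lines, function names and thresholds are all constructed or assumed. Two caveats a practitioner would want: the "different usernames" rule cannot be checked by a provider from network traffic, because the SSH username travels inside the encrypted session, so the second function works on the attacked server's sshd log instead; and the post's "once an hour" default would also flag routine git-over-SSH, backup and configuration-management traffic, so the thresholds are parameters and the usage shows a looser setting.

```python
"""Outbound-SSH abuse heuristics over flow records and sshd auth logs.

Added example; not code from the original post or from DigitalOcean.
All input below is constructed. Function names and thresholds are assumptions.
"""
import re
from collections import defaultdict

SSH_PORT = 22
WINDOW_SECONDS = 3600  # every rule in the post is "per hour"

# Constructed flow records as a provider might export them:
# (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # 10.0.0.5: one connection per hour to a git host; should not be flagged
    (0, "10.0.0.5", "203.0.113.10", SSH_PORT),
    (7200, "10.0.0.5", "203.0.113.10", SSH_PORT),
    # 10.0.0.7: five retries to one backup target within an hour; trips the
    # "once an hour" rule but not the "10 hosts" rule
    (100, "10.0.0.7", "203.0.113.20", SSH_PORT),
    (200, "10.0.0.7", "203.0.113.20", SSH_PORT),
    (300, "10.0.0.7", "203.0.113.20", SSH_PORT),
    (400, "10.0.0.7", "203.0.113.20", SSH_PORT),
    (500, "10.0.0.7", "203.0.113.20", SSH_PORT),
    # a non-SSH flow that must be ignored
    (50, "10.0.0.9", "198.51.100.99", 2222),
] + [
    # 10.0.0.9: twelve distinct hosts in six minutes, the scanner pattern
    (600 + 30 * i, "10.0.0.9", f"198.51.100.{i + 1}", SSH_PORT) for i in range(12)
]


def flag_outbound_ssh(flows, max_conns=1, max_hosts=10, window=WINDOW_SECONDS):
    """Return {src_ip: {"max_conns", "max_hosts", "reasons"}} for sources that,
    in some trailing window, exceed max_conns outbound SSH connections or
    max_hosts distinct SSH destinations. Defaults are the post's thresholds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SSH_PORT:
            per_src[src].append((ts, dst))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        peak_conns = peak_hosts = 0
        start = 0
        for i, (ts, _) in enumerate(events):
            # drop events that fell out of the trailing window
            while events[start][0] <= ts - window:
                start += 1
            in_window = events[start:i + 1]
            peak_conns = max(peak_conns, len(in_window))
            peak_hosts = max(peak_hosts, len({d for _, d in in_window}))
        reasons = []
        if peak_conns > max_conns:
            reasons.append(f"{peak_conns} SSH connections in {window}s (limit {max_conns})")
        if peak_hosts > max_hosts:
            reasons.append(f"{peak_hosts} distinct SSH targets in {window}s (limit {max_hosts})")
        if reasons:
            findings[src] = {"max_conns": peak_conns, "max_hosts": peak_hosts, "reasons": reasons}
    return findings


# Constructed sshd auth-log lines as the attacked server sees them. Usernames are
# visible only here: on the wire they sit inside the encrypted SSH session.
SAMPLE_SSHD_LOG = """\
Sep 11 15:40:01 web sshd[2201]: Invalid user admin from 198.51.100.7 port 51234
Sep 11 15:40:03 web sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Sep 11 15:40:05 web sshd[2203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Sep 11 15:40:09 web sshd[2205]: Invalid user ubuntu from 198.51.100.7 port 51250
Sep 11 15:41:00 web sshd[2210]: Failed password for deploy from 192.0.2.44 port 40000 ssh2
Sep 11 15:41:30 web sshd[2212]: Accepted publickey for deploy from 192.0.2.44 port 40002 ssh2
""".splitlines()

AUTH_FAIL_RE = re.compile(
    r"(?:Invalid user|Failed password for(?: invalid user)?) (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def usernames_per_source(log_lines):
    """Map each client IP to the set of usernames it failed to log in with."""
    users = defaultdict(set)
    for line in log_lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            users[m.group(2)].add(m.group(1))
    return users


def flag_username_spray(log_lines, max_users=1):
    """Sources that tried more than max_users distinct usernames: the post's
    third rule, checkable only on the receiving side."""
    return {ip: sorted(u) for ip, u in usernames_per_source(log_lines).items() if len(u) > max_users}


if __name__ == "__main__":
    print("post's thresholds:", flag_outbound_ssh(SAMPLE_FLOWS))
    print("looser thresholds:", flag_outbound_ssh(SAMPLE_FLOWS, max_conns=5, max_hosts=10))
    print("username spray:", flag_username_spray(SAMPLE_SSHD_LOG))
```

With the post's own thresholds both 10.0.0.7 (the backup host) and 10.0.0.9 (the scanner) are flagged; raising `max_conns` to 5 keeps only the scanner, which is the kind of tuning a provider would have to do before blocking anyone automatically.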
  • Anonymous commented
    September 11, 2018 15:51

    I have blocked every network from Linode at the firewall level. Same with Frantech, Vultr.
    I have not had attacks from EC2 where the host is still up after 24 hours, so I imagine they ARE watching outbound traffic from hosted sites.

    fail2ban does not address the fundamental issue. ANY host on ANY network that makes outbound SSH connections promiscuously is either compromised or owned by criminals.

    If the hosting company does not take responsibility for their users committing crimes, then they are complicit.

    Currently there is no legal recourse, however I could see that changing.

  • Anonymous commented
    September 11, 2018 15:51

    Have you made this post on AWS Uservoice? How about EC2 or Vultr or Linode? How about OVH? Because none of them do what you're asking.

  • Anonymous commented
    September 11, 2018 15:51

    Install fail2ban like the rest of the internet.