On one test site I do run Cowrie (a honeypot server). There it's easy to see that everything that hits the SSH and Telnet ports is not human, but scripts that do the same thing all over.
- Search for open ports
- Find a suitable open server with weak password.
- Download a script/bin file that works for the current OS (x86/arm/arc/mips etc.)
- Try to run the script and install a botnet on your host
This happens 200+ times a day.
So if you have an open port 443/22/21, you need to protect yourself. If not, someone will enter and abuse your system in one way or another.
Good passwords, patching/updating your server, limiting who can access (if that is possible), and port blocking.
By logging everything that one IP tries, you can see that a port scan of some, or in the worst case all, ports is part of the attack.
I also see that many block IPs from Russia and China, but they are small in number compared to the US.
Percentage of IPs blocked per country, last 7 days.
- 10.3% Philippines
- 9.8% South Africa
- 8.2% USA
- 6.9% India
.
.
x. 2.0% China
.
.
Here are just the latest SSH/Telnet attacks.
.

Use Splunk> to log/monitor your MikroTik Router(s). See link below.
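
Added example, not part of the original post: a per-IP summary of honeypot events that shows how far along the scripted sequence described above (login attempts, then commands, then a download) each source got. It assumes Cowrie's JSON log fields `eventid`, `src_ip` and `url`; the log lines, addresses and URL are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Cowrie's JSON log; IPs are documentation ranges.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "a1", "username": "root"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "session": "a1", "username": "root"}
{"eventid": "cowrie.command.input", "src_ip": "192.0.2.10", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.session.file_download", "src_ip": "192.0.2.10", "url": "http://example.invalid/bin.sh"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "admin"}
not json: truncated line
"""

# Cowrie event ids ranked by how far the automated session progressed.
STAGE = {
    "cowrie.session.connect": (0, "connect"),
    "cowrie.login.failed": (1, "login_failed"),
    "cowrie.login.success": (2, "login_success"),
    "cowrie.command.input": (3, "command"),
    "cowrie.session.file_download": (4, "download"),
}

def summarize(lines):
    """Return {src_ip: {"counts": Counter, "furthest": stage name, "urls": [...]}}."""
    report = defaultdict(lambda: {"counts": Counter(), "rank": -1, "furthest": None, "urls": []})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        stage = STAGE.get(event.get("eventid"))
        ip = event.get("src_ip")
        if stage is None or ip is None:
            continue  # event type not tracked here, or no source address
        rank, name = stage
        entry = report[ip]
        entry["counts"][name] += 1
        if rank > entry["rank"]:
            entry["rank"], entry["furthest"] = rank, name
        if name == "download" and "url" in event:
            entry["urls"].append(event["url"])  # worth feeding to a blocklist
    return dict(report)

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, entry["furthest"], dict(entry["counts"]), entry["urls"])
```

Sources whose furthest stage is `login_success` or later are the ones that guessed a password, which is where the good-password and access-limiting advice above applies.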