Who/what is brute forcing OVH SSH logins?
I have 3 servers with OVH right now, two game server and one WireGuard server. My friend who also has some servers with OVH mentioned to me yesterday that he saw a lot of strange IP addresses mainly in East Asia attempting to SSH into his server when he looked at the file /var/log/auth.log . Out of curiosity I checked this file on my 3 servers and on all 3 servers the log was full of similar mysterious IP addresses from East Asia trying to login with invalid usernames. I was confused as to why seemingly every server on OVH's network receives so much traffic from these hosts. It got me curious, what are all these hosts and why are they attempting to gain access to OVH servers? I contacted OVH support and they said they were already aware that some other entity was attacking their servers like this. After seeing these strange connections I stopped listening for SSH on port 22 and changed it to a non standard port, and I have quite the long SSH password anyway so I'm not too worried about becoming a victim of one of these attacks, but it does make me wonder. Are they just trying to gain control of some poorly secured OVH server so that they can have control of a server for their nefarious purposes? Why are they specifically targeting servers on the OVH network as opposed to servers with other providers? How many machines are there, brute forcing OVH server SSH passwords 24/7? Who is the person/people behind this attack? What is the goal? Those of you who also use OVH and/or have experienced something similar or know more about the strange hosts in East Asia please do share your experience.
6 comments
[ 3.7 ms ] story [ 27.1 ms ] thread