Mark Sapiro writes:
> On 1/22/21 4:11 PM, Tom @ Gather wrote:
>> My mail server is on Digital Ocean if that makes any difference.
>
> It may. All of my recent blocks have been DigitalOcean servers including mail.python.org, but I think I've had this in the past from non-DigitalOcean servers.
My (very limited) experience with DigitalOcean is that they harbor bad actors. That's probably only because they're a very large provider, but YMMV (more important, Microsoft's mileage apparently does). Details follow for the curious.
I need to find out who was knocking over my webserver every so often, so I did some cave-diving in the logs. In the process, I discovered that about 95% of vulnerability probes (attempts to access scripts not installed on my server, averaging 5X/day) were coming from DigitalOcean netblocks, almost all of those from something called stretchoid.com. I've blocked the whole /18 where stretchoid lives:
DROP tcp -- 192.241.192.0/18 0.0.0.0/0
Security analysts on the web have different opinions of stretchoid; some classify them as "malicious activity", others seem to think they're some sort of researcher. I think they're a PITA, and there are zero legit connections from that netblock in my logs, so "bye-bye". Now I see unexpected access attempts about 1/5 days. :-)
Oh, and who *was* knocking over my server? It turned out that once a month my employer tried about 9000 different hacks in rapid sequence and it took a couple hours for the backlog to clear, so my students couldn't access their wiki accounts or my schedule page during that period. Blocked connections from the vulnerability probing host, and there have been no black helicopters over my office, so I guess that's that. :-)
Steve
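The log triage Steve describes above (count probe-like 404s, group them by /18, see which netblock dominates) as a small script. This is an added example, not code from the thread; it assumes a combined-format access log, uses "404 for a script-like path" as the probe heuristic, and the sample lines are constructed, with the 192.241.192.0/18 block taken from the post.

```python
import re
import ipaddress
from collections import Counter

# Apache/nginx "combined" access log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from the original post). 192.241.192.0/18 is the
# netblock the post says stretchoid.com lives in; the other addresses are made up.
SAMPLE_LOG = """\
192.241.200.17 - - [22/Jan/2021:16:11:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "-"
192.241.210.5 - - [22/Jan/2021:16:11:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "-"
192.241.250.9 - - [22/Jan/2021:16:11:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [22/Jan/2021:16:12:00 +0000] "GET /schedule.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [22/Jan/2021:16:12:01 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 8192 "-" "-"
198.51.100.3 - - [22/Jan/2021:16:13:00 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "-"
"""

def is_probe(path, status):
    """Same heuristic as the post: a 404 for a script that is not installed here."""
    return status == 404 and re.search(r'\.(php|cgi|asp|aspx|jsp)(\?|$)', path) is not None

def probes_by_netblock(log_text, prefixlen=18):
    """Count probe requests per /prefixlen netblock (Counter keyed by ip_network)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_probe(m['path'], int(m['status'])):
            continue
        # strict=False masks the host bits so every address maps onto its /18
        net = ipaddress.ip_network(f"{m['ip']}/{prefixlen}", strict=False)
        counts[net] += 1
    return counts

def top_netblock_share(log_text, prefixlen=18):
    """Return (netblock, fraction of all probes) for the noisiest netblock, or (None, 0.0)."""
    counts = probes_by_netblock(log_text, prefixlen)
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    net, n = counts.most_common(1)[0]
    return str(net), n / total

if __name__ == "__main__":
    net, share = top_netblock_share(SAMPLE_LOG)
    print(f"{net} accounts for {share:.0%} of probe-like requests")
```

The printed share is the number to sanity-check before dropping a whole netblock: if the same block also shows legitimate 200s in the log, a /18 DROP rule is too coarse.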