Is it normal to see my sites being probed or hacked 24×7?

This is a copy of a post I posted somewhere on the internet as an answer to the above question.


Yes, this is normal. I have some users and clients that have ‘bastion’ hosts on the internet. The primary reason for this is they have the one VPS or VM, and need to run their required services on that one server. Example: It’s common to have WordPress installations on these VM’s so users need port 22 for ssh, port 80 for their web, port 443 for secure web, and mail ports 25 and 587 (I’m nice, I don’t restrict their ability to administrate but I DO butt in and ‘manage’ their mail subsystem if it becomes a problem). I even have some users that expose MySQL port 3306; I’m told it’s necessary to have for replication and backups, but luckily this is rarer.

Point being related to OP (note: Original Poster) in this manner. Yes, if you have an exposed service on the internet it’s going to be attacked incessantly not only by the script kiddies, but there are even some commercial agencies that do this claiming it’s ‘essential’ to log ports for internet wide security, which is dubious at best.

Best solution, imo, is private non-routable network addresses and VPN’s for administration, and poke holes in the firewall for two ports, 80 and 443, and forward the connections to the firewall exposing only those ports on the public address. But I can’t make my users or clients do this.

The biggest culprits out there, in my experience, come from China and Pakistan (not meant as denigration as I have friends who are Chinese and Pakistani; it’s just a lot of attacks come from those countries). Certain portions of netblock 221.x.x.x and 222.x.x.x with /13 or /14 subnet are the biggest offenders. Those run 24x7x365xEvery_Single_Second. I have those subnets permanently firewalled and those alone knock out 20% of the ‘bad’ traffic. You unfortunately can’t block every single ‘bad’ connection that hits your firewall because eventually you’ll have the whole internet blocked.

The firewall takes care of most known or algorithmic attacks, and diligent administration keeps the sites safe. I’ve been administrating internet facing hosts for some time and only once have I had a server compromised, and that oddly enough was a Sun Microsystems Solaris box, which had an unpatched RPC/X Windows based exploit, but that was over 20 years ago.

Would you like to know more? 😉 Leave a comment

Please visit my Patreon page if you’re so inclined or make a donation. Or you can click the coffee cup in the bottom right corner of the screen and Buy Me A Coffee. Thank you!


Leave a Reply

Your email address will not be published. Required fields are marked *