I spun up a fresh VPS yesterday. No domain pointing to it. No services advertised. Just a blank Ubuntu server with SSH open on the default port.
Within 10 minutes, the attacks started.
Not from one person - from automated botnets scanning the entire internet looking for easy targets. In under 24 hours, that single server logged 668 unauthorized access attempts from 13 different attackers.
Here's what I learned.
1. SSH Brute Force is Constant
This is the most common thing you'll see. Bots try thousands of username/password combos hoping you left defaults on.
Top usernames they tried on my server:
- root - 86 attempts
- postgres - 64 attempts
- oracle - 64 attempts
- admin - 44 attempts
- ubuntu - 36 attempts
See the pattern? Default service accounts. If you installed PostgreSQL and never changed the password, you're probably already owned.
Fix: Disable password auth entirely. SSH keys only. Check with grep PasswordAuthentication /etc/ssh/sshd_config
2. Single IPs Will Hammer You
One attacker hit my server 274 times in a few hours. That's not a human - that's a bot running through a credential list.
The scary part? This happens to every public server. Most people just don't see it because they're not looking.
Fix: Use fail2ban or something that auto-blocks repeat offenders. We blocked 9 IPs that crossed our threshold.
3. They Rotate Through Service Accounts
They don't just try root. They go through everything:
- Database accounts - postgres, oracle, mysql
- App accounts - admin, ubuntu, centos
- Dev stuff - test, deploy, git, trading
If any of these exist on your box with weak passwords, you're a target.
Fix: Audit your users. Run cat /etc/passwd | grep -v nologin and remove what you don't need.
4. Attacks Come from Everywhere
My 13 attackers were spread across different countries and hosting providers. Some were compromised servers. Some were dedicated attack boxes.
It's not personal - it's automated. Your IP got scanned, SSH responded, now you're on a list somewhere.
Fix: Move SSH to a non-standard port. Yeah I know, security through obscurity, but it drops like 90% of the automated junk. Or put it behind a VPN.
5. It Happens Way Faster Than You'd Think
10 minutes. That's how long until the first attack after my server came online.
Small businesses always ask "who would target us?" Nobody specifically. But bots don't care who you are. They scan everything.
Fix: Assume you're already being probed. Set up monitoring. Know what's hitting your servers.
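To make "know what's hitting your servers" concrete, here is an added example (not from the original post, and not the author's tool) that tallies failed SSH logins per username and per source IP and flags IPs at or over a threshold, the same idea fail2ban applies. The log lines are constructed, the threshold value is an assumption, and unlike fail2ban it counts over the whole log rather than a time window; on Ubuntu the real input would typically be /var/log/auth.log.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH auth.log format; IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:03 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:09 vps sshd[1207]: Failed password for invalid user postgres from 203.0.113.7 port 40130 ssh2
Jan 10 03:13:44 vps sshd[1215]: Invalid user oracle from 198.51.100.23 port 51514
Jan 10 03:13:46 vps sshd[1215]: Failed password for invalid user oracle from 198.51.100.23 port 51514 ssh2
Jan 10 03:15:02 vps sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 60222 ssh2: ED25519 SHA256:constructed
Jan 10 03:15:30 vps sshd[1233]: Failed password for invalid user admin from 203.0.113.7 port 40188 ssh2
"""

# Match only "Failed password" so the paired "Invalid user" line is not
# double-counted. Anchored at end of line so the IP is the field sshd wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text, threshold=3):
    """Return (attempts per username, attempts per IP, IPs at/over threshold)."""
    users, ips = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            users[m["user"]] += 1
            ips[m["ip"]] += 1
    offenders = sorted(ip for ip, n in ips.items() if n >= threshold)
    return users, ips, offenders

if __name__ == "__main__":
    users, ips, offenders = summarize(SAMPLE_LOG)
    print(f"{sum(ips.values())} failed attempts from {len(ips)} source IPs")
    for user, n in users.most_common(5):
        print(f"  {user} - {n} attempts")
    print("over threshold:", ", ".join(offenders) or "none")
```

With key-only authentication enabled, sshd stops logging "Failed password" lines, so a version for a hardened host would also need to count the "Invalid user" entries.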
Bottom Line
This was one throwaway VPS for less than 24 hours:
668 attempts. 13 attackers. 9 blocked.
Now think about what's hitting your production servers right now. If you don't have visibility into this, you're flying blind.
That's literally why I built Prometheus - I wanted to see this stuff in real-time across all my infrastructure.