If you run a server connected to the internet, you're being attacked right now. Not tomorrow. Not maybe. Right now.
This isn't fear-mongering. It's just how the internet works. Automated bots scan the entire IPv4 address space continuously, probing every IP for weaknesses. The moment your server comes online, it gets found.
We see this constantly in our threat intelligence data. A fresh server with a public IP will receive its first malicious connection attempt within minutes of going live.
The Reconnaissance Phase: Port Scanning
Before an attacker can break in, they need to know what's running. That's where port scanning comes in.
A port scan sends connection requests to a range of ports on your server to see which ones respond. Think of it like a burglar walking down a street, checking every door handle to see which ones are unlocked.
Common scan types include TCP SYN scans, full TCP connect scans, and UDP scans for services like DNS and SNMP. A SYN scan sends only the first packet of the handshake and never completes the connection, so the listening service never sees it and never logs it; only a packet-level tool such as a firewall or IDS will notice. A connect scan completes the handshake, which makes it simpler but leaves a trace in the service's own logs.
What are they looking for? Open SSH on port 22. Databases on 3306, 5432, or 27017. Web servers on 80 and 443. RDP on 3389. Any service that might be misconfigured or running default credentials.
A single attacker can probe thousands of IPs per second. Stateless scanners such as masscan and ZMap can sweep one port across the whole IPv4 space from a single well-connected host in roughly an hour; botnets do the same across many ports.
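The mechanics of a connect scan, as an added example that is not code from the original post. It starts a throwaway listener on 127.0.0.1 (so it runs offline and touches no real target), scans a window of ports around it, and records what the listener sees; because the connect scan finishes the three-way handshake, the probe shows up in the service's accept loop, which is exactly what a SYN scan avoids.

```python
"""Minimal TCP connect scanner against a throwaway local listener.

Added example, not code from the original post. Nothing about the reader's
network is assumed: the target is a listener started inside the script.
"""
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port.

    Returns (port, seen_peers, stop_event). seen_peers fills with every peer
    whose connection reaches accept(), which is what a real service would log.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: the OS picks a free port
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    seen = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            seen.append(peer)  # a connect scan lands here; a SYN scan never would
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen, stop


def connect_scan(host, ports, timeout=0.2):
    """Return the subset of `ports` that accept a full TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0: handshake completed
                open_ports.append(port)
    return open_ports


def demo():
    """Scan a small window around the listener's port; return (port, open, logged)."""
    port, seen, stop = start_listener()
    window = range(max(1, port - 3), port + 4)  # neighbours are almost certainly closed
    found = connect_scan("127.0.0.1", window)
    # the listener logs the probe from its own thread; give it a moment
    deadline = time.time() + 2
    while not seen and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    return port, found, len(seen)


if __name__ == "__main__":
    port, found, hits = demo()
    print(f"listener on {port}; scan found {found}; listener logged {hits} connection(s)")
```

Swap the local listener for a remote host and a full 1-65535 range and this is the reconnaissance described above, minus the speed: a Python loop with a 200 ms timeout is nowhere near masscan, but the on-the-wire behaviour and the log footprint are the same.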
The Break-In Attempt: SSH Brute Force
Once an attacker finds an open SSH port, the brute force begins.
SSH brute force is simple: try username and password combinations until one works. Attackers use massive wordlists of common credentials, leaked password databases, and predictable patterns.
The most targeted usernames we see are root, admin, ubuntu, postgres, oracle, test, guest, and user. For passwords, attackers try 123456, password, admin, root, and variations of the username itself.
A single bot might try five to ten combinations per second. Distributed botnets can attempt thousands per minute from hundreds of different IPs, which makes per-IP rate limiting on its own ineffective.
Most servers with any protection block an IP after a few failed attempts. Attackers adapted. Modern botnets rotate through thousands of IPs, trying just two or three passwords from each before moving on, so no single source ever crosses a ban threshold. By the time one IP gets blocked, another takes over. The campaign is only visible when you look at the aggregate: many sources, each quiet, all hammering the same handful of accounts in the same window.
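What that aggregate view looks like in practice, as an added example that is not code from the original post. It parses OpenSSH "Failed password" lines from auth.log, applies a fail2ban-style per-IP rule (here called per_ip_ban, standing in for fail2ban's maxretry), and then runs a second check that per-IP banning never performs: counting distinct sources that each stay under the threshold while together producing a burst of failures. All log lines are constructed (TEST-NET addresses, a fake hostname).

```python
"""SSH brute-force detection over auth.log, including the distributed low-and-slow pattern.

Added example, not code from the original post. SAMPLE_LOG is constructed and
mimics OpenSSH's "Failed password" line format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def _line(ts, user, ip, invalid=False):
    """Build one constructed auth.log line in OpenSSH's format."""
    who = f"invalid user {user}" if invalid else user
    return f"{ts:%b %d %H:%M:%S} web1 sshd[2231]: Failed password for {who} from {ip} port {40000 + ts.second} ssh2"


_BASE = datetime(2024, 1, 10, 3, 14, 0)
SAMPLE_LOG = []
# one lone typo from a legitimate admin, an hour earlier
SAMPLE_LOG.append(_line(_BASE - timedelta(hours=1), "deploy", "192.0.2.10"))
# a classic single-source brute force: 8 guesses in 8 seconds
for k in range(8):
    SAMPLE_LOG.append(_line(_BASE + timedelta(seconds=60 + k), "root", "198.51.100.7"))
# a distributed campaign: 12 hosts, 3 guesses each, all under a 5-try ban threshold
for k in range(12):
    for n, user in enumerate(("root", "admin", "ubuntu")):
        SAMPLE_LOG.append(_line(_BASE + timedelta(seconds=20 * k + 5 * n),
                                user, f"203.0.113.{k + 1}", invalid=(user != "root")))


def parse_failures(lines, year=2024):
    """Extract {ts, user, ip} from 'Failed password' lines; syslog has no year, so supply one."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padding syslog uses for days < 10
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "user": m["user"], "ip": m["ip"]})
    return events


def single_source(events, window_s=600, per_ip_ban=5):
    """IPs that would trip a fail2ban-style rule: per_ip_ban failures inside window_s."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    noisy = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - per_ip_ban + 1):
            if (stamps[i + per_ip_ban - 1] - stamps[i]).total_seconds() <= window_s:
                noisy.append(ip)
                break
    return noisy


def distributed(events, window_s=600, per_ip_ban=5, min_sources=10):
    """The campaign per-IP banning never sees: many sources, each below per_ip_ban over the
    whole log, together producing a burst inside one window. Returns the busiest such window
    (most sources, then most attempts) as a dict, or None."""
    total = Counter(e["ip"] for e in events)
    quiet_ips = {ip for ip, n in total.items() if n < per_ip_ban}
    events = sorted(events, key=lambda e: e["ts"])
    best, best_key, j = None, None, 0
    for i, e in enumerate(events):
        while (e["ts"] - events[j]["ts"]).total_seconds() > window_s:
            j += 1  # slide the window start forward
        span = [x for x in events[j:i + 1] if x["ip"] in quiet_ips]
        sources = {x["ip"] for x in span}
        key = (len(sources), len(span))
        if len(sources) >= min_sources and (best_key is None or key > best_key):
            best_key = key
            best = {"start": span[0]["ts"], "end": e["ts"], "sources": sources,
                    "attempts": len(span), "users": Counter(x["user"] for x in span)}
    return best


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("single-source offenders:", single_source(ev))
    camp = distributed(ev)
    print(f"distributed: {len(camp['sources'])} sources, {camp['attempts']} attempts, "
          f"users {dict(camp['users'])}, {camp['start']:%H:%M:%S}-{camp['end']:%H:%M:%S}")
```

The single-source rule catches only 198.51.100.7; the twelve campaign hosts never exceed three failures each and would never be banned, yet the window view shows them as one event against root, admin and ubuntu. Tuning note: min_sources and window_s are the knobs; on a busy server with many legitimate users mistyping passwords, raise min_sources rather than lowering per_ip_ban.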
Why Small Businesses Are Prime Targets
There's a dangerous myth that attackers only go after big companies. The reality is the opposite.
Large enterprises have security teams, intrusion detection systems, and hardened configurations. Attacking them takes effort and risk.
Small businesses often run default configurations, use weak or reused passwords, have no monitoring in place, and assume they're too small to matter.
Attackers aren't manually selecting targets. Bots scan everything automatically. When they find an easy target, they exploit it regardless of company size. A compromised small business server is valuable for launching further attacks, hosting malware, mining cryptocurrency, or joining a botnet.
Industry surveys regularly put the share of attacks aimed at small businesses above 40%, and many of those businesses lack the resources to recover from a compromise.
What Actually Helps
Awareness is the first step. Here's what makes a real difference:
Disable password authentication for SSH entirely. Use key-based authentication only. This removes password guessing as an attack vector: a bot with a wordlist cannot guess a 256-bit key. Note that PasswordAuthentication no is not enough on its own; set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH) as well, otherwise PAM can still prompt for a password through the keyboard-interactive path.
Change default ports. Moving SSH from 22 to a non-standard port won't stop determined attackers, and any scanner that sweeps all ports will find it, but it cuts the volume of automated login attempts by over 90%, because most bots only probe 22. Treat it as a noise filter, not a control.
Implement fail2ban or a dedicated threat detection agent like Prometheus AI. Automatically blocking IPs after failed attempts adds friction, but reactive blocking means attackers already got their first attempts in, and per-IP bans never see a distributed campaign that stays under the threshold from each source. Prometheus takes it further, using real-time threat intelligence from a global honeypot network to block known malicious IPs before they even attempt a connection. You stop the attack before it starts.
Monitor your logs. Most compromises go undetected for weeks or months because nobody's watching. Even basic review of /var/log/auth.log (or journalctl -u ssh on systemd hosts) catches obvious attack patterns: bursts of failed logins, the same handful of usernames from many sources, or a successful login from an address you don't recognise.
Use threat intelligence. Knowing which IPs are actively attacking other servers lets you block them before they reach yours. Keep the feed fresh: bot IPs churn quickly, and a stale blocklist both misses new sources and blocks addresses that have since been reassigned.
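Checking that the first two recommendations actually took effect, as an added example that is not code from the original post. It implements just enough sshd_config parsing for an audit (case-insensitive keywords, comment lines, first occurrence wins, and only the global section before any Match block, which is how sshd reads the file), fills in OpenSSH's defaults for anything missing, and reports what is still weak. The two configs are constructed: WEAK is what a fresh image typically ships with, HARDENED is the checklist applied.

```python
"""Audit an sshd_config against the hardening checklist above.

Added example, not code from the original post. WEAK and HARDENED are
constructed configs; DEFAULTS are OpenSSH's documented defaults for the
directives the audit cares about.
"""
import re

DEFAULTS = {  # what sshd assumes when the directive is absent
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
}

WEAK = """\
# As shipped on many images; nothing has been touched
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate: sshd ignores it, the first occurrence wins
PasswordAuthentication no
MaxAuthTries 6
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
# conditional block below applies to one user only and is not part of the global view
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match line is conditional
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"  # older name for the same option
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the checklist is met."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: nothing is left but passwords")
    if cfg["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password login for root, the most-guessed account")
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords is enabled")
    tries = cfg["maxauthtries"]
    if not tries.isdigit() or int(tries) > 3:
        findings.append(f"MaxAuthTries is {tries}; 3 or fewer limits guesses per connection")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: port {parse_sshd_config(text).get('port', DEFAULTS['port'])}")
        for f in audit_sshd_config(text) or ["no findings"]:
            print("  -", f)
```

To run it against a real host, read /etc/ssh/sshd_config into audit_sshd_config and, after editing, validate with sshd -t before restarting; also check /etc/ssh/sshd_config.d/ on distributions that use Include, since a drop-in file processed earlier can set a directive before yours and win on first occurrence.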
The Bottom Line
The internet is hostile by default. Every server is constantly probed, scanned, and tested. The question isn't whether you'll be targeted, but whether you'll notice and whether your defenses hold.
Small businesses aren't invisible. They're often the easiest prey.
The good news is that basic security hygiene stops the vast majority of automated attacks. The bad news is that most people don't implement even the basics until after they've been compromised.
Don't wait for that lesson.