I've been monitoring my servers for about nine days now, covering five different servers located across Europe, Asia, and the US. During this time, I've recorded approximately 18,000 attacks from around 8,000 unique IP addresses.
SSH receives the most attacks, with fail2ban helping to mitigate the chaos. Surprisingly, I'm also seeing hits on Telnet, which seems bizarre in 2026. The top source countries for these attacks include Russia, the US, China, the Netherlands, and the UK.
Interestingly, my Asian VM is the most targeted with 11,000 attempts, followed by the US with 10,000 and only about 600 on my European VMs. The most commonly attempted passwords are laughably predictable—123456, admin, and even the default Redis password 'foobared'! I noticed the first attack occurred just 90 seconds after booting my VM.
I'm curious if anyone else is tracking similar data and how your numbers compare to mine!
5 Answers
I don’t understand why your SSH even receives traffic. I have mine firewalled at the network level to prevent that. My VMs don’t process any of it at all!
I've learned that if you position a honeypot on SSH that's easily recognizable, attackers will just use basic password lists. Make your honeypot more unique, and you’ll see attackers shift tactics.
Good point! My honeypot's banners seem realistic but low-interaction. Right now, my goal is just to block them before they find the real services.
Honestly, even a basic setup with a firewall and fail2ban can handle this noise. I just monitor the occasional IP bans as a source of entertainment and focus on the real threats.
That’s true! But keeping a honeypot can help catch attackers before they reach your actual services. It seems like an effective strategy.
It sounds like typical background noise on the internet. It's pretty standard for scans to start almost immediately after launching a VM. You'd be surprised by how many people get a kick out of these early hits!
I totally get it! I was shocked by the volume, too. It's wild how quickly they come for you.
I don’t bother tracking basic scans either. For me, they’re just background noise, but my honeypot's automatic bans help filter out the bad guys before they reach anything important.
That’s a solid approach! The main benefit is getting rid of the noise around your real services without too much hassle.
Not everyone has that luxury. Some are running cheaper VPSs or home setups where network-level restrictions aren't feasible. It’s a gold standard to aim for, but not always possible.