
Malicious connection at DigitalOcean Private Lan

Last month I made a droplet at DigitalOcean Singapore and configured it to be ready to run as a web server and a proxy or VPN server for private use. After finishing the configuration, I shut it down and made a snapshot as my OS template. After that I just destroyed it.
A few days ago, I started another droplet at DigitalOcean Singapore using the snapshot created back in February 2014, but because I was so busy, I forgot that I had a running droplet there.
And today, when I looked at the munin graph and the vnstat report, the droplet had wasted about 70GB of data.
[Image: vnstat]
I forgot to make the squid a private proxy by adding an authentication line, so my squid proxy was used by so many users with Chinese IPs; some were using IPs from Voxility.
So today I stopped squid and added the authentication line, but there were still so many connections. And I just realized that I’m using a Private LAN, a feature from DigitalOcean, which is not “Private”.
The droplet is not used for serving any website, and some services were already stopped (Nginx, MySQL, NodeJS, Supervisor, Squid, OpenVPN, MongoDB, PHP), but it still had this many connections.
[Image: iftop]
After checking the denyhosts report for these few days, I saw many IPs blacklisted for trying to brute-force my droplet.
So, if you want to use a droplet from DigitalOcean, do not use the Private LAN. If you really want to use it, please place very strict firewall/iptables rules on it.
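
One way to write the strict rules recommended above, as an added example rather than the author's own configuration: a shell function that prints an iptables-restore ruleset dropping everything that arrives on the private interface except traffic from named peers. The interface name `eth1`, the chain name `PRIVLAN` and the 10.130.0.x peer addresses are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not the author's config): default-deny the shared "private"
# interface and admit only explicitly listed peers.
# Review the output, then load it, e.g.:
#   private_lan_rules eth1 10.130.0.5 | iptables-restore --noflush

# is_ipv4 ADDR -> status 0 only for a strict dotted-quad IPv4 address
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;      # empty, stray characters, trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                             # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# private_lan_rules IFACE [PEER...] -> ruleset on stdout, status 1 on bad input
private_lan_rules() {
    [ $# -ge 1 ] || return 1
    iface=$1; shift
    case "$iface" in                      # refuse anything that is not a plain NIC name
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    for peer in "$@"; do                  # validate every peer before printing anything
        is_ipv4 "$peer" || { echo "bad peer: $peer" >&2; return 1; }
    done
    printf '%s\n' "*filter" ":PRIVLAN - [0:0]"
    # All traffic arriving on the private NIC is judged by one chain
    printf '%s\n' "-A INPUT -i $iface -j PRIVLAN"
    # Replies to connections this host opened itself
    printf '%s\n' "-A PRIVLAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for peer in "$@"; do                  # one allow rule per trusted peer
        printf '%s\n' "-A PRIVLAN -s $peer/32 -j ACCEPT"
    done
    # Log a sample of what is refused, then drop everything else
    printf '%s\n' "-A PRIVLAN -m limit --limit 6/min -j LOG --log-prefix \"privlan-drop \""
    printf '%s\n' "-A PRIVLAN -j DROP" "COMMIT"
}
```

Called with no peers, the function still emits the default-deny chain, which suits a droplet like this one that has no reason to accept anything over the private interface.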
