Yes, George, what is it?
I want to run a Minecraft server on my PC for my friends to log on and play Minecraft with me.
George, do you understand that doing that would require opening up access to your computer from the outside world?
Nobody’s going to notice our system unless we tell them.
Do you really think so? How long do you think it will take before someone other than your friends notice the computer is available from the outside and start trying to break in to your PC server?
DAAAAAD! Nobody is ever going to notice!
Mar 29 00:08:59 UnixBSD sshd: input_userauth_request: invalid user shoutcast
Mar 29 00:09:00 UnixBSD sshd: input_userauth_request: invalid user svn
Mar 29 00:09:02 UnixBSD sshd: input_userauth_request: invalid user zabbix
Mar 29 00:09:03 UnixBSD sshd: input_userauth_request: invalid user oracle
Mar 29 00:09:04 UnixBSD sshd: input_userauth_request: invalid user nagios
Actually, it took about 15 minutes. Since opening up the login port to the outside world on the FreeBSD box at the end of March, we have recorded 76,168 separate (failed) login attempts onto our server. This does not include the nearly 40,000 separate (failed) login attempts onto the WordPress platform also running on this platform.
So who’s so interested in getting onto our system? Although they don’t use their real name, here are the most popular names, in order of #2 through #24:
And what is the most popular name to try to log in as? The big winner is “root”, with 44,428 attempts between March 29th and November 20th.
Since opening up this box to the outside world, I’ve been quite happy with the security it has shown, given a ‘little’ care in setting everything up. I actually look forward to seeing what entertaining names people try to use in logging in. I’ve also learned that if you’re going to allow access from the outside world, there are certain names which you should not use, such as ‘root’ for your system administrator or ‘superuser’ account. So far, I’ve gathered 6,758 different names people (or more likely, automated programs) have used to try to gain access to our system.
And, yes, George did get his Minecraft server installed and made available to his friends, even though the name ‘minecraft’ was tried as a login name 62 times since last spring.