21 April 2019

I see you knocking but don't want you in

A few days back, I set up a "droplet" at DigitalOcean to host a Django application that I'd been building, and so I now have a small net-facing Ubuntu VM there. As a security person, I've been, er, interested to see just how interesting my site has quickly become to, er, unexpected visitors. Looking at its first-ever auth.log, it went active at:

Apr 16 15:33:23  systemd-logind[1385]: Watching system buttons on /dev/input/event0 (Power Button)

The sshd logged its first preauth disconnect at 15:38:27 (just over 5 minutes later), from an IP address that whois resolved to country code IR. Since I didn't have an associated domain registered at this time, I assume that this was a random address scan.

I started an Apache server about an hour later, at 16:47. Following some of my own testing (and a domain name registration), its first unexpected visit came at 17:40 in the form of a POST from an IP address in St. Petersburg, RU.

I can see that my droplet's sshd and Apache have been busy rejecting varied streams of "knocks" since, and am applying best practices of firewalling unneeded ports and disabling passworded access to ssh. Still, I've been surprised at just how quickly and broadly my site was discovered. If more of my prior experience had fallen on the operational response vs. architectural development side of security, maybe I'd be less surprised. Anyway, a valuable learning experience and reminder. Stay safe!
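As an added example (not code from the post above), the script below does the two things the post describes by hand: it reads an auth.log, measures how long after boot the first sshd "[preauth]" disconnect arrived and counts connection attempts per source address, and then audits an sshd_config for the password-access settings the post says it is turning off. The log lines are constructed to match the Ubuntu/OpenSSH formats, with hostname "droplet" and addresses from the RFC 5737 documentation ranges; the year 2019 is assumed because syslog timestamps carry no year.

```python
"""Summarise sshd "knocks" in an Ubuntu auth.log and audit sshd_config.

Added example, not the post's own code. SAMPLE_AUTH_LOG and the two
sshd_config fragments are constructed; the hostname and IPs are made up.
"""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2019  # assumed: syslog timestamps have no year

# Constructed sample in the Ubuntu 18.04 / OpenSSH auth.log format.
SAMPLE_AUTH_LOG = """\
Apr 16 15:33:23 droplet systemd-logind[1385]: Watching system buttons on /dev/input/event0 (Power Button)
Apr 16 15:33:23 droplet sshd[1402]: Server listening on 0.0.0.0 port 22.
Apr 16 15:38:27 droplet sshd[2113]: Received disconnect from 192.0.2.10 port 41234:11: Bye Bye [preauth]
Apr 16 15:38:27 droplet sshd[2113]: Disconnected from 192.0.2.10 port 41234 [preauth]
Apr 16 15:52:01 droplet sshd[2201]: Invalid user admin from 198.51.100.7 port 50112
Apr 16 15:52:03 droplet sshd[2201]: Connection closed by 198.51.100.7 port 50112 [preauth]
Apr 16 16:03:44 droplet sshd[2290]: Failed password for root from 192.0.2.10 port 41980 ssh2
Apr 16 16:03:46 droplet sshd[2290]: Disconnected from authenticating user root 192.0.2.10 port 41980 [preauth]
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[\d+\]: (.*)$")
# Remote peer as sshd prints it: "from 1.2.3.4 port N", "by 1.2.3.4 port N",
# "from authenticating user root 1.2.3.4 port N", "from invalid user x 1.2.3.4 port N"
PEER_RE = re.compile(
    r"(?:from|by)(?: authenticating user \S+| invalid user \S+)? (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)"
)


def parse(log_text):
    """Yield (timestamp, program, message) for each well-formed syslog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(4)


def seconds_to_first_knock(log_text):
    """Seconds from the first systemd-logind line (boot) to the first sshd '[preauth]' disconnect."""
    boot = None
    for ts, prog, msg in parse(log_text):
        if boot is None and prog == "systemd-logind":
            boot = ts
        elif boot is not None and prog == "sshd" and msg.endswith("[preauth]"):
            return int((ts - boot).total_seconds())
    return None


def sessions_by_ip(log_text):
    """Count distinct (ip, source port) sshd sessions per remote address, not raw log lines."""
    seen = set()
    for _, prog, msg in parse(log_text):
        if prog == "sshd":
            m = PEER_RE.search(msg)
            if m:
                seen.add((m.group(1), m.group(2)))
    return dict(Counter(ip for ip, _ in seen))


# Settings that close off password-based ssh access. Values are the acceptable set.
WANTED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},  # keyboard-interactive via PAM
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
}
# OpenSSH's built-in defaults, applied when a keyword is absent or commented out.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def audit_sshd_config(config_text):
    """Return {keyword: effective value} for settings outside WANTED.

    Mirrors sshd's rules: keywords are case-insensitive, the first occurrence
    wins, only lines starting with '#' are comments. Conditional 'Match'
    blocks are not evaluated here, so parsing stops at the first one.
    """
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)[\s=]+(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    findings = {}
    for key, ok_values in WANTED.items():
        value = effective.get(key, DEFAULTS[key])
        if value.lower() not in ok_values:
            findings[key] = value
    return findings


# Constructed: password line commented out (so the default "yes" applies) and root allowed.
WEAK_SSHD_CONFIG = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
"""
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    print("seconds to first knock:", seconds_to_first_knock(SAMPLE_AUTH_LOG))
    print("sessions by ip:", sessions_by_ip(SAMPLE_AUTH_LOG))
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Two points the example makes that a glance at the log does not: a single scanner produces several lines per connection, so counting distinct (address, source port) pairs gives the number of attempts rather than the number of log lines; and a commented-out "#PasswordAuthentication yes" in the stock Ubuntu file is not a "no", because OpenSSH's built-in default still applies. On the real host, "sudo sshd -T" prints the effective configuration after all defaults and Match blocks are resolved and is the authoritative check.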
