My Server Was Attacked 5,866 Times in Just a Few Days
19th December 2025
As a blockchain developer, I've always known security matters. But I wanted to see what my servers actually face day-to-day.
So I wrote a simple script to send Telegram alerts for every login attempt—successful or failed—on one of my public servers.
I expected maybe 400-500 bot hits. I was way off.
The Numbers
- 5,866 failed login attempts
- From 99 countries
- 620 different cities
- Time period: 9th November 2025 to 19th December 2025 (40 days)
This is what security researchers call "internet background noise"—automated scanners and bots constantly probing every public IP for weak passwords. They're hunting for anything they can break into: servers, CCTV cameras, baby monitors, IoT devices.
Where the Attacks Came From
The top 5 countries accounted for over 52% of all attempts:
- 🇨🇳 China: 963 attacks (16.4%)
- 🇺🇸 United States: 832 attacks (14.2%)
- 🇮🇳 India: 478 attacks (8.2%)
- 🇷🇺 Russia: 467 attacks (8.0%)
- 🇰🇷 South Korea: 332 attacks (5.7%)
[Chart: Geographic Distribution of Attacks]
Why Blockchain Projects Are Especially at Risk
A hacked server isn't just about stolen data. For blockchain applications, it can mean:
- Drained wallets
- Leaked private keys
- Validator nodes going offline
When you're handling digital assets, one breach can cost millions. There's no "reset password" button for a compromised private key.
Attack Patterns Over Time
The attacks weren't random. They came in waves—certain hours and days saw massive spikes. Here's the weekly breakdown:
[Chart: Weekly Attack Trends]
How I Set This Up
The monitoring setup was surprisingly simple:
- Configured my server to log all SSH attempts
- Wrote a Node.js script to parse auth logs
- Sent Telegram alerts for each attempt
- Exported the Telegram chat as HTML
- Parsed the data and enriched it with geolocation
- Generated interactive charts with Chart.js
The whole thing took maybe 2-3 hours to set up. Worth it to see what's actually happening.
What You Should Do Right Now
Your server is being scanned right now. Here's what actually matters:
1. Disable Password Login
Edit your SSH config:
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
2. Use SSH Keys Only
Generate a key pair if you haven't already:
ssh-keygen -t ed25519 -C "your_email@example.com"
3. Change the Default SSH Port
Most bots scan port 22. Moving to a different port cuts noise significantly:
# /etc/ssh/sshd_config
# or any port you prefer
Port 2222
4. Set Up Fail2Ban
Automatically ban IPs after failed attempts:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
5. Monitor Your Logs
You don't need a fancy setup. Even a simple script checking logs daily helps:
# Check recent failed login attempts
grep "Failed password" /var/log/auth.log | tail -20
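Going one step beyond the grep above, and in the spirit of the Node.js log-parsing step from the setup list, here is an added example (not the author's script) that counts failed attempts per source address and lists successful logins. The log lines are constructed and the function names are assumptions; because the user name in a failed attempt is supplied by the client, the pattern anchors on the end of the line so text smuggled into the name cannot change the reported address.

```javascript
// Added example (not the author's script): summarise sshd login attempts.
// SAMPLE_LOG is constructed; addresses are from documentation ranges.
const SAMPLE_LOG = `
Dec 19 03:12:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Dec 19 03:12:04 host sshd[1001]: Failed password for root from 203.0.113.7 port 40113 ssh2
Dec 19 03:12:09 host sshd[1002]: message repeated 4 times: [ Failed password for root from 198.51.100.23 port 51522 ssh2]
Dec 19 03:13:30 host sshd[1005]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 40120 ssh2
Dec 19 03:15:40 host sshd[1003]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructed
Dec 19 03:16:02 host CRON[1004]: pam_unix(cron:session): session opened for user root
`;

// The user name is client-supplied, so it is matched greedily: only the
// real "from <ip> port <n> ssh2" at the end of the line is trusted.
const ATTEMPT = new RegExp(
  String.raw`sshd\[\d+\]: (?:message repeated (\d+) times: \[ )?` +
  String.raw`(Failed|Accepted) (\S+) for (invalid user )?(.*) ` +
  String.raw`from (\S+) port (\d+) ssh2(?:: .*)?\]?$`
);

function parseLine(line) {
  const m = ATTEMPT.exec(line.trim());
  if (!m) return null; // not an sshd authentication result
  return {
    count: m[1] ? Number(m[1]) : 1, // syslog may collapse repeated lines
    ok: m[2] === 'Accepted',
    method: m[3],
    invalidUser: Boolean(m[4]),
    user: m[5],
    ip: m[6],
  };
}

function summarize(text) {
  const failedByIp = new Map();
  const accepted = [];
  let failedTotal = 0;
  for (const line of text.split('\n')) {
    const a = parseLine(line);
    if (!a) continue;
    if (a.ok) { accepted.push(a); continue; }
    failedTotal += a.count;
    failedByIp.set(a.ip, (failedByIp.get(a.ip) || 0) + a.count);
  }
  const top = [...failedByIp].sort((x, y) => y[1] - x[1]);
  return { failedTotal, top, accepted };
}

console.log(summarize(SAMPLE_LOG));
```

To run it against a real log, pass the contents of /var/log/auth.log to summarize() instead of the sample. An entry in accepted from an address you don't recognise is the line to look at first.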
The Lesson
Whether you're in Web2 or Web3, basic security isn't optional. Your server is a target the moment it goes online.
Assume you're being attacked—because you already are.
For blockchain developers specifically: if you're running validators, RPC nodes, or anything that touches private keys, this isn't paranoia. It's reality.
That's all for now. Stay secure out there. 🔐