There was a poll on twitter recently asking about making a new blog. My suggestion was to self-host WordPress on a VPS, and then use the attacks against both as case studies for the blog itself.
The real question comes down to, “what is your goal?”
When I started this site (spun up the VPS) it wasn’t to blog. I knew I’d put a blog here eventually. But my goal was to have a Linux server to maintain admin skills and collect attack types against a publicly accessible server.
I used to track failed SSH attempts to the server; I even had a poorly written shell script (a converted one-liner) that collected the attempts from the logs. It didn’t provide me the passwords, but it gave me the IP addresses and user names. The main thing I saw from the data was that they were scripted attempts. Since then I have blocked SSH in iptables to only a few “trusted” address ranges. They’re only trusted because they are address ranges I’d come from. I rarely see any attempts that are not me, and couldn’t tell you the last time Fail2Ban triggered on an SSH attempt.
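A small script in the spirit of that converted one-liner, added here as an example and not the original script from this site: it pulls the source IP and attempted user name out of sshd “Failed password” lines and tallies them, which is enough to see the burst pattern of scripted guessing. The log lines, host name and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: tally failed sshd logins from an auth.log-style file.
# The sample lines below are constructed, not from a real server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:12:01 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 10 03:12:03 vps sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 10 03:12:05 vps sshd[2215]: Failed password for root from 203.0.113.7 port 41038 ssh2
Jan 10 03:15:44 vps sshd[2230]: Failed password for invalid user oracle from 198.51.100.9 port 55010 ssh2
Jan 10 03:16:00 vps sshd[2232]: Accepted publickey for rattis from 192.0.2.5 port 50122 ssh2
EOF

# Print "count ip user" for every (ip, user) pair seen in a failed login,
# most frequent first. Handles both "for invalid user NAME" and "for NAME".
failed_ssh_attempts() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) {
          if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
          if ($i == "from") ip = $(i+1)
        }
        count[ip " " user]++
      }
      END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Print "count ip": how many failures each source address produced.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") per_ip[$(i+1)]++
      }
      END { for (ip in per_ip) print per_ip[ip], ip }' "$1" | sort -rn
}

echo "== failures by ip and user =="
failed_ssh_attempts "$SAMPLE_LOG"
echo "== failures by ip =="
failed_by_ip "$SAMPLE_LOG"
```

Three failures from one address within four seconds, cycling through common account names, is the scripted signature the post describes; on a live box you would point the functions at /var/log/auth.log instead of the sample file.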
And as you can see above, the goals can change as time goes by. The use of the server has changed over the years. I don’t watch the logs as much any more. I do review the logcheck emails on a regular basis, but that isn’t as in depth as what I used to do.
After I finish school, maybe things will change again. Maybe I’ll blog more about what I find in the logs. Like the differences I see in apache2/(access|error)[.]logs and apache2/rattis/(access|error)[.]logs. Maybe I’ll set up Security Onion and have all the logs forwarded to it to monitor there.
But right now my goal for this site is to just be a place to blog about some of the stuff I’m working on / learning. The things outside of my third Master’s program. And yeah, I’ve blogged more lately, but that’s because I’m between classes and have some free time.