static IP 184.108.40.206(google cloud Indonesia)，I discovered there is a traffic spike at about 13:00 Hong Kong time, which is probably a ddos. I cannot figure out why my server get this kind of attack since my IP is not exposed to anywhere other that ntp pool and it has only operated for one day. Why hackers discovered my ip so quickly? And how to prevent this in the future. Thanks
If it happens everyday at the same time, it’s likely that this is a result of many clients requesting the time at exactly the same time. In this case it’s not hackers, but just many “non-ideal” configured clients who have found you.
Since this is the first time I rent cloud servers which run 24x7, I am concerned with the security issue. I would like to ask another question, will cloud server be infected by ransomware(my personal laptop is infected with ransomware few months ago).
This depends on your security measures.
- enable and use a firewall - only open the required ports
- restrict root ssh access
- use ssh key authentication
- (if using RHEL/CentOS/Fedora) enable SELinux
- apply software updates in a timely manner
- disable and uninstall unnecessary services
- create separate users for people and services
- use process isolation
- monitor server logs
- don’t use the default settings for services, always have a look and ensure the settings follow the commonly known security best practise for that service
- don’t use default passwords
- apply crypto hardening for encrypted communication channels - turn of old cyphers and check your crypto settings
It still can happen, but it’s more unlikely. And there is no such thing as “100% safe”.
Collect some packet captures if feasible. This would show the IP source addresses, though these may be spoofed.