A few days ago I decided to open up my SSH to the internet. Possibly not the greatest idea, but I have a service set up to block brute force attempts and report unauthorized connections to AbuseIPDB. After a few days I started noticing some odd patterns.
Over the last few days, I have gotten a ton of break-in attempts from "Fixed Line" ISPs (IPs being used by people's homes and possibly businesses). A good deal of these requests appear to be coming from smaller ISPs (to this date no requests have come from one of the biggest ISPs in the United States, Comcast), mostly from CenturyLink Communications LLC.
At first I thought that most of these attacks were from exploited hosts - IPs that have been hacked. A bot (possibly a person) brute-forced a login page that was on the internet and uploaded malware that lets the IP scan for more login pages, and the cycle continues, creating a botnet. While some of the requests were likely just this, I noticed something odd. Most of the IPs had only 1 or 2 reports (one of them being mine). I was a bit confused as to why I was one of the only reports, but then I came up with an interesting idea.
Likely the malware inserted onto these IPs wasn't scanning the entire internet; instead it was scanning only residential CIDR blocks. My server's IP, which is a Comcast IP, likely fell under one of the CIDR blocks. Most people choose to use web hosts instead of self-hosting, which would explain the few reports.
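As an added illustration (not code from this post or the author's setup), here is the core of a brute-force detector like the one described above, run over constructed sshd log lines: it counts failed password attempts per source IP, records which usernames were tried, and flags IPs at or over a threshold. The log lines, IPs and threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample from an sshd auth log (documentation-range IPs, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2301]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2301]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 host sshd[2305]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:02 host sshd[2310]: Failed password for invalid user pi from 198.51.100.23 port 40022 ssh2
Mar  3 10:02:40 host sshd[2312]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2: ED25519 SHA256:AbCd
Mar  3 10:03:01 host sshd[2315]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:03:05 host sshd[2316]: Failed password for invalid user test from 198.51.100.23 port 40030 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {ip: {"failures": n, "users": set_of_usernames}} for failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # successful logins and unrelated lines are ignored
            entry = stats[m.group("ip")]
            entry["failures"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)


def offenders(log_text, threshold=3):
    """IPs whose failure count reaches the threshold, sorted by count (highest first).

    This is the point at which a blocking service would add a firewall rule and
    file a report; the threshold here is an arbitrary constructed value.
    """
    stats = count_failures(log_text)
    hits = [(ip, e["failures"]) for ip, e in stats.items() if e["failures"] >= threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)
```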
If it doesn't need to be on the internet, don't put it on the internet. If you are unsure if you have any router logins online, please do an Nmap scan of your public IP (the SYN scan needs root, and run it from outside your own network so NAT doesn't hide what is actually exposed):
sudo nmap -sS YOUR_PUBLIC_IP