Network Internet Egress from Americas to China on SFTP server

google-compute-engine

I set up an instance 10 days ago with an installation of CentOS to use as a backup system. I followed this tutorial:

https://medium.com/@biancalorenpadilla/sftp-google-cloud-storage-d559fd16e074

Looking at the billing I see this:
Compute Engine Network Internet Egress from Americas to China 79.08 Mebibyte

http and https are blocked. SSH has a random 12-character password. Nothing in the instance's logs since the day I set it up.

Could that amount of data come from people probing the ports or has the server likely been breached?

Best Answer

There is a chance that you have been affected by a DDoS attack. To mitigate this, or avoid it in future, you should implement egress filtering [1].

Since egress traffic is within the customer's control (you are responsible for the configuration of your virtual machines and firewalls), consider securing your project using best practices [2], such as creating an egress firewall rule to allow traffic only to intended IP addresses.

You can make use of VPC flow logs [3], which can help you monitor the (egress) traffic coming from your instances, and filter out any unintended IP address accessing the VM with an egress firewall rule.

You need to put some authentication/authorization in front of the server to help prevent potential attacks by bots (which may scan all IPs and attempt to connect to every port). Kindly follow the best practices at these links [4].

[1] https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059
[2] https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf
[3] https://cloud.google.com/vpc/docs/using-flow-logs
[4] https://cloud.google.com/security
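As an added example (not part of the answer above, and not Google's own script), here is the egress rule set the answer recommends, expressed as gcloud commands: a low-priority deny-all egress rule for the tagged VM, a higher-priority allow rule for the destinations it legitimately initiates connections to, and flow logging on the subnet. The network, subnet, region, tag and the 203.0.113.0/24 allowlist are placeholder values I made up; replace them with your own. By default the script only prints the commands (DRY_RUN=1) so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the answer above): restrict what the backup VM may
# initiate outbound, and switch on VPC Flow Logs so the remaining egress can be
# reviewed. Network, subnet, region, tag and the allowlisted CIDR are
# placeholders (assumptions); replace them with your own values.
NETWORK="${NETWORK:-backup-net}"
SUBNET="${SUBNET:-backup-subnet}"
REGION="${REGION:-us-central1}"
TARGET_TAG="${TARGET_TAG:-sftp-backup}"
# Destinations the VM legitimately connects to on its own (e.g. the host it
# pulls backups from). 203.0.113.0/24 is a documentation range, not a real one.
ALLOWED_DEST_CIDRS="${ALLOWED_DEST_CIDRS:-203.0.113.0/24}"

# Default to a dry run that prints the gcloud commands for review; set
# DRY_RUN=0 to apply them (requires an authenticated gcloud).
if [ "${DRY_RUN:-1}" = 1 ] || ! command -v gcloud >/dev/null 2>&1; then
  GCLOUD="echo gcloud"
else
  GCLOUD="gcloud"
fi

# Catch-all: deny every outbound connection from VMs carrying the tag.
# Priority 65000 sits below any explicit allow rule but above the implied
# allow-all egress rule (priority 65535).
deny_all_egress() {
  $GCLOUD compute firewall-rules create "${TARGET_TAG}-deny-egress" \
    --network="$NETWORK" --direction=EGRESS --action=DENY --rules=all \
    --destination-ranges=0.0.0.0/0 --target-tags="$TARGET_TAG" --priority=65000
}

# Exception: allow outbound traffic only to the known destinations. VPC
# firewall rules are stateful, so replies to inbound SFTP sessions are still
# delivered; this only limits what the VM initiates.
allow_egress_to_known_hosts() {
  $GCLOUD compute firewall-rules create "${TARGET_TAG}-allow-egress" \
    --network="$NETWORK" --direction=EGRESS --action=ALLOW --rules=all \
    --destination-ranges="$ALLOWED_DEST_CIDRS" --target-tags="$TARGET_TAG" \
    --priority=1000
}

# Record every flow (sampling rate 1.0) for the subnet so egress can be audited.
enable_flow_logs() {
  $GCLOUD compute networks subnets update "$SUBNET" --region="$REGION" \
    --enable-flow-logs --logging-flow-sampling=1.0
}

harden_egress() {
  deny_all_egress && allow_egress_to_known_hosts && enable_flow_logs
}

harden_egress
```

Run it with DRY_RUN=0 once the printed commands look right. If the VM needs package updates or Google APIs, add those ranges to ALLOWED_DEST_CIDRS (comma-separated) rather than loosening the catch-all; the deny rule does not affect replies to inbound SFTP sessions because VPC firewall rules are stateful, so clients uploading backups keep working.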

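Also added here (not from the answer, and not Google's own tooling): once flow logs are on, a small awk triage of the SRC-reported records that sums bytes_sent per destination and lists everything outside an allowlist, largest transfer first. That is how a bill line like "79.08 MiB to China" gets attributed to a specific destination address and port. The gcloud logging read filter and csv field list in the comments are my assumptions about how the export is done; the flow records and the allowlist are constructed sample data, not real logs.

```shell
#!/bin/sh
# Added example (not from the answer above): triage VPC Flow Logs for egress
# to destinations the backup VM has no business talking to. The input shape
# assumes an export along the lines of (assumption, adjust to taste):
#   gcloud logging read 'resource.type="gce_subnetwork" AND
#     logName:"vpc_flows" AND jsonPayload.reporter="SRC"' \
#     --format='csv(jsonPayload.connection.dest_ip,
#       jsonPayload.connection.dest_port,jsonPayload.dest_location.country,
#       jsonPayload.bytes_sent)'
# The records below are constructed sample data, not real logs.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
FLOWS="$WORK/flows.csv"
ALLOWLIST="$WORK/allowed-destinations.txt"

# Constructed sample: two flows to the expected backup source, two large
# flows to an unexpected host abroad, and one tiny flow to a third address.
cat >"$FLOWS" <<'EOF'
dest_ip,dest_port,country,bytes_sent
203.0.113.10,22,us,1048576
203.0.113.10,22,us,524288
198.51.100.7,443,cn,41943040
198.51.100.7,443,cn,40894464
192.0.2.55,22,ru,1536
EOF

# Destinations the VM is expected to reach (one IP per line; '#' comments ok).
cat >"$ALLOWLIST" <<'EOF'
# backup source host
203.0.113.10
EOF

# flag_unexpected_egress FLOWS_CSV ALLOWLIST
# Prints "dest_ip,country,port,total_bytes,total_mib" for every destination
# not on the allowlist, sorted by total bytes descending.
flag_unexpected_egress() {
  flows="$1"; allowlist="$2"
  LC_ALL=C awk -F, '
    # First file: the allowlist. Skip blank lines and comments.
    FILENAME == ARGV[1] { if (NF && $1 !~ /^#/) allowed[$1] = 1; next }
    FNR == 1 { next }                       # header row of the flow CSV
    !($1 in allowed) {
      bytes[$1] += $4; country[$1] = $3; port[$1] = $2
    }
    END {
      for (ip in bytes)
        printf "%s,%s,%s,%d,%.2f\n", ip, country[ip], port[ip], bytes[ip], bytes[ip] / 1048576
    }' "$allowlist" "$flows" | sort -t, -k4,4nr
}

flag_unexpected_egress "$FLOWS" "$ALLOWLIST"
```

On the sample data the first line is the unexpected 198.51.100.7 on port 443 with roughly 79 MiB; a destination the VM initiated that much traffic to, which you never configured, is the thing to investigate before assuming it was only port scans, since inbound probes that are dropped generate almost no egress.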