What you do with port scans

All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

What's your take?

Comments

  • sometimes ... sometimes I scan their ports ...

    Portscanning intensifies ...

    the Amitz.party lives on!

  • @jbuggie said:
    I'm not sure if the time spent reporting them would do any good.
    What's your take?

    Thanked by 1 cybertech

    #lexit | FatPal - Official LET payment gateway

  • Three Words ..... Yeti Hit Squad.

    Thanked by 1 ITLabs

    Catch me over at Primary DNS. If you want to chat I am done with this cesspool.

  • jar Provider

    Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

    Thanked by 3 grep uptime jsg
  • Sometimes it just reminds me to do it myself, on my servers and see what's up :)

    Thanked by 2 uptime ehab
  • jackb Member, Provider
    edited October 2019

    @jar said:
    Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

    That was a positive thing but most portscanning isn't.

    Usually it's trying to break into a system for malicious use. If properly secured it's no biggie but still something to be conscious of.

    E.g. I've been able to pre-empt various DDoS attack vectors over the years by occasionally checking out what's getting flagged in terms of abnormal traffic. Usually the reflection vectors will find out before most targets.

    Thanked by 1 AlwaysSkint

    Afterburst - Awesome OpenVZ&KVM VPS in US+EU

  • Researching or not, I consider port scanning a form of aggression. It's relatively simple to drop all traffic from the source of a port scan upon detection so all it can see is a closed box. That's why I did not bother to report. However, most of these are malicious scans based on the services they try to find, mostly Microsoft-related stuff. I suspect they are zombie PCs or VPS boxes.

    Thanked by 2 Janevski AlwaysSkint
  • Those who scan the most need to be added to a permanent block list. That's what I do. Sometimes.

  • rcxb Member
    edited October 2019

    The really bad actors do distributed port scanning, so you're less likely to notice it, and there's no individual IP address to block. Those just nmap'ing your node are probably pretty innocent and just saying "Hello". Sure, criminals might knock on your door, but far more often it's just nosy neighbors...
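
The per-IP blind spot described in the post above, as an added example that is not part of the thread: the sketch reads constructed iptables-LOG-style lines (the `SCAN` log prefix, the thresholds and all addresses are assumptions) and flags both a single noisy source and a group of sources that each stay under the per-IP threshold but together cover many ports on one host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: iptables-LOG-style lines for dropped inbound SYNs.
# Addresses are documentation ranges; the "SCAN" log prefix is an assumption.
def _line(ts, src, dport):
    return (f"2019-10-12T{ts}+00:00 vps kernel: SCAN IN=eth0 SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dport} SYN")

SAMPLE = (
    # one noisy host walking 12 ports
    [_line(f"03:00:{i:02d}", "203.0.113.50", 20 + i) for i in range(12)]
    # twelve hosts probing one port each: a distributed scan
    + [_line(f"03:20:{i:02d}", f"198.51.100.{i + 1}", 8000 + i) for i in range(12)]
    # a lone stray probe
    + [_line("03:40:00", "203.0.113.99", 23)]
)

LINE = re.compile(r"^(\S+) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+) .*\bSYN\b")

def detect(lines, port_threshold=10, window_s=600, min_sources=5):
    """Return (noisy single sources, [(dst, n_sources, n_ports)] for distributed scans)."""
    seen = defaultdict(lambda: defaultdict(set))   # (window, dst) -> src -> ports
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        window = int(datetime.fromisoformat(ts).timestamp()) // window_s
        seen[(window, dst)][src].add(int(dport))

    single, distributed = set(), []
    for (_, dst), srcs in seen.items():
        # Sources that cross the per-IP threshold on their own.
        single |= {s for s, ports in srcs.items() if len(ports) >= port_threshold}
        # Sources that individually look harmless but jointly sweep the host.
        quiet = {s: p for s, p in srcs.items() if len(p) < port_threshold}
        ports = set().union(*quiet.values())
        if len(quiet) >= min_sources and len(ports) >= port_threshold:
            distributed.append((dst, len(quiet), len(ports)))
    return single, distributed

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A per-IP block list built from the first result would contain only `203.0.113.50`; the twelve-host sweep shows up only in the per-destination aggregate.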

  • jbuggie said: I consider port scanning a form of aggression.

    It's sexual harassment.

    You are dreaming. | And it's a nightmare. | THE SECRET THREAD | THE TRUTH | HAVES YOU SEEN THIS YURA?
    „Homo homini rattus.“ | It's not nightmare, it's reality, but it's still nightmare.

  • Researching or not, I consider port scanning a form of aggression.

    You should probably stop using the Internet

  • I would unplug Ethernet cable from vps.

    Excuse me while I locate the port.

    Thanked by 1 uptime

    Remember the value of LET is purely based on its traffic.

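  • AlwaysSkint Member
    edited October 2019

    # Drop anything from the shared /24 that is not addressed to this host.
    iptables -I INPUT 1 -s 185.xxx.xxx.0/24 ! -d 185.xxx.xxx.my_ip -m comment --comment "Noisy neighbours" -j INVDROP
    # Drop subnet broadcasts unless they come from the gateway (a rule may carry only one -s).
    iptables -I INPUT 1 -d 185.xxx.xxx.255 ! -s 185.xxx.xxx.gateway_ip -m comment --comment "Noisy neighbours" -j INVDROP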

    Replace INVDROP with REJECT, to double the internal network crud, until the provider wakes up and bans the feckers.

    Thanked by 1 reikuzan

    Long live LowEndInfo.com

  • Jord Moderator, Provider

    When someone portscans me, I portscan them right back. They soon get fed up.

    Thanked by 1 AlwaysSkint

    BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
    BaseServ Certified to ISO/IEC 27001:2013

  • @Jord said:
    When someone portscans me, I portscan them right back. They soon get fed up.

    As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

    Long live LowEndInfo.com

  • Jord Moderator, Provider

    @AlwaysSkint said:

    @Jord said:
    When someone portscans me, I portscan them right back. They soon get fed up.

    As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

    That's what makes it fun sir, someone is getting BANGED BANNED :D

    BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
    BaseServ Certified to ISO/IEC 27001:2013

  • the Amitz.party lives on!

  • @jbuggie said:
    All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

    What's your take?

    If you can be sure about the correctness of those source IPs (for example, through TCP's 3-way handshake), you can report them. They are likely to be compromised computers. Reporting them lets the owners have a chance to clean up their computers.
    Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

    Thanked by 1 AlwaysSkint
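
One way to apply the handshake check described in the post above before reporting, as an added example that is not part of the thread: a source seen only as dropped SYNs may be forged, while one that also appears in a daemon log completed a TCP handshake. The log lines, the `SCAN` prefix and the research-scanner range are constructed; the range stands in for a published scanner list and is not taken from one.

```python
import ipaddress
import re

# Constructed inputs (documentation address ranges, not real scanners).
FIREWALL_LOG = """\
SCAN IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=3389 SYN
SCAN IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445 SYN
SCAN IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=1433 SYN
SCAN IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
"""
# sshd logs a peer only after accept(), i.e. after the handshake completed.
SSHD_LOG = """\
sshd[811]: Connection closed by 203.0.113.50 port 51812 [preauth]
sshd[812]: Connection closed by 198.51.100.200 port 40122 [preauth]
"""
# Hypothetical list of known research scanners, saved locally beforehand.
KNOWN_RESEARCH = ["198.51.100.192/26"]

def triage(firewall_log, daemon_log, research_nets):
    """Split scan sources into reportable, research and unverified sets."""
    scanners = set(re.findall(r"\bSRC=(\S+)", firewall_log))
    connected = set(re.findall(r"Connection closed by (\S+) port", daemon_log))
    nets = [ipaddress.ip_network(n) for n in research_nets]
    out = {"report": set(), "research": set(), "unverified": set()}
    for src in scanners:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in nets):
            out["research"].add(src)      # known scanner: nothing to report
        elif src in connected:
            out["report"].add(src)        # handshake completed: address is real
        else:
            out["unverified"].add(src)    # SYN only: source could be forged
    return out

if __name__ == "__main__":
    for bucket, addrs in triage(FIREWALL_LOG, SSHD_LOG, KNOWN_RESEARCH).items():
        print(bucket, sorted(addrs))
```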

  • @chihcherng said:
    Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

    Brilliant! I can add this to my AWS blocks. Made my weekend. :)

    Long live LowEndInfo.com

  • jsg Member
    edited October 2019

    What @jar said plus sometimes people do portscans to check out something in the "white sense" (e.g. verify that some ports are or are not open, check one's provider for a decent config/network, etc.) but most port scans are highly likely from grey to black scripts or (rarely) people.

    But: all of that doesn't matter and is the wrong perspective. The correct perspective is to realize that port scans are not illegal (for good technical reasons) and that they are a reality anyway, even if they were illegal.

    TL;DR Don't care, just be sure your config is sane and your system is set up properly.

    Thanked by 3 jar dahartigan ralph

    Thanks no.
