    What you do with port scans

    All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

    What's your take?

    Comments

    • uptime Member

      sometimes ... sometimes I scan their ports ...

      Portscanning intensifies ...

    • ITLabs Member

      @jbuggie said:
      I'm not sure if the time spent reporting them would do any good.
      What's your take?

      Thanked by 1 cybertech
    • Three Words ..... Yeti Hit Squad.

      Thanked by 1 ITLabs

      The Bun | Primary DNS | Small Web <--- Do not ask questions, just go for it.

    • jar Provider

      Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

      Thanked by 3 grep uptime jsg
    • thedp Member

      Sometimes it just reminds me to do it myself, on my servers and see what's up :)

      Thanked by 2 uptime ehab

      DomainPeon -- Somewhat decent domain names at affordable prices.

    • jackb Member, Provider
      edited October 4

      @jar said:
      Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

      That was a positive thing but most portscanning isn't.

      Usually it's trying to break into a system for malicious use. If properly secured it's no biggie but still something to be conscious of.

      E.g. I've been able to pre-empt various DDoS attack vectors over the years by occasionally checking out what's getting flagged in terms of abnormal traffic. Usually the reflection vectors will find out before most targets.

      Thanked by 1 AlwaysSkint

      Afterburst - Awesome OpenVZ&KVM VPS in US+EU

    • Researching or not, I consider port scanning a form of aggression. It's relatively simple to drop all traffic from the source of a port scan upon detection so all it can see is a closed box. That's why I did not bother to report. However, most of these are malicious scans based on the services they try to find, mostly Microsoft-related stuff. I suspect they are zombie PCs or VPS boxes.

      Thanked by 2 Janevski AlwaysSkint
    • Those who scan most need to be added to a permanent block list. That's what I do. Sometimes.

    • rcxb Member
      edited October 5

      The really bad actors do distributed port scanning, so you're less likely to notice it, and there's no individual IP address to block. Those just nmap'ing your node are probably pretty innocent and just saying "Hello". Sure, criminals might knock on your door, but far more often it's just nosy neighbors...

    • jbuggie said: I consider port scanning a form of aggression.

      It's sexual harassment.

      You are dreaming. | And it's a nightmare. | THE SECRET THREAD | THE TRUTH | HAVES YOU SEEN THIS YURA?

    • Researching or not, I consider port scanning a form of aggression.

      You should probably stop using the Internet

    • I would unplug Ethernet cable from vps.

      Excuse me while I locate the port.

      Thanked by 1 uptime

      relentless collector of highest clocked, highest performing KVM/NVMe/Gbit VPSes at the most competitive rates. just to hard idle them. zero knowledge on coding/programming; a mere hobbyist.

    • AlwaysSkint Member
      edited October 5

      iptables -I INPUT 1 -s 185.xxx.xxx.0/24 ! -d 185.xxx.xxx.my_ip -m comment --comment "Noisy neighbours" -j INVDROP
      iptables -I INPUT 1 -s 185.xxx.xxx.255 ! -s 185.xxx.xxx.gateway_ip -m comment --comment "Noisy neighbours" -j INVDROP

      Replace INVDROP with REJECT, to double the internal network crud, until the provider wakes up and bans the feckers.

      Thanked by 1 reikuzan

      redacted

    • Jord Moderator

      When someone portscans me, I portscan them right back. They soon get fed up.

      Thanked by 1 AlwaysSkint
    • @Jord said:
      When someone portscans me, I portscan them right back. They soon get fed up.

      As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

      redacted

    • Jord Moderator

      @AlwaysSkint said:

      @Jord said:
      When someone portscans me, I portscan them right back. They soon get fed up.

      As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

      That's what makes it fun sir, someone is getting BANGED BANNED :D

    • @jbuggie said:
      All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

      What's your take?

      If you can be sure about the correctness of those source IPs (for example, through TCP's 3-way handshake), you can report them. They are likely to be compromised computers. Reporting them lets the owners have a chance to clean up their computers.
      Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

      Thanked by 1 AlwaysSkint
      Don't let questionable websites get hold of your email addresses. Give them Crazi4U - Your one hour inbox instead.
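
Added example, not part of any post in this thread: a Python sketch of the check described in the post above (report only sources whose address is confirmed by a handshake), applied to the per-source scan detection mentioned earlier in the thread. It assumes an iptables LOG rule with a hypothetical `SCAN ` prefix that logs inbound TCP packets, uses constructed log lines, and treats a SYN followed by a plain ACK on the same flow as a heuristic for a completed handshake; it does not validate sequence numbers.

```python
import re
from collections import defaultdict

# Constructed, abbreviated iptables LOG lines (documentation address ranges).
# The "SCAN " prefix is an assumed --log-prefix value, not taken from the thread.
SAMPLE_LOG = """\
Oct  5 03:12:01 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  5 03:12:01 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Oct  5 03:12:02 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  5 03:12:02 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  5 03:12:03 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  5 04:40:10 vps kernel: SCAN IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 04:40:10 vps kernel: SCAN IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 04:40:11 vps kernel: SCAN IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 05:01:00 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  5 05:01:00 vps kernel: SCAN IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 ACK PSH URGP=0
"""

# Source, ports and the TCP flag words that sit between RES= and URGP=.
PKT = re.compile(
    r"SRC=(\S+) DST=\S+ .*?PROTO=TCP SPT=(\d+) DPT=(\d+) .*?RES=\S+ (.*?) ?URGP="
)

def classify(log_text, min_ports=3):
    """Map each scanning source to 'report' (handshake seen) or 'drop-only'."""
    syn_ports = defaultdict(set)  # src -> distinct ports probed with a bare SYN
    pending = set()               # (src, sport, dport) flows that sent a SYN
    handshake = set()             # sources that followed a SYN with a plain ACK
    for line in log_text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        flags = set(m.group(4).split())
        flow = (src, sport, dport)
        if "SYN" in flags and "ACK" not in flags:
            syn_ports[src].add(dport)
            pending.add(flow)
        elif "ACK" in flags and not flags & {"SYN", "RST"} and flow in pending:
            # The sender answered our SYN-ACK, so it can receive at this address.
            handshake.add(src)
    return {
        src: ("report" if src in handshake else "drop-only")
        for src, ports in syn_ports.items()
        if len(ports) >= min_ports  # one or two ports looks like an ordinary client
    }
```

A handshake can only be observed on a port that actually answers, so sources that are dropped on first contact will always land in `drop-only`.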
    • @chihcherng said:
      Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

      Brilliant! I can add this to my AWS blocks. Made my weekend. :)

      redacted

    • jsg Member
      edited October 5

      What @jar said, plus sometimes people do port scans to check out something in the "white sense" (e.g. verify that some ports are or are not open, check one's provider for a decent config/network, etc.) but most port scans are highly likely from grey to black scripts or (rarely) people.

      But: all of that doesn't matter and is the wrong perspective. The correct perspective is to realize that port scans are not illegal (for good technical reasons) and that they are a reality anyway, even if they were illegal.

      TL;DR Don't care, just be sure your config is sane and your system is set up properly.

      Thanked by 3 jar dahartigan ralph