What you do with port scans

All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

What's your take?

Comments

  • sometimes ... sometimes I scan their ports ...

    Portscanning intensifies ...

  • @jbuggie said:
    I'm not sure if the time spent reporting them would do any good.
    What's your take?

    Thanked by 1: cybertech
  • Three Words ..... Yeti Hit Squad.

    Thanked by 1: ITLabs
  • jarjar Patron Provider, Top Host, Veteran

    Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

    Thanked by 3: grep, uptime, jsg
  • DPDP Administrator, The Domain Guy

    Sometimes it just reminds me to do it myself, on my servers and see what's up :)

    Thanked by 2: uptime, ehab
  • jackb Member, Host Rep
    edited October 2019

    @jar said:
    Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.

    That was a positive thing but most portscanning isn't.

    Usually it's trying to break into a system for malicious use. If properly secured it's no biggie but still something to be conscious of.

    E.g. I've been able to pre-empt various DDoS attack vectors over the years by occasionally checking out what's getting flagged in terms of abnormal traffic. Usually the reflection vectors will find out before most targets.

    Thanked by 1: AlwaysSkint
  • Researching or not, I consider port scanning a form of aggression. It's relatively simple to drop all traffic from the source of a port scan upon detection, so all it can see is a closed box. That's why I did not bother to report. However, most of these are malicious scans based on the services they try to find, mostly Microsoft-related stuff. I suspect they are zombie PCs or VPS boxes.

    Thanked by 2: Janevski, AlwaysSkint
  • Those who scan most need to be added to a permanent block list. That's what I do. Sometimes.

  • rcxb Member
    edited October 2019

    The really bad actors do distributed port scanning, so you're less likely to notice it, and there's no individual IP address to block. Those just nmap'ing your node are probably pretty innocent and just saying "Hello". Sure, criminals might knock on your door, but far more often it's just nosy neighbors...

  • jbuggie said: I consider port scanning a form of aggression.

    It's sexual harassment.

  • Researching or not, I consider port scanning a form of aggression.

    You should probably stop using the Internet

  • I would unplug the Ethernet cable from the VPS.

    Excuse me while I locate the port.

    Thanked by 1: uptime
  • AlwaysSkint Member
    edited October 2019

    iptables -I INPUT 1 -s 185.xxx.xxx.0/24 ! -d 185.xxx.xxx.my_ip -m comment --comment "Noisy neighbours" -j INVDROP
    iptables -I INPUT 1 -s 185.xxx.xxx.255 ! -s 185.xxx.xxx.gateway_ip -m comment --comment "Noisy neighbours" -j INVDROP

    Replace INVDROP with REJECT, to double the internal network crud, until the provider wakes up and bans the feckers.

    Thanked by 1: reikuzan
  • Jord Moderator, Host Rep

    When someone portscans me, I portscan them right back. They soon get fed up.

    Thanked by 1: AlwaysSkint
  • @Jord said:
    When someone portscans me, I portscan them right back. They soon get fed up.

    As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

  • Jord Moderator, Host Rep

    @AlwaysSkint said:

    @Jord said:
    When someone portscans me, I portscan them right back. They soon get fed up.

    As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead! :wink:

    That's what makes it fun sir, someone is getting BANGED BANNED :D

  • @jbuggie said:
    All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.

    What's your take?

    If you can be sure about the correctness of those source IPs (for example, through TCP's 3-way handshake), you can report them. They are likely to be compromised computers. Reporting them lets the owners have a chance to clean up their computers.
    Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

    Thanked by 1: AlwaysSkint
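An added example, not code from anyone in this thread, of the triage the posts above describe: chihcherng's point that a source is only worth reporting or blocking once it has completed a TCP three-way handshake (a bare SYN can carry any spoofed address), and rcxb's point that a scan spread across many neighbouring hosts leaves no single IP to block, so sources also need to be grouped per /24. The record format, the thresholds, the function names and the sample lines are all constructed for the example and are not any real tool's output.

```python
"""Triage port-scan sources from inbound TCP packet records (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed record format, one inbound packet per line:
# <timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> flags=<tcp flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

PORT_THRESHOLD = 5      # distinct ports one source must touch to count as a scanner
NET_HOSTS = 3           # distinct hosts in a /24 before the subnet is looked at
NET_PORT_THRESHOLD = 5  # distinct ports across that /24 to call it a distributed scan

# Constructed sample input; 203.0.113.5 plays the role of our own VPS.
SAMPLE_LINES = [
    # single host sweeping six ports, and completing the handshake on 22
    "2019-10-12T03:14:07 198.51.100.23:40001 -> 203.0.113.5:21 flags=S",
    "2019-10-12T03:14:07 198.51.100.23:40002 -> 203.0.113.5:22 flags=S",
    "2019-10-12T03:14:07 198.51.100.23:40002 -> 203.0.113.5:22 flags=A",
    "2019-10-12T03:14:08 198.51.100.23:40003 -> 203.0.113.5:23 flags=S",
    "2019-10-12T03:14:08 198.51.100.23:40004 -> 203.0.113.5:25 flags=S",
    "2019-10-12T03:14:08 198.51.100.23:40005 -> 203.0.113.5:80 flags=S",
    "2019-10-12T03:14:09 198.51.100.23:40006 -> 203.0.113.5:443 flags=S",
    # SYN-only sweep that never completes a handshake: address may be spoofed
    "2019-10-12T04:00:01 192.0.2.77:51000 -> 203.0.113.5:22 flags=S",
    "2019-10-12T04:00:01 192.0.2.77:51001 -> 203.0.113.5:80 flags=S",
    "2019-10-12T04:00:01 192.0.2.77:51002 -> 203.0.113.5:443 flags=S",
    "2019-10-12T04:00:02 192.0.2.77:51003 -> 203.0.113.5:445 flags=S",
    "2019-10-12T04:00:02 192.0.2.77:51004 -> 203.0.113.5:3389 flags=S",
    "2019-10-12T04:00:02 192.0.2.77:51005 -> 203.0.113.5:8080 flags=S",
    # four hosts in our own /24 ("noisy neighbours"), each touching a port or two
    "2019-10-12T05:10:00 203.0.113.10:33001 -> 203.0.113.5:445 flags=S",
    "2019-10-12T05:10:01 203.0.113.11:33002 -> 203.0.113.5:139 flags=S",
    "2019-10-12T05:10:01 203.0.113.11:33003 -> 203.0.113.5:3389 flags=S",
    "2019-10-12T05:10:02 203.0.113.12:33004 -> 203.0.113.5:1433 flags=S",
    "2019-10-12T05:10:02 203.0.113.12:33005 -> 203.0.113.5:135 flags=S",
    "2019-10-12T05:10:03 203.0.113.13:33006 -> 203.0.113.5:80 flags=S",
    # ordinary client: one port, handshake completed
    "2019-10-12T06:00:00 198.51.100.200:55123 -> 203.0.113.5:443 flags=S",
    "2019-10-12T06:00:00 198.51.100.200:55123 -> 203.0.113.5:443 flags=A",
    "this line does not match the record format and is skipped",
]


def parse_records(lines):
    """Parse the constructed format; unparseable lines are ignored."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"src": m["src"], "sport": int(m["sport"]),
                            "dport": int(m["dport"]), "flags": m["flags"]})
    return records


def summarize(records):
    """Per source: the set of ports probed, and whether any handshake completed."""
    ports = defaultdict(set)
    syn_seen = set()   # (src, sport, dport) tuples that sent a SYN
    completed = set()  # sources that later sent the bare ACK finishing that handshake
    for r in records:
        key = (r["src"], r["sport"], r["dport"])
        if r["flags"] == "S":
            syn_seen.add(key)
            ports[r["src"]].add(r["dport"])
        elif r["flags"] == "A" and key in syn_seen:
            completed.add(r["src"])  # third step of the handshake: the address is real
    return ports, completed


def classify(lines):
    """Return (per-source verdicts, /24 subnets that look like distributed scans)."""
    ports, completed = summarize(parse_records(lines))
    verdicts = {}
    for src, dports in ports.items():
        if len(dports) >= PORT_THRESHOLD:
            verdicts[src] = "verified-scanner" if src in completed else "unverified-scanner"
    by_net = defaultdict(lambda: (set(), set()))  # net -> (hosts, ports)
    for src, dports in ports.items():
        hosts, nports = by_net[ipaddress.ip_network(f"{src}/24", strict=False)]
        hosts.add(src)
        nports.update(dports)
    distributed = {str(net): sorted(hosts) for net, (hosts, nports) in by_net.items()
                   if len(hosts) >= NET_HOSTS and len(nports) >= NET_PORT_THRESHOLD}
    return verdicts, distributed


def blocklist(verdicts):
    """Only handshake-verified scanners go on a permanent block list."""
    return sorted(src for src, v in verdicts.items() if v == "verified-scanner")


if __name__ == "__main__":
    verdicts, distributed = classify(SAMPLE_LINES)
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:16} {verdict}")
    for net, hosts in distributed.items():
        print(f"{net:16} distributed scan from {len(hosts)} hosts")
    print("block:", ", ".join(blocklist(verdicts)))
```

The unverified source is deliberately kept off the block list: a SYN-only sweep can be spoofed, so blocking or reporting it on sight may hit an innocent third party, which is exactly the doubt about "correctness of those source IPs" raised above. The subnet check is what catches the distributed case, where no single address crosses the per-source threshold.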
  • @chihcherng said:
    Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know the IPs used by BinaryEdge could be found at https://api.binaryedge.io/v1/minions

    Brilliant! I can add this to my AWS blocks. Made my weekend. :)

  • jsg Member, Resident Benchmarker
    edited October 2019

    What @jar said, plus sometimes people do port scans to check out something in the "white sense" (e.g. verify that some ports are or are not open, check one's provider for a decent config/network, etc.), but most port scans are highly likely from grey to black scripts or (rarely) people.

    But: all of that doesn't matter and is the wrong perspective. The correct perspective is to realize that port scans are not illegal (for good technical reasons) and that they are a reality anyway, even if they were illegal.

    TL;DR Don't care, just be sure your config is sane and your system is set up properly.

    Thanked by 3: jar, dahartigan, ralph