Do you freak out over port scans?

raindog308 Administrator

When I set up a VPS (or reinstall) I always do a port scan from another just to be sure there are no ports open that I'm not expecting.

I had an idea to do a script that port scanned once a night, and then reported any diffs.

Someone told me this isn't a good idea, because some providers would see that as an attack.

To be clear, I'm port scanning from one VPS I rent to another, though the provider might not be able to know that, and doing it on a daily frequency (maybe).

I realize I could ask the individual provider(s) but I was curious what the community/general provider attitude here is.

Thanked by 1emg

Comments

  • ehab Member
    edited January 2016

    maybe once a week is fine! but how about the other way around. within the vps you check the open/listening ports using a cronjob if there is a diff then just post/email to you for attention.

    ps. not a provider

  • AnthonySmith Member
    edited January 2016

    I would not care at all, port scanning is not a big deal on servers/IP's in your control, the issue starts when you start port scanning entire /24's+

  • jarjar Member, Patron Provider

    Not even a little :)

    Thanked by 1HostingSpecialists
  • nmap -sL -n 0.0.0.0/0

  • 0xdragon said: nmap -sL -n 0.0.0.0/0

    That wouldn't produce any network activity at all. Do you even know how the software works?

    Thanked by 3GCat Mark_R Amitz
  • Scanning is not illegal and not really questionable either if we put an analogy IRL - Knocking on other doors and seeing if someone responds is annoying but not illegal (in most countries, at least here in AT & DE). It's one catch you sign up with getting a dedicated IP natively routed to your server without any FW/NAT.

  • Simply no. Unless clients on our side begin an amp scan, that somewhat triggers my alarm often.

    But as @ehab said, put a cornjob then diff is fine for yourself's sake, to do less work.
    2016 is a new automation year for you dude.

  • @kcaj said:
    That wouldn't produce any network activity at all. Do you even know how the software works?

    Yes, I know. It just lists all the possible IPs in the IPv4 address space. That was part of the joke... Oh whatever.

  • Can't see it being a problem.

    The only people that get upset are those numpties that tail -f syslog, see a port scan, and start firing off abuse emails that they are "under attack".

  • Always ask before scanning your ports, i saw few providers from DE blocking accounts without re-fund etc.. netstat can give you open ports anyway no need for more.

  • ZEROF said: i saw few providers from DE blocking accounts without re-fund

    Blocking accounts without refund for occasional receive of a port scan to an ip? Those providers should not be used. If they kick out a client for this, imagine the other reasons they can use to kick out a client...

    Thanked by 1HostingSpecialists
  • @jvnadr I can only agree with you, but reality is something else, check https://nmap.org/book/legal-issues.html, from 2008 few friends and clients moved their business from Germany and England because of that.

    Thanked by 1jvnadr
  • raindog308 Administrator

    ehab said: within the vps you check the open/listening ports using a cronjob if there is a diff then just post/email to you for attention.

    I have a couple things where there's an external firewall in between that may translate public-facing port to what hits the box (e.g., Azure). Usually I make them the same but...something I'd want to add to my nightly checks :-)

  • emg Member
    edited January 2016

    No. I do not freak out when I see random port scans on my systems. I do not like them either. I cannot think of any legitimate justification for an outsider to run a broad port scan against any of my systems, unless invited by me or possibly my provider, who should have sent prior notice to me first.

    I said "broad port scan" to eliminate those who might be performing narrow searches for services that are clearly intended for use by the general public, such as HTTP, HTTPS, and FTP. If someone is scanning ports generally intended for private connections (example: port 3389 for Windows Remote Desktop) or scanning random unregistered ports, I assume that they are up to no good.

    Sure, it could be a valid researcher gathering information about how many systems offer certain services or are exposed to a certain vulnerability. Those types of scans are narrowly focused and very very rare. I assume that the vast majority of port scans that come to my systems are attackers probing for vulnerabilities.

    I do not send cease and desist notices to anyone who port scans one of my systems. It is a waste of time.

    I run broad port scans from time to time, but only on systems or networks where I have explicit prior authorization.

    Some of my VPS providers prohibit port scans in their acceptable use policies or terms of service. I used to ask for permission by opening a ticket with the provider first, and let them know that it was specific to a few systems where I have explicit permission. They always said OK. Now I don't bother because I felt it was a nuisance to the provider. I wish they would say "unauthorized port scans" in their AUPs and ToSs to make it more clear.

    I like @raindog308's idea of automating port scans as a security measure.

  • How do providers detect port scans? How would I, as a VPS operator, detect one?

    I do run a daily OpenVAS (nessus) deep vulnerability scan on all my VPS servers, and some other systems. (Which does actually try exploits). Never received a complaint.

  • Nyr Member, Community Contributor
    edited January 2016

    I couldn't care less about getting port scanned. And it would happen anyway even if I did care, so...

    @Raymii said:
    How do providers detect port scans?

    Providers don't care if you scan some of your servers, but many will do if you scan large parts of the Internet and some (stupid) networks send them abuse email.

    @ZEROF said:
    Always ask before scanning your ports, i saw few providers from DE blocking accounts without re-fund etc..

    It was me with the old brand of Dedify which name I don't remember. But I scanned some large subnets, not my personal servers.

  • @lifehome said:
    But as ehab said, put a cornjob then diff is fine for yourself's sake, to do less work.

    Sounds tasty

    Thanked by 2Infinity lifehome
  • raindog308 Administrator

    Raymii said: How do providers detect port scans? How would I, as a VPS operator, detect one?

    Pretty sure CSF or one of the standard firewalls can pick this up at the host level. It's certainly possible in iptables.
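
Added example, not part of any post in this thread: one way to spot a scan at the host level is to count distinct destination ports per source in firewall logs. It assumes an iptables LOG rule already writes dropped packets to the kernel log with `SRC=` and `DPT=` fields; the sample lines, addresses and threshold are constructed.

```shell
#!/bin/sh
# Added example: list sources that touched many distinct ports.
# Reads iptables LOG lines on stdin; prints "source distinct-port-count".
# Usage on a real host (log path is an assumption): scan_sources 10 < /var/log/kern.log
scan_sources() {
    awk -v thr="${1:-10}" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next        # no port info (e.g. ICMP) or unrelated line
        # Count each (source, port) pair once: repeated hits on one port
        # are retries or brute force, not a scan.
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | LC_ALL=C sort
}

# Constructed sample (documentation addresses), trimmed to the relevant fields.
sample_log() {
    for p in 21 22 23 25 80; do
        echo "Jan 10 03:12:01 vps kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=$p SYN"
    done
    for n in 1 2 3; do
        echo "Jan 10 03:15:0$n vps kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5100$n DPT=22 SYN"
    done
    echo "Jan 10 03:16:00 vps kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53000 DPT=53"
    echo "Jan 10 03:17:00 vps kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0"
}

sample_log | scan_sources 5      # prints: 203.0.113.5 5
```
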

  • I always do:
    netstat -taupen

  • @Anna_Parker said:
    I always do:
    netstat -taupen

    I prefer netstat -plunt easier to remember :P You just don't get Inode or User ID.

  • Ikoula Member, Host Rep

    Hello,

    To me if your port scan does not eat all your bandwidth there is no problem, if you still have a doubt you can contact your provider's support and ask them.

    As said by Anna_Parker and ATHK you can also use netstat, maybe you could set up a cron that produces a netstat result sent by mail.
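
Added example, not part of any post in this thread: a cron-driven version of the check ehab and Ikoula describe, snapshotting `netstat -plunt` and reporting only what changed. The baseline path and the `run` argument are assumptions.

```shell
#!/bin/sh
# Nightly listening-socket diff (added example; paths and names are assumptions).
BASELINE="${BASELINE:-/var/lib/portdiff/baseline.txt}"   # hypothetical location

# Reduce `netstat -plunt` output (stdin) to sorted "proto local-address" lines.
# The PID/program column is dropped on purpose: PIDs change on every restart
# and would turn each service restart into a false alarm.
normalize() {
    awk '$1 ~ /^(tcp|udp)/ { print $1, $4 }' | LC_ALL=C sort -u
}

# Print "+ line" for listeners that appeared and "- line" for ones that vanished.
# Returns 0 when the two snapshots match, 1 when they differ.
report_changes() {
    old="$1"; new="$2"
    changes=$( { LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+ /'
                 LC_ALL=C comm -23 "$old" "$new" | sed 's/^/- /'; } )
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Cron entry point: portdiff.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp) || exit 2
    netstat -plunt 2>/dev/null | normalize > "$tmp"
    if [ ! -f "$BASELINE" ]; then
        # First run: record the baseline and stay silent.
        mkdir -p "$(dirname "$BASELINE")" && mv "$tmp" "$BASELINE"
        exit 0
    fi
    # cron mails whatever a job prints, so print only when something changed.
    # The baseline is left untouched: the alert repeats until it is reviewed
    # and replaced by hand.
    report_changes "$BASELINE" "$tmp" || echo "listening sockets changed on $(hostname)"
    rm -f "$tmp"
fi
```

This sees only what the box itself is listening on; as raindog308 notes above, a port translated by an external firewall still needs a check from outside.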

  • emg Member

    I just found this T-shirt design and wanted to share:

    https://www.zerodayclothing.com/products/portscanning/portscanning.php


    Thanked by 1Amitz
  • Rookie question but is there a service / script that can be run that would alert ( email ) the server admin should a port scan be detected. I was reading up on PSAD but not sure if that ticks all the boxes.

  • Any idea why tcp/udp 56409 are so popular with people scanning online.net subnets? There's been a lot of noise on my dedibox lately but I have nothing listening on those ports.
