Do you freak out over port scans?
raindog308
Administrator, Veteran
in General
When I set up a VPS (or reinstall) I always do a port scan from another just to be sure there are no ports open that I'm not expecting.
I had an idea to do a script that port scanned once a night, and then reported any diffs.
Someone told me this isn't a good idea, because some providers would see that as an attack.
To be clear, I'm port scanning from one VPS I rent to another, though the provider might not be able to know that, and doing it on a daily frequency (maybe).
I realize I could ask the individual provider(s) but I was curious what the community/general provider attitude here is.
Comments
Maybe once a week is fine! But how about the other way around: within the VPS you check the open/listening ports using a cronjob, and if there is a diff then just post/email it to you for attention.
ps. not a provider
I would not care at all, port scanning is not a big deal on servers/IPs in your control; the issue starts when you start port scanning entire /24s+.
Not even a little
nmap -sL -n 0.0.0.0/0
That wouldn't produce any network activity at all. Do you even know how the software works?
Scanning is not illegal and not really questionable either if we put an analogy IRL - knocking on other doors and seeing if someone responds is annoying but not illegal (in most countries, at least here in AT & DE). It's one catch you sign up for when getting a dedicated IP natively routed to your server without any FW/NAT.
Simply no. Unless clients on our side begin an amp scan; that somewhat triggers my alarm often.
But as @ehab said, putting a cronjob and then diffing is fine for your own sake, to do less work.
2016 is a new automation year for you dude.
Yes, I know. It just lists all the possible IPs in the IPv4 address space. That was part of the joke... Oh whatever.
Can't see it being a problem.
The only people that get upset are those numpties that tail -f syslog, see a port scan, and start firing off abuse emails that they are "under attack".
Always ask before scanning your ports; I saw a few providers from DE blocking accounts without refund etc. netstat can give you open ports anyway, no need for more.
Blocking accounts without refund for occasionally receiving a port scan to an IP? Those providers should not be used. If they kick out a client for this, imagine the other reasons they can use to kick out a client...
@jvnadr I can only agree with you, but reality is something else; check https://nmap.org/book/legal-issues.html. From 2008 a few friends and clients moved their business from Germany and England because of that.
I have a couple things where there's an external firewall in between that may translate public-facing port to what hits the box (e.g., Azure). Usually I make them the same but...something I'd want to add to my nightly checks :-)
No. I do not freak out when I see random port scans on my systems. I do not like them either. I cannot think of any legitimate justification for an outsider to run a broad port scan against any of my systems, unless invited by me or possibly my provider, who should have sent prior notice to me first.
I said "broad port scan" to eliminate those who might be performing narrow searches for services that are clearly intended for use by the general public, such as HTTP, HTTPS, and FTP. If someone is scanning ports generally intended for private connections (example: port 3389 for Windows Remote Desktop) or scanning random unregistered ports, I assume that they are up to no good.
Sure, it could be a valid researcher gathering information about how many systems offer certain services or are exposed to a certain vulnerability. Those types of scans are narrowly focused and very, very rare. I assume that the vast majority of port scans that come to my systems are attackers probing for vulnerabilities.
I do not send cease and desist notices to anyone who port scans one of my systems. It is a waste of time.
I run broad port scans from time to time, but only on systems or networks where I have explicit prior authorization.
Some of my VPS providers prohibit port scans in their acceptable use policies or terms of service. I used to ask for permission by opening a ticket with the provider first, and let them know that it was specific to a few systems where I have explicit permission. They always said OK. Now I don't bother because I felt it was a nuisance to the provider. I wish they would say "unauthorized port scans" in their AUPs and ToSs to make it more clear.
I like @raindog308's idea of automating port scans as security measure.
How do providers detect port scans? How would I, as a VPS operator, detect one?
I do run a daily OpenVAS (Nessus) deep vulnerability scan on all my VPS servers, and some other systems (which does actually try exploits). Never received a complaint.
I couldn't care less about getting port scanned. And it would happen anyway even if I did care, so...
Providers don't care if you scan some of your servers, but many will do if you scan large parts of the Internet and some (stupid) networks send them abuse email.
It was me with the old brand of Dedify whose name I don't remember. But I scanned some large subnets, not my personal servers.
Sounds tasty
Pretty sure CSF or one of the standard firewalls can pick this up at the host level. It's certainly possible in iptables.
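One way a VPS operator can do the host-level detection asked about above, added here as an example and not code from the thread, from PSAD or from CSF. It assumes an iptables LOG rule for new inbound TCP connections (the rule quoted in the comment is the assumed one) and reads the resulting kernel log lines, counting how many distinct destination ports each source address has touched; the sample log lines are constructed:

```shell
#!/bin/sh
# scanwatch.sh: added example, not the thread's code. Counts distinct
# destination ports per source in iptables LOG lines and reports sources
# that touched at least THRESHOLD ports, which is what a port scan looks
# like from the receiving host. Assumed log rule producing the lines
# (rate-limited so a scan cannot flood the log):
#   iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW \
#     -m limit --limit 10/s -j LOG --log-prefix "PORTWATCH: "
export LC_ALL=C

# Read log lines on stdin; print "source distinct_port_count" for every
# source whose distinct DPT count reaches the threshold given as $1.
flag_scanners() {
  awk -v thr="$1" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next      # not a LOG line we understand
      if (!((src, dpt) in seen)) {          # count each (src, port) pair once
        seen[src, dpt] = 1
        ports[src]++
      }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

# Constructed sample: one host sweeping eight ports, one web visitor, one
# SSH user, plus an unrelated kernel line. Addresses are from the RFC 5737
# documentation ranges.
sample_log() {
  cat <<'EOF'
Jan  5 03:12:44 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Jan  5 03:12:44 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jan  5 03:12:44 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Jan  5 03:12:45 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jan  5 03:12:45 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=25 SYN URGP=0
Jan  5 03:12:45 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Jan  5 03:12:46 vps kernel: eth0: link becomes ready
Jan  5 03:12:46 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=60010 DPT=22 SYN URGP=0
Jan  5 03:12:46 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40006 DPT=443 SYN URGP=0
Jan  5 03:12:47 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Jan  5 03:12:47 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40007 DPT=3389 SYN URGP=0
Jan  5 03:12:48 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
Jan  5 03:12:48 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=60011 DPT=22 SYN URGP=0
Jan  5 03:12:49 vps kernel: PORTWATCH: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40008 DPT=8080 SYN URGP=0
EOF
}

# Run stand-alone as `scanwatch.sh demo` to flag sources that probed five
# or more distinct ports in the constructed sample.
case "${1:-}" in
  demo) sample_log | flag_scanners 5 ;;
esac
```

On a real host the input would come from the kernel log instead of `sample_log`, for example `journalctl -k --since -10min | flag_scanners 5` from a cron job; because cron mails any output, a non-empty result is the alert. The threshold is the whole tuning knob: a legitimate visitor touches one or two ports, a sweep touches many, so a low threshold catches slow scans at the cost of more noise.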
I always do:
netstat -taupen
I prefer
netstat -plunt
easier to remember :P You just don't get Inode or User ID.
Hello,
To me, if your port scan does not eat all your bandwidth there is no problem; if you still have a doubt you can contact your provider's support and ask them.
As said by Anna_Parker and ATHK you can also use netstat; maybe you could set up a cron that produces a netstat result sent by mail.
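A worked version of the cron-and-diff idea suggested here and earlier in the thread (check the listening ports from inside the VPS and mail only the changes), added as an example and not code posted by anyone in the thread. It assumes iproute2 `ss` (falling back to `netstat -tuln`), a writable state directory `/var/lib/portwatch` (an assumed path, overridable with `PORTWATCH_STATE_DIR`), and cron's default behaviour of mailing any output to the admin:

```shell
#!/bin/sh
# portwatch.sh: added example, not the thread's code. Snapshot the host's
# listening sockets, normalise them to "proto/port", diff against the stored
# baseline and print only the changes, so cron mails you only on a change.
export LC_ALL=C
STATE_DIR="${PORTWATCH_STATE_DIR:-/var/lib/portwatch}"   # assumed location

# Turn raw `ss -Hltun` or `netstat -tuln` output into sorted, unique
# "proto/port" lines such as "tcp/22". Reads stdin, writes stdout.
# Works for both tools: the first column is the protocol (tcp, udp, tcp6 ...)
# and the first column ending in ":<digits>" is the local address:port.
normalize_ports() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; sub(/6$/, "", proto)
      for (i = 2; i <= NF; i++) {
        if ($i ~ /:[0-9]+$/) {
          n = split($i, a, ":")   # last element survives "[::]:22" and "*:22"
          print proto "/" a[n]
          break
        }
      }
    }' | sort -u
}

# Capture what is listening right now, from ss or netstat, normalised.
snapshot_ports() {
  if command -v ss >/dev/null 2>&1; then
    ss -Hltun
  else
    netstat -tuln
  fi | normalize_ports
}

# Print "+proto/port" for newly listening ports and "-proto/port" for ports
# that went away, given two normalised files. Returns 0 when identical,
# non-zero when something changed.
diff_ports() {
  comm -13 "$1" "$2" | sed 's/^/+/'
  comm -23 "$1" "$2" | sed 's/^/-/'
  cmp -s "$1" "$2"
}

# Cron entry point: create the baseline on first run, otherwise report the
# diff. The new state is then accepted as the baseline so the next run
# reports only further changes; returns 1 when a change was printed.
check_ports() {
  mkdir -p "$STATE_DIR"
  baseline="$STATE_DIR/baseline.txt"
  current="$STATE_DIR/current.txt"
  snapshot_ports > "$current"
  if [ ! -f "$baseline" ]; then
    mv "$current" "$baseline"
    echo "portwatch: baseline created with $(wc -l < "$baseline") listening ports"
    return 0
  fi
  if diff_ports "$baseline" "$current"; then
    rm -f "$current"
    return 0
  fi
  mv "$current" "$baseline"
  return 1
}

# Only run the check when invoked as `portwatch.sh run`, e.g. from cron.
case "${1:-}" in
  run) check_ports ;;
esac
```

Run it once by hand right after provisioning so the baseline is the state you actually verified, then add a cron line such as `0 3 * * * /usr/local/sbin/portwatch.sh run` with `MAILTO` set; the mail arrives only when a port appears or disappears. Because it looks at the sockets from inside the box it also sees services bound to localhost, which a remote scan would miss, and it never sends a packet to anyone.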
I just found this T-shirt design and wanted to share:
https://www.zerodayclothing.com/products/portscanning/portscanning.php
Rookie question, but is there a service / script that can be run that would alert (email) the server admin should a port scan be detected? I was reading up on PSAD but not sure if that ticks all the boxes.
Any idea why tcp/udp 56409 are so popular with people scanning online.net subnets? There's been a lot of noise on my dedibox lately but I have nothing listening on those ports.