New on LowEndTalk? Please Register and read our Community Rules.
What you do with port scans
All of my VPSes get a lot of port scans daily. As of now, the source IPs are just auto-dropped and I get a daily report of these scans with complete WHOIS data, but I don't normally do anything with them. I'm not sure if the time spent reporting them would do any good.
What's your take?
Comments
sometimes ... sometimes I scan their ports ...
Portscanning intensifies ...
Three Words ..... Yeti Hit Squad.
Nothing. Port scans should only bother you if you're scared that you've made a mistake, and you can check that anytime. Many of these are security researchers gathering metrics, and those metrics drive industry concerns. If you recall the big "OMG look how many people have redis on 0.0.0.0" freak out, it was because of port scans that we were able to know the depth of the problem, and that was a positive thing for us all to learn.
Sometimes it just reminds me to do it myself, on my servers and see what's up
That was a positive thing but most portscanning isn't.
Usually it's trying to break into a system for malicious use. If properly secured it's no biggie but still something to be conscious of.
E.g. I've been able to pre-empt various DDoS attack vectors over the years by occasionally checking out what's getting flagged in terms of abnormal traffic. Usually the reflection vectors will find out before most targets.
Researching or not, I consider port scanning a form of aggression. It's relatively simple to drop all traffic from the source of a port scan upon detection so all it can see is a closed box. That's why I did not bother to report. However, most of these are malicious scans based on the services they try to find, mostly Microsoft-related stuff. I suspect they are zombie PCs or VPS boxes.
Those who scan the most need to be added to a permanent block list. That's what I do. Sometimes.
The really bad actors do distributed port scanning, so you're less likely to notice it, and there's no individual IP address to block. Those just nmap'ing your node are probably pretty innocent and just saying "Hello". Sure, criminals might knock on your door, but far more often it's just nosy neighbors...
It's sexual harassment.
You should probably stop using the Internet
I would unplug the Ethernet cable from the VPS.
Excuse me while I locate the port.
Replace INVDROP with REJECT, to double the internal network crud, until the provider wakes up and bans the feckers.
When someone portscans me, I portscan them right back. They soon get fed up.
As per REJECT, serves the same purpose. Do unto them as they do to you - though likely you will get banned instead!
That's what makes it fun sir, someone is getting BANGED BANNED
If you can be sure about the correctness of those source IPs (for example, through TCP's 3-way handshake), you can report them. They are likely to be compromised computers. Reporting them lets the owners have a chance to clean up their computers.
Some security researchers do perform port scanning, but you won't know that if you don't report them first. That's how I got to know that the IPs used by BinaryEdge can be found at https://api.binaryedge.io/v1/minions
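One way to turn a daily scan report into something you can act on, combining the handshake test from this comment with the distributed-scan point raised earlier in the thread. This is an added example, not code from the thread: the netfilter-style log lines are constructed, the INVDROP/ACCEPT prefixes and the /24 grouping are assumptions, and a "pure ACK" from a source is taken as evidence that it completed a handshake and is therefore a real, unspoofed address.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed netfilter-style LOG lines (not from the thread), trimmed to the fields used.
SAMPLE_LOG = """\
kernel: INVDROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=445 SYN
kernel: INVDROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=3389 SYN
kernel: INVDROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=135 SYN
kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=22 ACK
kernel: INVDROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=5000 DPT=23 SYN
kernel: INVDROP IN=eth0 SRC=192.0.2.11 DST=198.51.100.7 PROTO=TCP SPT=5000 DPT=445 SYN
kernel: INVDROP IN=eth0 SRC=192.0.2.12 DST=198.51.100.7 PROTO=TCP SPT=5000 DPT=3389 SYN
kernel: INVDROP IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=80 SYN
"""
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    # Pull source, destination port and the SYN/ACK flag words out of one line.
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dpt": int(m["dpt"]),
            "syn": re.search(r"\bSYN\b", line) is not None,
            "ack": re.search(r"\bACK\b", line) is not None}

def analyze(log_text, min_ports=3):
    """Return (scanners, clusters): single IPs that hit >= min_ports distinct
    ports ('confirmed' once a pure ACK shows they finished a handshake, so the
    address is not spoofed) and /24s that cross the threshold only in aggregate."""
    per_ip = defaultdict(lambda: {"ports": set(), "confirmed": False})
    per_net = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["syn"] and not rec["ack"]:
            per_ip[rec["src"]]["ports"].add(rec["dpt"])
            net = ip_network(rec["src"] + "/24", strict=False)
            per_net[str(net)].add(rec["dpt"])
        elif rec["ack"] and not rec["syn"]:
            per_ip[rec["src"]]["confirmed"] = True
    scanners = {ip: e for ip, e in per_ip.items() if len(e["ports"]) >= min_ports}
    clusters = {net: ports for net, ports in per_net.items() if len(ports) >= min_ports
                and not any(ip_address(ip) in ip_network(net) for ip in scanners)}
    return scanners, clusters

def reportable(scanners):
    """Only handshake-confirmed sources are worth reporting; a SYN-only source may be spoofed."""
    return sorted(ip for ip, e in scanners.items() if e["confirmed"])
```

Running `analyze(SAMPLE_LOG)` on the constructed log flags 203.0.113.5 as a confirmed single-source scanner and 192.0.2.0/24 as a distributed cluster where no one address would have crossed the threshold, while the lone SYN to port 80 is ignored.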
Brilliant! I can add this to my AWS blocks. Made my weekend.
What @jar said, plus sometimes people do port scans to check out something in the "white sense" (e.g. verify that some ports are or are not open, check one's provider for a decent config/network, etc.), but most port scans are highly likely to be from grey to black scripts or (rarely) people.
But: all of that doesn't matter and is the wrong perspective. The correct perspective is to realize that port scans are not illegal (for good technical reasons) and that they are a reality anyway, even if they were illegal.
TL;DR Don't care, just be sure your config is sane and your system is set up properly.