Port Scans from Hostslick

I was browsing through my UFW logs this morning and noticed that I had hundreds of port scans coming from Hostslick's IP range. I went to look up their abuse contact information and came across "For Abuse Reports please see http://reportiphere.com". It has a link to be whitelisted, but is this legal?

Comments

  • AlwaysSkint Member
    edited September 2020

    They just add to the port scans that are allowed from all the other providers. :-( :-1:
    Hetzner, Aruba, OVH, Clouvider, et al.
    I haven't come across a single provider that takes port scanning seriously, even though their ToS often mentions it as being prohibited.

    UFW suggests Ubuntu on a server (why people use it beats me) - try replacing with CSF and block 'em all.

    Thanked by 1themew
  • I think most providers don't care about port scanning, sure it can be classified as abuse.

    But they normally got bigger abuse issues to worry about like phishing site and outgoing spam.

    Thanked by 1coreflux
  • ^ this.

  • user54321 Member
    edited September 2020

    If you don't want to be scanned run your servers in your LAN. The Internet is public and with that scans are to be expected and valid.

  • @user54321 said: and valid

    Nope.

    Thanked by 1maverickp
  • @AlwaysSkint said:

    @user54321 said: and valid

    Nope.

    Then maybe in your country it is not, but in mine it is, and the government does it and even sends you reports if they find vulnerabilities.

  • It used to be grounds for termination if a provider caught you port scanning.

  • What do you expect from a host that advertises on Nulled?

  • @Moofie said: What do you expect from a host that advertises on Nulled?

    Excuse me, what are you saying?

    Advertising on sites that promote nulled software is completely legal here. You can even distribute that nulled software here, it's also allowed.

    We're the bad guys, not them.

    (obvious /s, but the sad truth)

    Thanked by 2Moofie zafouhar
  • @SCAM_DONT_BUY said:

    @Moofie said: What do you expect from a host that advertises on Nulled?

    Excuse me, what are you saying?

    Advertising on sites that promote nulled software is completely legal here. You can even distribute that nulled software here, it's also allowed.

    We're the bad guys, not them.

    (obvious /s, but the sad truth)

    Quite funny that you say that
    I'm not against HostSlick, but I think they went a bit far with the advertising here.
    They are basically on every cracking forum.

  • Unless asked to do penetration testing, for example, there is no legitimate reason to scan, IMHumbleO.
    Seems many people don't care that their logs get filled with this sort of crap:

    [279212.793492] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=83.97.20.35 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=57702 DPT=23023 WINDOW=65535 RES=0x00 SYN URGP=0
    [279216.366523] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.86 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=52073 PROTO=TCP SPT=50326 DPT=1285 WINDOW=1024 RES=0x00 SYN URGP=0
    [279225.045234] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=103.27.237.5 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=17310 PROTO=TCP SPT=52360 DPT=31362 WINDOW=1024 RES=0x00 SYN URGP=0
    [279226.944482] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.83 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=65326 PROTO=TCP SPT=50399 DPT=7403 WINDOW=1024 RES=0x00 SYN URGP=0
    [279231.187480] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=192.35.169.45 DST=45.156.23.x LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=46045 PROTO=TCP SPT=2929 DPT=340 WINDOW=1024 RES=0x00 SYN URGP=0
    [279231.966655] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.86 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=62219 PROTO=TCP SPT=50326 DPT=1195 WINDOW=1024 RES=0x00 SYN URGP=0
    [279242.808929] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.83 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=42690 PROTO=TCP SPT=50399 DPT=7405 WINDOW=1024 RES=0x00 SYN URGP=0
    [279260.350832] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=77.252.18.186 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=22032 PROTO=TCP SPT=52463 DPT=9426 WINDOW=1024 RES=0x00 SYN URGP=0

  • It does not seem to me like common port-scanning. Those destination port numbers (unless you changed them) are not assigned to any common services. What could someone be looking for there?

  • @Moofie said:

    @SCAM_DONT_BUY said:

    @Moofie said: What do you expect from a host that advertises on Nulled?

    Excuse me, what are you saying?

    Advertising on sites that promote nulled software is completely legal here. You can even distribute that nulled software here, it's also allowed.

    We're the bad guys, not them.

    (obvious /s, but the sad truth)

    Quite funny that you say that
    I'm not against HostSlick, but I think they went a bit far with the advertising here.
    They are basically on every cracking forum.

    Link please..

  • @chocolateshirt said:

    @Moofie said:

    @SCAM_DONT_BUY said:

    @Moofie said: What do you expect from a host that advertises on Nulled?

    Excuse me, what are you saying?

    Advertising on sites that promote nulled software is completely legal here. You can even distribute that nulled software here, it's also allowed.

    We're the bad guys, not them.

    (obvious /s, but the sad truth)

    Quite funny that you say that
    I'm not against HostSlick, but I think they went a bit far with the advertising here.
    They are basically on every cracking forum.

    Link please..

    DMing

    Thanked by 1chocolateshirt
  • Is there a connection between hostslick and hostslim? It is very odd that hostslick has the same company naming scheme as host slim "(first two of first name + first three of surname) + investments", this makes no sense unless they are very tightly related.

    https://bgp.he.net/net/79.124.8.0/24#_whois

    https://bgp.he.net/net/103.219.154.0/24#_whois

    I receive many probes from this block too.

  • dragon1993 Member
    edited September 2020

    @AlwaysSkint said:
    They just add to the port scans that are allowed from all the other providers. :-( :-1:
    Hetzner, Aruba, OVH, Clouvider, et al.
    I haven't come across a single provider that takes port scanning seriously, even though their ToS often mentions it as being prohibited.

    UFW suggests Ubuntu on a server (why people use it beats me) - try replacing with CSF and block 'em all.

    Hetzner is strict. They suspend your server when it is used for port scanning.

  • @1606234 said: they are very tightly related.

    I would avoid anything that comes out of Lelystad Media Tower. It's HostSlayer's new base, and the hosts are in too good a relationship with each other. Not worth the risk when there are so many awesome products in Amsterdam.

  • @Jarry said: What could be someone looking for there?

    Was just a small section and only one VPS - happens worldwide. Usually random ports trying to find ssh etc. Sometimes common Windoze/plex and other crap are scanned for.

  • @dragon1993 said: Hetzner is strict

    Bollox! Why do you think I now have a specific Hetzner block? It's not up to intended victims to keep reporting scans - block at source, I say. It should be fairly trivial to detect port scanning by providers, if they were so inclined - especially when you see the frequency and range that are scanned.

  • @AlwaysSkint said:

    @dragon1993 said: Hetzner is strict

    Bollox! Why do you think I now have a specific Hetzner block? It's not up to intended victims to keep reporting scans - block at source, I say. It should be fairly trivial to detect port scanning by providers, if they were so inclined - especially when you see the frequency and range that are scanned.

    Why would it be easy? It's a threshold problem and you'd need to know the customer and volume of traffic to know how to set those limits. A lot of work, a lot of false positives.

  • AlwaysSkint Member
    edited September 2020

    @TimboJones said: It's a threshold problem and you'd need to know the customer and volume of traffic to know how to set those limits. A lot of work, a lot of false positives.

    Yet, incoming is relatively simple > 12 ports accessed in 60 seconds and something is amiss.
    Setting a high enough threshold would block a very large proportion of port scanners. An example, without any empirical testing might be 25 different outbound ports within 30 seconds, perhaps to more than 5 different IP addresses, for greater granularity.
    Why are so many VMs allowed to blast the (virtual) NICs of neighbours, with broadcast packets? If they want to legitimately access their own neighbouring VMs they should be targeted packets. It's an inherent issue with Windoze and media services and one of the things I don't like about webmin (though at least that's a manual process).

  • raindog308 Administrator, Veteran

    @Moofie said: DMing

    Can you DM me as well? I don't see anything on HostSlick's site about this, so I'd like to state publicly whether this is legit or not.

    Thanked by 2AlwaysSkint afn
  • @raindog308 said: Can you DM me as well? I don't see anything on HostSlick's site about this, so I'd like to state publicly whether this is legit or not.

    There is no need for any DMs, you can literally google for this.

    The problem is, there is absolutely no need to call anyone out on things like this, because there are way too many users here to defend their favourite hosts, whatever wrong they're doing.

    Thanked by 1AlwaysSkint
  • @AlwaysSkint said:

    @TimboJones said: It's a threshold problem and you'd need to know the customer and volume of traffic to know how to set those limits. A lot of work, a lot of false positives.

    Yet, incoming is relatively simple > 12 ports accessed in 60 seconds and something is amiss.
    Setting a high enough threshold would block a very large proportion of port scanners. An example, without any empirical testing might be 25 different outbound ports within 30 seconds, perhaps to more than 5 different IP addresses, for greater granularity.
    Why are so many VMs allowed to blast the (virtual) NICs of neighbours, with broadcast packets? If they want to legitimately access their own neighbouring VMs they should be targeted packets. It's an inherent issue with Windoze and media services and one of the things I don't like about webmin (though at least that's a manual process).

    Incoming to a single IP is dead easy and targeted. Outgoing to different places over time is harder.

    Just open a bit torrent connection and see hundreds of outgoing connections in seconds. You're not thinking of tons of valid use cases.

    What neighborhood traffic is blasting broadcast packets? Are you talking about kbps of traffic? Stuff that is blocked by default in a public firewall? Without specifics, hard to know what you're referring to that is such a problem.

  • Might be useful to add @HostSlick to the pool

    Thanked by 1Shamli
  • AlwaysSkint Member
    edited September 2020

    Just take a look at dmesg or grep /var/log/kernel.log, /var/log/messages for the .255 entries from your 'friendly' neighbours. Consuming resources just for the hell of it and filling up your logs.
    (I end up creating a custom IPtables entry with INVDROP)
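The two log-inspection ideas in this thread, the "> 12 ports accessed in 60 seconds" inbound rule from the earlier post and the grep for .255 broadcast entries just above, can be checked against CSF/kernel firewall lines in the format quoted earlier in the thread. The script below is an added example, not code from the thread or from any host mentioned in it. It assumes dmesg-style lines of the form `[uptime] Firewall: TCP_IN Blocked ... SRC=... DST=... PROTO=... DPT=...`; the sample lines, addresses and timestamps are constructed for the demonstration. It only looks at traffic arriving at one host, which is the easy case the thread agrees on; the outbound, per-customer version with its BitTorrent-style false positives is not attempted here.

```python
import re
from collections import defaultdict

# Matches the dmesg-style CSF lines quoted in the thread:
# "[uptime] Firewall: TCP_IN Blocked IN=eth0 ... SRC=a.b.c.d DST=... PROTO=TCP ... DPT=n ..."
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+Firewall:\s+(?P<chain>\S+)\s+Blocked\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return the key=value fields (plus 'ts' and 'chain') of one firewall line,
    or None for lines in another format (sshd, cron, ...) mixed into the same log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": float(m.group("ts")), "chain": m.group("chain")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def find_scanners(lines, window=60.0, max_ports=12):
    """Flag every SRC that touched more than max_ports distinct TCP destination ports
    inside any window-second span (the "> 12 ports in 60 seconds" rule from the thread).
    Returns {src: set of all distinct ports that source probed}."""
    by_src = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec and rec.get("PROTO") == "TCP" and "SRC" in rec and "DPT" in rec:
            by_src[rec["SRC"]].append((rec["ts"], int(rec["DPT"])))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most `window` seconds ending at events[end]
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({port for _, port in events[start:end + 1]}) > max_ports:
                flagged[src] = {port for _, port in events}
                break
    return flagged


def broadcast_noise(lines):
    """Count blocked packets per SRC whose DST is a .255 broadcast address
    (the neighbour chatter the post above suggests grepping the logs for)."""
    counts = defaultdict(int)
    for rec in (parse_line(l) for l in lines):
        if rec and rec.get("DST", "").endswith(".255"):
            counts[rec["SRC"]] += 1
    return dict(counts)


def _line(ts, src, dpt, proto="TCP", dst="192.0.2.10", chain="TCP_IN"):
    # Constructed sample line in the same field layout as the quoted CSF entries.
    flags = "SYN " if proto == "TCP" else ""
    return (f"[{ts:.6f}] Firewall: {chain} Blocked IN=eth0 OUT= "
            f"MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=1 PROTO={proto} SPT=50000 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags}URGP=0")


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = (
    # 15 distinct ports in 28 seconds: should be flagged
    [_line(1000.0 + i * 2.0, "203.0.113.7", 1000 + i) for i in range(15)]
    # 13 distinct ports but 30 s apart: never more than 3 in any 60 s window
    + [_line(2000.0 + i * 30.0, "192.0.2.99", 8000 + i) for i in range(13)]
    # repeated hits on three ports: noisy, but not a port scan by this rule
    + [_line(3000.0 + i * 5.0, "198.51.100.4", 22 + (i % 3)) for i in range(20)]
    # UDP broadcast chatter from a neighbour to the subnet's .255 address
    + [_line(4000.0 + i, "192.0.2.50", 137, proto="UDP", dst="192.0.2.255", chain="UDP_IN")
       for i in range(4)]
    # an unrelated line the parser must ignore
    + ["Sep 13 10:00:00 host sshd[4242]: Accepted publickey for admin from 198.51.100.9"]
)

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"probable scanner {src}: {len(ports)} distinct ports, e.g. {sorted(ports)[:5]}")
    for src, n in broadcast_noise(SAMPLE_LOG).items():
        print(f"broadcast noise from {src}: {n} packets")
```

Feed it real lines with something like `find_scanners(open("/var/log/messages"))`; the window is keyed on the kernel uptime stamp, so lines from before a reboot should be split into a separate run. Tuning `max_ports` and `window` is exactly the threshold problem raised in the thread, which is why the sample includes both a slow prober and a source that hammers three ports without ever being flagged.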

  • Almost going to order there, fortunately not. I think the quality is similar to Leaseweb.

  • @raindog308 said:

    @Moofie said: DMing

    Can you DM me as well? I don't see anything on HostSlick's site about this, so I'd like to state publicly whether this is legit or not.

    Done :)

  • jar Patron Provider, Top Host, Veteran
    edited September 2020

    @Xenos said:
    It used to be grounds for termination if a provider caught you port scanning.

    There used to be fewer people out there doing research for security and statistics, which meant port scanning was by default more abusive. These days, with cyber security being a highly coveted career path, the landscape has changed dramatically, and a lot of these are research projects by students or organizations.

    @Xenos said: but is this legal?

    Yeah, I mean, you should ask yourself two questions: Does this bother you and, if so, why? Port scanning is so harmless, and running vulnerable software on public facing ports generally doesn't end in positive results just because some providers out there decide to terminate customers for port scanning.

    @AlwaysSkint said: Seems many people don't care that their logs get filled with this sort of crap

    Your problem there is logging all firewall traffic. That's a very opt-in scenario. I get it, but you signed up for that :joy:

    Sometimes I feel like people are just bored and want things to be upset about. It never felt more true than in 2020. Obsessive over-monitoring results in over-reporting, and that's just the way of life. Getting fewer but higher-quality logs/reports is really the way to go, and then you won't find yourself knee deep in data for stuff that wasn't going to bring your server down or negatively impact any of your services. Unless you're heavily parsing data for quick glances that you can narrow down as needed, I definitely recommend being more selective about the data kept. I argue that too much data is damaging if not heavily parsed, because it increases the chances of overlooking valuable data. I've noticed for quite a while that many in this community suffer from over-reporting data and then feeling concerned about an excess of emails from LFD, etc. If your security is doing its job, you don't need to know about every event that doesn't require attention.

  • Free advertising for them, anyways
