Port Scans from Hostslick
I was browsing through my UFW logs this morning and noticed that I had hundreds of port scans coming from Hostslick's IP range. I went to look up their abuse contact information and came across "For Abuse Reports please see http://reportiphere.com". It has a link to be whitelisted, but is this legal?
Comments
They just add to the port scans that are allowed from all the other providers. :-(
Hetzner, Aruba, OVH, Clouvider, et al.
I haven't come across a single provider that takes port scanning seriously, even though their ToS often mentions it as being prohibited.
UFW suggests Ubuntu on a server (why people use it beats me) - try replacing with CSF and block 'em all.
I think most providers don't care about port scanning; sure, it can be classified as abuse.
But they normally have bigger abuse issues to worry about, like phishing sites and outgoing spam.
^ this.
If you don't want to be scanned, run your servers in your LAN. The Internet is public and, with that, scans are to be expected and valid.
Nope.
Then maybe in your country it is not, but in mine it is, and the government does it and even sends you reports if they find vulnerabilities.
It used to be grounds for termination if a provider caught you port scanning.
What do you expect from a host that advertises on Nulled?
Excuse me, what are you saying?
Advertising on sites that promote nulled software is completely legal here. You can even distribute that nulled software here; it's also allowed.
We're the bad guys, not them.
(obvious /s, but the sad truth)
Quite funny that you say that
I'm not against HostSlick, but I think they went a bit far with the advertising here.
They are basically on every cracking forum.
Unless asked to do penetration testing, for example then there is no legitimate reason to scan, IMHumbleO.
Seems many people don't care that their logs get filled with this sort of crap:
[279212.793492] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=83.97.20.35 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=57702 DPT=23023 WINDOW=65535 RES=0x00 SYN URGP=0
[279216.366523] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.86 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=52073 PROTO=TCP SPT=50326 DPT=1285 WINDOW=1024 RES=0x00 SYN URGP=0
[279225.045234] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=103.27.237.5 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=17310 PROTO=TCP SPT=52360 DPT=31362 WINDOW=1024 RES=0x00 SYN URGP=0
[279226.944482] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.83 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=65326 PROTO=TCP SPT=50399 DPT=7403 WINDOW=1024 RES=0x00 SYN URGP=0
[279231.187480] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=192.35.169.45 DST=45.156.23.x LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=46045 PROTO=TCP SPT=2929 DPT=340 WINDOW=1024 RES=0x00 SYN URGP=0
[279231.966655] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.86 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=62219 PROTO=TCP SPT=50326 DPT=1195 WINDOW=1024 RES=0x00 SYN URGP=0
[279242.808929] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=92.63.197.83 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=42690 PROTO=TCP SPT=50399 DPT=7405 WINDOW=1024 RES=0x00 SYN URGP=0
[279260.350832] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=fa:16:3e:67:01:84:fa:16:3e:dd:64:xx:08:00 SRC=77.252.18.186 DST=45.156.23.x LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=22032 PROTO=TCP SPT=52463 DPT=9426 WINDOW=1024 RES=0x00 SYN URGP=0
It does not seem to me like common port scanning. Those destination port numbers (unless you changed them) are not assigned to any common services. What could someone be looking for there?
Link please..
DMing
Is there a connection between hostslick and hostslim? It is very odd that hostslick has the same company naming scheme as host slim "(first two of first name + first three of surname) + investments", this makes no sense unless they are very tightly related.
https://bgp.he.net/net/79.124.8.0/24#_whois
https://bgp.he.net/net/103.219.154.0/24#_whois
I receive many probes from this block too.
Hetzner is strict. They suspend your server when it is used for port scanning.
I would avoid anything that comes out of Lelystad Media Tower. It's HostSlayer's new base, and the hosts there are in too good a relationship with each other. Not worth the risk when there are so many awesome products in Amsterdam.
Was just a small section and only one VPS - happens worldwide. Usually random ports trying to find ssh etc. Sometimes common Windoze/plex and other crap are scanned for.
Bollox! Why do you think I now have a specific Hetzner block? It's not up to intended victims to keep reporting scans - block at source, I say. It should be fairly trivial to detect port scanning by providers, if they were so inclined - especially when you see the frequency and range that are scanned.
Why would it be easy? It's a threshold problem and you'd need to know the customer and volume of traffic to know how to set those limits. A lot of work, a lot of false positives.
Yet incoming is relatively simple: > 12 ports accessed in 60 seconds and something is amiss.
Setting a high enough threshold would block a very large proportion of port scanners. An example, without any empirical testing might be 25 different outbound ports within 30 seconds, perhaps to more than 5 different IP addresses, for greater granularity.
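As an added example (not code from this thread, from HostSlick, or from CSF/UFW): a small Python detector that parses the iptables/CSF-style "TCP_IN Blocked" lines quoted earlier and applies the incoming threshold suggested above, flagging a source that hits more than 12 distinct destination ports within any 60-second window. The threshold and window are parameters, so the other figures discussed (25 ports in 30 seconds) can be tried against the same log. The log lines it runs on are constructed here with RFC 5737 documentation addresses rather than real scanner IPs, and the function names are my own choices.

```python
import re
from collections import defaultdict, deque

# Matches the kernel-timestamp, SRC and DPT fields of an iptables/CSF
# "Firewall: TCP_IN Blocked" line as shown in the thread.
LOG_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] Firewall: TCP_IN Blocked .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), int(m.group("dpt"))


def detect_scanners(lines, max_ports=12, window=60.0):
    """Flag sources touching more than max_ports distinct destination ports
    within any window of `window` seconds.

    Returns {source_ip: timestamp_at_which_it_was_first_flagged}.
    Repeated hits on one port (e.g. SSH retries) count as a single port.
    """
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)  # per source: (ts, port) events in the window
    flagged = {}
    for ts, src, dpt in records:
        q = recent[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) > max_ports:
            flagged[src] = ts
    return flagged


def make_line(ts, src, dpt, dst="45.156.23.x"):
    """Constructed log line in the same layout as the firewall entries quoted above."""
    return (f"[{ts:.6f}] Firewall: TCP_IN Blocked IN=eth0 OUT= "
            f"MAC=fa:16:3e:00:00:00:fa:16:3e:00:00:00:08:00 SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=50000 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample log (documentation addresses, not real hosts):
SAMPLE_LINES = []
# a scanner: 13 distinct ports from one source within 40 seconds
SAMPLE_LINES += [make_line(1000.0 + i * 3, "198.51.100.7", 2000 + i) for i in range(13)]
# brute-force style retries: 13 hits on port 22, only one distinct port
SAMPLE_LINES += [make_line(1001.0 + i * 3, "203.0.113.9", 22) for i in range(13)]
# a slow scan: 13 ports spread over 20 minutes, never 13 within one minute
SAMPLE_LINES += [make_line(2000.0 + i * 100, "192.0.2.44", 3000 + i) for i in range(13)]

if __name__ == "__main__":
    for src, ts in detect_scanners(SAMPLE_LINES).items():
        print(f"{src} flagged at kernel time {ts:.3f}")
```

Against the constructed sample only 198.51.100.7 is flagged with the defaults; widening the window (or lowering `max_ports`) also catches the slow scan, while the single-port retry source is never flagged because the count is over distinct ports, not packets. Real dmesg output can be fed in line by line the same way.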
Why are so many VMs allowed to blast the (virtual) NICs of neighbours, with broadcast packets? If they want to legitimately access their own neighbouring VMs they should be targeted packets. It's an inherent issue with Windoze and media services and one of the things I don't like about webmin (though at least that's a manual process).
Can you DM me as well? I don't see anything on HostSlick's site about this, so I'd like to state publicly whether this is legit or not.
There is no need for any DMs, you can literally google for this.
The problem is, there is absolutely no need to call anyone out on things like this, because there are way too many users here to defend their favourite hosts, whatever wrong they're doing.
Incoming to a single IP is dead easy and targeted. Outgoing to different places over time is harder.
Just open a bit torrent connection and see hundreds of outgoing connections in seconds. You're not thinking of tons of valid use cases.
What neighborhood traffic is blasting broadcast packets? Are you talking about kbps of traffic? Stuff that is blocked by default in a public firewall? Without specifics, hard to know what you're referring to that is such a problem.
Might be useful to add @HostSlick to the pool
Just take a look at dmesg or grep /var/log/kernel.log, /var/log/messages for the .255 entries from your 'friendly' neighbours. Consuming resources just for the hell of it and filling up your logs.
(I end up creating a custom IPtables entry with INVDROP)
Almost went to order there, fortunately not. I think the quality is similar to Leaseweb.
Done
Used to be less people out there doing research for security and statistics, which meant port scanning was by default more abusive. These days with cyber security being a highly coveted career path the landscape has changed dramatically, and a lot of these are research projects by students or organizations.
Yeah, I mean, you should ask yourself two questions: Does this bother you and, if so, why? Port scanning is so harmless, and running vulnerable software on public facing ports generally doesn't end in positive results just because some providers out there decide to terminate customers for port scanning.
Your problem there is logging all firewall traffic. That's a very opt-in scenario. I get it, but you signed up for that
Sometimes I feel like people are just bored and want things to be upset about. It never felt more true than in 2020. Obsessively over-monitoring results in over-reporting, and that's just the way of life. Getting fewer but higher-quality logs/reports is really the way to go, and then you won't find yourself knee-deep in data for stuff that wasn't going to bring your server down or negatively impact any of your services. Unless you're heavily parsing data for quick glances that you can narrow down as needed, I definitely recommend being more selective about the data kept. I argue that too much data is damaging if not heavily parsed, because it increases the chances of overlooking valuable data. I've noticed for quite a while that many in this community suffer from over-reporting data and then feeling concerned about an excess of emails from LFD, etc. If your security is doing its job, you don't need to know about every event that doesn't require attention.
Free advertising for them, anyways