Linode Forum https://forum.linode.com/

someone scanning my ports https://forum.linode.com/viewtopic.php?f=19&t=7034
Author: BipBop [ Thu Apr 28, 2011 6:59 pm ]
Post subject: someone scanning my ports
Hello guys, I am a new Linode user and need a little help in analyzing my iptables log. Yesterday (April 27) I set up iptables on my Linode and decided to leave the Linode running to see if the firewall would pick up any action. Today I looked at my log and it looks like someone was scanning my ports. Even though the source IP is different, all the packets are originating from the same MAC address and are targeted towards some common ports like 22, 135, 8080 etc. What would be a good way to deal with these scans? A program that can add rules to iptables to block requests originating from a particular NIC or IP? The timing of these attacks/scans is really spread out also, so.. I doubt I can capture them using some time limit. Any help appreciated.

Author: vonskippy [ Thu Apr 28, 2011 7:04 pm ]
Welcome to the internet, don't lose sleep over random port scans, it's a very common event.

Author: BipBop [ Thu Apr 28, 2011 7:09 pm ]
Haha, no no, I am not losing sleep over it. But it would be cool to know, if the scanning user does turn malicious, whether it can be dealt with dynamically and all his packets get dropped by my firewall or he gets added to an ignore list or something. I mean his packets are being dropped right now.. but if he tries something different.

Author: hoopycat [ Thu Apr 28, 2011 8:44 pm ]
Post subject: Re: someone scanning my ports
BipBop wrote: Even though the source IP is different, all the packets are originating from the same MAC address and are targeted towards some common ports like 22, 135, 8080 etc.
That's the MAC address of the router between the Internet and you. MAC addresses are only used to identify entities within the same local area network (in the Linode architecture, a /24 subnet). Anything beyond there will (hopefully) have the MAC address of a router. (Edit: Also, there is no "someone" or "the scanning user"; there are probably hundreds of thousands, if not millions, of computers out there which are doing this continuously in an attempt to bring your computer into their collective. Anthropomorphizing this activity into that of "some guy" is not a good way to think about it.)

Author: BipBop [ Thu Apr 28, 2011 9:12 pm ]
Thank you for that nugget of knowledge hoopycat. My networking knowledge is rudimentary at best.. so I really appreciate that. I knew I would learn a slew of new things trying to run/maintain my own VPS.

Author: hoopycat [ Thu Apr 28, 2011 9:50 pm ]
No problem. It's a lot of fun, and there's plenty to learn, especially with networking stuff in general. The Internet isn't magic, but the fact that it actually works is magic.

Author: eld101 [ Fri Apr 29, 2011 9:51 am ]
You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc...

Author: eld101 [ Fri Apr 29, 2011 3:13 pm ]
eld101 wrote: You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc...
I forgot to mention it can also automatically block the suspect IP for a given amount of time. I think the default is 5 minutes.

Author: haus [ Sat Apr 30, 2011 9:44 pm ]
CSF/LFD is another option, a favorite of mine. It will detect portscanning and login failures for various services and temporarily or permanently block them. Also, while it's not "security", moving services like SSH to higher port numbers will cut down on failed login entries, since they will be less likely to hit the right port.
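The points in this thread (BipBop's wish to react to scans automatically, hoopycat's note that the MAC in the log is the router's, and the expiring blocks that OSSEC and CSF/LFD apply) can be seen together in one small script. The following is an added example, not code from the thread, from OSSEC or from CSF/LFD: it parses kernel-log lines in the layout the iptables LOG target writes, shows that every source IP arrives behind the same source MAC, flags sources that probe several distinct ports within a window, and keeps an expiring block list that it renders as iptables commands instead of running them. The log lines, IP addresses, MAC addresses, the log prefix FW-DROP: and the thresholds are all constructed or assumed.

```python
"""Triage for iptables LOG lines: which link-layer source the packets carry,
which sources look like port scans, and a block list whose entries expire.
Added example for this thread, not OSSEC or CSF/LFD code; every log line,
address, MAC and threshold below is constructed or assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed kernel-log lines in the LOG target's layout: three SRC addresses, one MAC.
SAMPLE_LOG = """\
Apr 27 03:12:41 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 06:48:02 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=44124 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 09:14:33 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=192.0.2.55 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 09:14:35 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=192.0.2.55 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 11:20:19 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=44125 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 15:55:40 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=TCP SPT=44126 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 18:40:10 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=7 PROTO=UDP SPT=40000 DPT=53 LEN=40
Apr 27 18:40:11 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=8 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 22:03:07 linode kernel: FW-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=44127 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[ *[\d.]+\] )?"
    r"(?:(?!IN=)\S+ )*IN=\S* OUT=\S* MAC=(?P<mac>\S*) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

def parse_line(line, year=2011):
    """One LOG line -> dict, or None for any other kind of line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    mac = m["mac"].split(":")
    # MAC= holds the 14-byte Ethernet header: destination MAC (this host's NIC),
    # source MAC (the last hop, i.e. the router), then the EtherType. It never
    # identifies the remote sender, and it is empty on interfaces without one.
    src_mac = ":".join(mac[6:12]) if len(mac) >= 14 else None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "src_mac": src_mac, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"]) if m["dpt"] else None}

def parse_log(text):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])

def source_macs(events):
    """Distinct source MACs: for Internet traffic this is the router's, alone."""
    return {e["src_mac"] for e in events if e["src_mac"]}

def detect_scanners(events, min_ports=4, window=timedelta(hours=24)):
    """Sources that hit >= min_ports distinct destination ports inside some
    window-long span, mapped to every port they touched. A long window catches
    the slow, spread-out probing described in the thread; one port hit over
    and over (a login brute force) is deliberately not counted as a scan."""
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_src[e["src"]].append((e["ts"], e["dpt"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window, lo = Counter(), 0  # ports currently inside the sliding window
        for ts, port in hits:
            in_window[port] += 1
            while ts - hits[lo][0] > window:  # advance the window's left edge
                in_window[hits[lo][1]] -= 1
                if in_window[hits[lo][1]] == 0:
                    del in_window[hits[lo][1]]
                lo += 1
            if len(in_window) >= min_ports:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged

class BlockList:
    """Expiring blocks in the spirit of OSSEC active response or CSF/LFD. The
    iptables commands are returned as strings and never executed here."""
    def __init__(self, duration=timedelta(minutes=5)):
        self.duration, self.until = duration, {}  # ip -> expiry time
    def block(self, ip, now):
        self.until[ip] = now + self.duration
        return f"iptables -I INPUT -s {ip} -j DROP"
    def is_blocked(self, ip, now):
        return ip in self.until and self.until[ip] > now
    def expire(self, now):
        """Forget expired entries; return the commands that would lift them."""
        gone = [ip for ip, t in self.until.items() if t <= now]
        for ip in gone:
            del self.until[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in gone]

def triage(text=SAMPLE_LOG):
    events = parse_log(text)
    if not events:
        return set(), {}, []
    scanners = detect_scanners(events)
    bl, now = BlockList(), events[-1]["ts"]
    return source_macs(events), scanners, [bl.block(ip, now) for ip in scanners]

if __name__ == "__main__":
    for item in triage():
        print(item)
```

Run it with `python3` and it reports one source MAC for three different source IPs, flags 203.0.113.7 (five ports over nineteen hours) while leaving the repeated port-22 attempts from 192.0.2.55 to a login-failure tool, and prints the DROP rule it would insert. For real enforcement the expiry is easier to hand to the kernel than to keep in a script: an ipset created with a `timeout` and matched from one iptables rule ages entries out by itself, which is what the packaged tools do for you.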

Author: eld101 [ Sun May 01, 2011 10:34 am ]
Just found a guide to install OSSEC. It's specifically for CentOS, but I'm sure it will work for several others.... http://www.securecentos.com/extra-secur ... all-ossec/

All times are UTC-04:00