Server log spammed with blocked requests
When I check my log by writing tail -f /var/log/syslog
I see that I have a lot of requests coming in. It looks to me like some heavy port scanning, but this has been going on for months, so my logs are huge and my fail2ban blocks number several thousand.
This is a sample live log (note I restarted the sshd service, as you can see):
Link to terminal picture: https://photos.app.goo.gl/qhfWxWZwGmQUZXpa8
What is going on here?
As you can see, I get an occasional error message: "Server returned error NXDOMAIN, mitigating potential dns violation…"
Maybe this has something to do with it?
I have really no clue as to what is going on here, and my Linux admin skills are at a beginner level. Is this normal behaviour? My site is not a heavy-traffic site; only a login portal is exposed to the public. All incoming traffic is blocked with ufw except for SSH, HTTP and HTTPS, and I have fail2ban running too.
3 Replies
Greetings @aprikosmarmelade,
These are typical events you are seeing in the logs. Every public-facing IP address is scanned by malicious actors, security researchers, governments and other parties. It sounds like you have your server well secured already, though. You can go over the steps in our Securing your Server guide to make sure. To further harden the Linode, you could use public key authentication.
To stop the log files from getting too large, I'd recommend using logrotate.
I hope that helps.
-Preston
Thanks for the replies! I'm worried that my server is already compromised because I didn't use fail2ban for the first three months after the server went live. I did use ufw, but I had not turned off logging in as root.
How would I know if someone has access to the server (I know it's difficult to know for sure)? When I look at current network services with the "ss -atpu" command, I see that there are other established connections, other than mine, using SSH. If I deny their IP with ufw, some new one will appear. What could this be?
Maybe I'm turning a bit paranoid? Haha. Most likely I will create a new Linode and use the security practices I now know, but I have production apps running on it, so it could be a problem (too much work).
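One way to separate the scanner noise from the logins that actually matter, as an added example that is not from anyone in this thread: it parses a few constructed sshd lines in the auth.log/syslog format, counts failed password attempts per source address, and flags every accepted login that is for root, comes from an address you do not recognise, or follows a run of failures from the same address. The sample lines, the addresses and the "known sources" set are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to auth.log/syslog;
# not taken from the thread, and the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:21 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:02 host sshd[2110]: Failed password for ubuntu from 198.51.100.7 port 40002 ssh2
Mar  3 10:05:40 host sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:abc
Mar  3 10:07:01 host sshd[2125]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def failed_by_source(lines):
    """Count failed password attempts per source address (the scanner noise)."""
    return Counter(m.group(2) for m in map(FAILED.search, lines) if m)


def accepted_logins(lines):
    """Return (method, user, source) for every successful login."""
    return [m.groups() for m in map(ACCEPTED.search, lines) if m]


def suspicious_logins(lines, known_sources, threshold=3):
    """Flag successful logins that are for root, come from an address you do
    not recognise, or come from an address that had already failed repeatedly."""
    failed = failed_by_source(lines)
    flagged = []
    for method, user, src in accepted_logins(lines):
        reasons = []
        if user == "root":
            reasons.append("root login")
        if src not in known_sources:
            reasons.append("unknown source")
        if failed[src] >= threshold:
            reasons.append(f"{failed[src]} prior failures")
        if reasons:
            flagged.append((user, src, method, reasons))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed attempts per source:", dict(failed_by_source(lines)))
    for user, src, method, reasons in suspicious_logins(lines, {"192.0.2.10"}):
        print(f"CHECK {user}@{src} via {method}: {', '.join(reasons)}")
```

On a real server, feed it the lines from /var/log/auth.log (or journalctl -u ssh) and put your own addresses in the known set; the password login for root from an address that had just been failing is the kind of entry worth investigating.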