Just another day in paradise...
I captured from my Linode kernel log over about 20 seconds today. I have redacted my hostname and IP address. The spacing and annotations are mine. This is what port scanning looks like.
This is constant…24/7. I'm publishing this for the benefit of anyone who still thinks firewalls are too complicated and that they don't need one…
Source IP: Ukraine
Destination port: tcp/3380 (SNS Channels)
Although this is a well-known port, it's probably a portscan.
Jul 13 09:57:15 <redacted> kernel: [2907296.594825] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=92.63.197.70 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=46383 PROTO=TCP SPT=58354 DPT=3380 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Seychelles
Destination port: udp/53 (DNS)
Probably a dictionary attack.
Jul 13 09:57:15 <redacted> kernel: [2907296.892932] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=80.82.65.90 DST=<redacted> LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=22808 DF PROTO=UDP SPT=57313 DPT=53 LEN=44
Source IP: USA
Destination port: tcp/25 (SMTP)
The source a commercial mailing list operator probably engaged in spam.
Jul 13 09:57:19 <redacted> kernel: [2907300.194682] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:04:c5:a4:e8:4f:c1:08:00 SRC=148.105.15.151 DST=<redacted> LEN=60 TOS=0x08 PREC=0x40 TTL=53 ID=42178 DF PROTO=TCP SPT=10001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Source IP: USA
Destination port: tcp/25 (SMTP)
The source a commercial mailing list operator probably engaged in spam.
Jul 13 09:57:19 <redacted> kernel: [2907300.198232] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=148.105.15.151 DST=<redacted> LEN=60 TOS=0x08 PREC=0x40 TTL=53 ID=37270 DF PROTO=TCP SPT=18176 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Source IP: Russia
Destination port: tcp/57370 (n/a)
This is a portscan attempt.
Jul 13 09:57:26 <redacted> kernel: [2907307.896809] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=92.63.196.8 DST=<redacted> LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=47609 PROTO=TCP SPT=49131 DPT=57370 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Bulgaria
Destination port: tcp/23423
Most likely a Russian portscan proxy.
Jul 13 09:57:32 <redacted> kernel: [2907313.862023] Blacklist IPv4 hosts-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:04:c5:a4:e8:4f:c1:08:00 SRC=185.176.27.170 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=46923 PROTO=TCP SPT=45380 DPT=23423 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Bulgaria
Destination port: tcp/23423
Most likely a Russian portscan proxy.
Jul 13 09:57:33 <redacted> kernel: [2907314.452983] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=45.145.66.5 DST=<redacted> LEN=40 TOS=0x00 PREC=0x20 TTL=246 ID=34162 PROTO=TCP SPT=45609 DPT=49406 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Netherlands
Destination port: tcp/8880
Port 8880 is often used as an alternate port for HTTP. Most likely this is a portscan attempt.
Jul 13 09:58:10 <redacted> kernel: [2907351.298728] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:04:c5:a4:e8:4f:c1:08:00 SRC=80.82.77.240 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=5837 PROTO=TCP SPT=64344 DPT=8880 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Netherlands
Destination port: tcp/14094
The physical address for this IP address is in Seychelles…a portscan attempt.
Jul 13 09:58:11 <redacted> kernel: [2907352.309444] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=103.253.115.17 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=53630 PROTO=TCP SPT=54421 DPT=14094 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Bulgaria
Destination port: tcp/41700
Most likely a Russian portscan proxy.
Jul 13 09:58:11 <redacted> kernel: [2907352.440770] Blacklist IPv4 hosts-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=185.176.27.218 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2111 PROTO=TCP SPT=57200 DPT=41700 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Bulgaria
Destination port: tcp/3713 (TFTP over TLS)
Most likely a Russian portscan proxy.
Jul 13 09:58:13 <redacted> kernel: [2907354.255925] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:04:c5:a4:e8:4f:c1:08:00 SRC=87.251.74.180 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=31865 PROTO=TCP SPT=59384 DPT=3713 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Bulgaria
Destination port: tcp/1010 (SURF)
Most likely a Russian portscan proxy.
Jul 13 09:58:26 <redacted> kernel: [2907367.953871] Blacklist IPv4 hosts-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:04:c5:a4:e8:4f:c1:08:00 SRC=185.176.27.214 DST=<redacted> LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3055 PROTO=TCP SPT=58911 DPT=1010 WINDOW=1024 RES=0x00 SYN URGP=0
Source IP: Russia
Destination port: udp/27136
This is a portscan attempt.
Jul 13 09:58:38 <redacted> kernel: [2907379.080331] Blacklist IPv4 nets-IN:IN=eth0 OUT= MAC=f2:3c:91:ce:35:e7:00:26:98:02:ab:c1:08:00 SRC=92.63.196.26 DST=<redacted> LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=23961 PROTO=TCP SPT=58422 DPT=27136 WINDOW=1024 RES=0x00 SYN URGP=0
-- sw
8 Replies
If you didn't have a firewall, how would these port scans on closed ports have affected your server?
The server would have accepted these packets and had to generate an error message in return -- taking resources away from the server's purpose.
In the case of mail, my mail server would have accepted the message and then had to generate a "user unknown" return to the sender or delivered the spam message…taking system resources for both cases and cognitive resources for the latter.
The biggest consequence would have been that the OPEN IP address & port pairs would have been broadcasted around the world about 100000 times in a millisecond and the my server would be brought to it's knees trying to service all the resulting bogus requests.
-- sw
If your server is configured properly, these regular port scans and brute-force attempts will not cause any degradation in performance. I have an original Raspberry Pi without any firewall and despite a few thousand login attempts per day, the load is minimal.
Just for clarification, firewalls are great and useful, but they're not needed for this inconsequential internet noise.
FWIW, this is more than just "closed ports"…this all comes from a blacklist. All traffic from each of the networks containing these IP addresses is completely blocked…even traffic to the open ports in the firewall (see ipset(8)).
I agree that this is mostly "internet noise" as you call it but my intent was to expose the newbies among us to the level of bad action out there…and the need to protect your system(s) from it -- because Linode does not do it for you.
-- sw
I cannot wait for the cloud firewalls for this reason - providing you configure them correctly, all this "internet noise" wouldn't even reach your server, saving even more processing effort.
This will leave your server free to handle good traffic and the detailed rules of traffic arriving on "allowed" ports, like your block-list of ill-reputed networks.
Yeah… Currently the blacklists weigh in at
56139 Unique IPv4 networks
110102 Unique IPv6 networks
167497 Unique IPv4 hosts
13 Unique IPv6 hosts
And, no, none of the hosts are members of any of the networks.
-- sw
I've noticed a dramatic slowdown in the amount of illicit port scanning and intrusion attempts from bad actors over the last couple of days. In particular, the dictionary attack(s) against port 22 on my FreeBSD Linode have stopped completely.
I haven't read anything in the news recently about any major 'bot-nets being taken out. Is anyone else having the same experience as me?
Maybe the attackers have just given up on trying to attack my FreeBSD node and have moved on to someone else…
@andysh ?
-- sw