Script to find out if Linode IP addresses scanning my servers
Folks:
I had asked a question earlier about attempts to get past my ufw firewalls on my Linodes and you mentioned that Google and AOS may not care if I report them.
What about if other Linode instances are hitting my firewalls? Are you folks interested to know if other Linodes are testing my firewalls?
If so, can Linode provide a script that I can run on my logs to determine if any other Linode-owned IPs are hitting my Linodes?
And if I see any, do I just mention them here in the forum?
Thank you
Mark Allyn
3 Replies
What about if other Linode instances are hitting my firewalls? Are you folks interested to know if other Linodes are testing my firewalls?
You don't care if anyone is "hitting" your firewalls…you only care if they get in…or attempt to get in (like an ssh login failure). Denial of a packet by your firewall happens thousands of times a second. Most of that is worthless information…except to tell you the firewall is doing its job.
If so, can Linode provide a script that I can run on my logs to determine if any other Linode-owned IPs are hitting my Linodes?
You can do this with fail2ban. Whenever fail2ban gets a "hit" on an extraordinary event, look up the IP address to see if it's a member of any network in AS63949 (and don't forget IPv6). You'll have to be careful to cache stuff appropriately so that you don't slow down fail2ban unnecessarily (because it's already incredibly slow). You'll need some python3 expertise to accomplish this.
Alternatively, you can write a cron job to scan the fail2ban database to look for these things after the ban has occurred. This would be far easier. The fail2ban database is a fairly simple SQLite database that should have all the info you need to file a support ticket (including the log entry that triggered the ban). There's lots of support in any language you care to mention for SQLite.
And if I see any, do I just mention them here in the forum?
File a support ticket about them. You'll need the log entries that triggered the fail2ban action to support your claim.
-- sw
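The cron-job approach sw describes, as an added example that is not from the original thread: read fail2ban's `bans` table, check each banned IP (v4 and v6) against a list of AS63949 prefixes, and pull out the stored log lines for a support ticket. The prefix list, the in-memory database and its rows are constructed stand-ins; a real run would open `/var/lib/fail2ban/fail2ban.sqlite3` and load the current AS63949 prefixes from an RIR/BGP source.

```python
import ipaddress
import json
import sqlite3

# Constructed stand-ins (RFC 5737 / RFC 3849 documentation ranges), NOT Linode's
# real prefixes: fetch the announced prefixes for AS63949 from an RIR/BGP data
# source, cache them, and refresh the cache on a schedule.
AS63949_PREFIXES_EXAMPLE = ["203.0.113.0/24", "2001:db8::/32"]


def build_networks(prefixes):
    """Parse CIDR strings into ip_network objects (IPv4 and IPv6 alike)."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def in_as_networks(ip, networks):
    """True if ip (a string) falls inside any of the networks; bad input -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_bans_from_networks(conn, networks):
    """Return bans whose IP is inside one of the networks, including the log
    lines fail2ban saved under 'matches' in the JSON 'data' column."""
    hits = []
    for jail, ip, timeofban, data in conn.execute(
            "SELECT jail, ip, timeofban, data FROM bans"):
        if not in_as_networks(ip, networks):
            continue
        try:
            matches = json.loads(data or "{}").get("matches", [])
        except ValueError:
            matches = []  # tolerate a corrupt/empty data column
        hits.append({"jail": jail, "ip": ip, "timeofban": timeofban,
                     "matches": matches})
    return hits


def constructed_db():
    """In-memory copy of fail2ban's 'bans' table with constructed sample rows,
    so the script runs without a real fail2ban.sqlite3 on the box."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, "
                 "timeofban INTEGER NOT NULL, data JSON)")
    rows = [
        ("sshd", "203.0.113.7", 1700000000, json.dumps({"matches": [
            "sshd[1]: Failed password for root from 203.0.113.7 port 4242 ssh2"]})),
        ("sshd", "198.51.100.9", 1700000100, json.dumps({"matches": ["..."]})),
        ("sshd", "2001:db8::1", 1700000200, json.dumps({"matches": ["..."]})),
    ]
    conn.executemany("INSERT INTO bans VALUES (?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    for hit in find_bans_from_networks(constructed_db(),
                                       build_networks(AS63949_PREFIXES_EXAMPLE)):
        print(hit["jail"], hit["ip"], hit["timeofban"], hit["matches"][0])
```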
Hey Mark! I totally hear you on wanting to prevent others from reaching your Linode. It's sad to say that there are people (or bots!) who scan the inter-webs for vulnerable IP addresses, but it's the reality we face.
Linode itself doesn't provide any scripts to customers that you can run, but you're more than welcome to build and run something of this nature on your system - as long as it aligns with Linode's Terms of Service.
I like to recommend securing and hardening access to your server as much as possible. I myself find Linode's Securing Your Server and fail2ban guides to be really helpful here. It sounds like you already have UFW enabled, but for anyone else reading this reply, you can find more about UFW here.
Cheers,
Eric
Thank you!
Just to let you know, on all of my systems, I do the following:
- SSH is on a non-standard port (not port 22)
- UFW blocks all ports except for my non-standard SSH port and the http and https ports. My email server has everything blocked except for non-standard SSH, SMTP, POP3 and IMAP; all others are blocked.
If I am working on a system (currently my email server and my icecast server), I keep it powered down while unattended.
Mark