blah.members.linode.com browsing my forum

those guests seem like there connections coming from fellow linoders.. so i guess there are a few possible reasons.

1. Theyre using their linode to surf your forum

2. Their linode has been compromised and its scanning yours.

3. Its a TOR exit node or something simular and your visiters are coming from them..

Or a combination of the above :)

#1 isn't such a strange case, BTW. Many people set up a proxy or VPN on their Linode for when they have to use some insecure hotel WiFi or whatever. (Or to get around Hulu/BBC location restrictions!)

(I'm doing it right now, but I don't use the default rDNS. :P)

i dunno. i reckon its pretty suss that a full 1/3 of my visitors are using linode. especially considering they were not prior to me moving to linode.

By any chance do you have a private ip? I've seen nodes on various vps providers scan the private network.

i have no idea whether i have a private ip, so probably not :)

i am thinking to give all *.members.linode.com a 403.

I wouldn't bother if someone was that interested in causing you trouble they can just sign up else where.

You're better off installing something like fail2ban http://library.linode.com/security/fail2ban/

i have ssh locked down already. im not really worried about this from a security standpoint, im more annoyed about what is happening to my stats logging and whatnot.

What user agent are they using? What pages are they hitting? It's tough to speculate without more information. I'd say it's weird behavior, and I haven't seen it happen before.