someone scanning my ports

Hello guys,

I am a new Linode user and need a little help in analyzing my iptables log. :)

Yesterday (April 27) I set up iptables on my linode and decided to leave the linode running to see if the firewall would pick up any action. Today I looked at my log and it looks like someone was scanning my ports.

Even though the source IP is different, all the packets are originating from the same MAC address and are targeted towards some common ports like 22, 135, 8080 etc.

What would be a good way to deal with these scans? A program that can add rules to iptables to block requests originating from a particular NIC or IP? The timing of these attacks/scans is really spread out also, so I doubt I can capture them using some time limit.

Any help appreciated.
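As an added example (not code from the thread or from any of the tools mentioned in it), here is the kind of "parse the iptables log, flag a source that touches several different ports, and produce a time-limited block" logic the question is asking about. The log lines are constructed to mimic the default iptables LOG target format (key=value fields after `kernel:`); the addresses come from documentation ranges and the MAC is invented. The year, the port threshold, the window length and the ipset name are all assumptions chosen for the example. Nothing is executed against the firewall: the block commands are returned as strings so you can inspect them first.

```python
"""Flag port-scanning sources in iptables LOG output and emit temporary block rules.

Added example, not from the thread. Assumes the default iptables LOG target
line format (key=value fields) and syslog timestamps that carry no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not a real capture). 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges and the MAC is invented. Every line
# carries the same MAC although SRC differs: on a hosted VM that is the
# upstream router's address, not the scanner's, so never key a block on it.
SAMPLE_LOG = """\
Apr 27 03:12:01 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44011 DPT=22 SYN
Apr 27 03:12:02 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44012 DPT=135 SYN
Apr 27 03:12:02 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44013 DPT=8080 SYN
Apr 27 03:12:03 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44014 DPT=3389 SYN
Apr 27 09:40:10 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51000 DPT=22 SYN
Apr 27 18:05:44 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51001 DPT=8080 SYN
Apr 27 18:05:45 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51002 DPT=443 SYN
Apr 27 18:06:01 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51003 DPT=22 SYN
Apr 27 22:00:00 linode kernel: IN=eth0 OUT= MAC=fe:fd:c0:a8:01:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 PROTO=UDP SPT=53 DPT=53
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?kernel: (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text, year=2011):
    """Return (timestamp, src, dpt, mac, proto) tuples.

    Lines without SRC/DPT (e.g. ICMP) are skipped. The year is an assumption
    because syslog timestamps do not carry one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("body")))
        if "SRC" not in fields or "DPT" not in fields:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, fields["SRC"], int(fields["DPT"]),
                       fields.get("MAC", ""), fields.get("PROTO", "")))
    return events


def distinct_macs(events):
    """All MAC addresses seen; on a VPS this is normally just the router's."""
    return sorted({mac for _, _, _, mac, _ in events})


def find_scanners(events, min_ports=3, window_s=3600):
    """Sources that hit >= min_ports distinct destination ports within window_s.

    A sliding window per source means slow, spread-out probes are still caught
    as long as window_s is wide enough. Returns {src: (alert_time, ports)}.
    """
    by_src = defaultdict(list)
    for ts, src, dpt, _mac, _proto in events:
        by_src[src].append((ts, dpt))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        recent = deque()
        for ts, dpt in hits:
            recent.append((ts, dpt))
            while (ts - recent[0][0]).total_seconds() > window_s:
                recent.popleft()
            ports = {p for _, p in recent}
            if len(ports) >= min_ports:
                alerts[src] = (ts, sorted(ports))
                break
    return alerts


def block_commands(alerts, timeout_s=300, setname="scanners"):
    """ipset/iptables commands that drop flagged sources for timeout_s seconds.

    Returned as strings only; nothing is executed. ipset's per-entry timeout
    expires the block on its own, so no cron job is needed to unblock.
    """
    cmds = [
        f"ipset create {setname} hash:ip timeout {timeout_s} -exist",
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null || "
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    for src in sorted(alerts):
        cmds.append(f"ipset add {setname} {src} timeout {timeout_s} -exist")
    return cmds


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("MAC addresses seen:", distinct_macs(ev))
    found = find_scanners(ev)
    for src, (when, ports) in found.items():
        print(f"{src}: {len(ports)} distinct ports {ports} by {when}")
    print("\n".join(block_commands(found)))
```

With the default one-hour window both sources are flagged: 192.0.2.10 within two seconds, and 192.0.2.77 only at 18:06:01, after its earlier lone probe at 09:40 has aged out of the window and three fresh ports arrive close together. Narrow the window to ten seconds and the slow source is missed, which is the trade-off the question worries about. Widening the window is the cure, at the cost of more state per source.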

12 Replies

Welcome to the internet, don't lose sleep over random port scans, it's a very common event.

Haha, no no, I am not losing sleep over it. But it would be cool to know, if the scanning user does turn malicious, whether it can be dealt with dynamically and all his packets get dropped by my firewall or he gets added to an ignore list or something. :)

I mean his packets are being dropped right now.. but if he tries something different.

@BipBop:

Even though the source ip is different, all the packets are originating from the same mac address and are targeted towards some common ports like 22, 135, 8080 etc.

That's the MAC address of the router between the Internet and you. MAC addresses are only used to identify entities within the same local area network (in the Linode architecture, a /24 subnet). Anything beyond there will (hopefully) have the MAC address of a router.

(Edit: Also, there is no "someone" or "the scanning user"; there's probably hundreds of thousands, if not millions, of computers out there which are doing this continuously in an attempt to bring your computer into their collective. Anthropomorphizing this activity into that of "some guy" is not a good way to think about it.)

Thank you for that nugget of knowledge hoopycat. My networking knowledge is rudimentary at best.. so I really appreciate that. I knew I would learn a slew of new things trying to run/maintain my own VPS. :)

No problem. It's a lot of fun, and there's plenty to learn, especially with networking stuff in general. The Internet isn't magic, but the fact that it actually works is magic :-) -rt

You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc…

@eld101:

You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc…

I forgot to mention it can also automatically block the suspect IP for a given amount of time. I think default is 5 minutes.

CSF/LFD is another option, a favorite of mine. It will detect portscanning and login failures for various services and temporarily or permanently block them.

Also, while it's not "security", moving services like SSH to higher port numbers will cut down on failed login entries, since they will be less likely to hit the right port.

Just found a guide to install OSSEC. It's specifically for CentOS, but I'm sure it will work for several others.

http://www.securecentos.com/extra-security/install-ossec/

Getting the same issue, someone is scanning my ports.

Just want to add my 2 cents.
Had experienced this at my previous company. Would notice a ton of random scans on a brand new public ip or domain linked to a vm.

It's scary how quickly they (bots i assume) discover your newly registered domain and start scanning for open ports.

I also noticed once they found an open port, like 22, 80 or 21, they start fairly soon to attempt logins with "default" known usernames. root, admin websitename-admin, wpadmin etc…

It's fun to watch actually.
I used to spend 30 min bi-daily checking OSSEC for such activity and adding them to the blacklist on the physical firewall. :)

Usually the port scanning continues from another IP in the same region once the previous one is blocked.

Yea, it's scary/fascinating how quickly bots will probe and try to exploit detected vulnerabilities on new systems.

We routinely recommend running through the Secure Your Server guide to help protect against intrusion attempts, including configuring a firewall quickly after you've spun up your Linode. Initial security configurations are also common in StackScripts for this reason.

It's also helpful to test your security by examining your Linode's listening processes with sudo ss -plutn and/or running external scans on your own systems with a tool such as nmap — I often refer to this cheatsheet for my own testing.
