psad sending interesting/puzzling reports
I recently installed psad (among other things) and have been getting an overwhelming amount of email reports from it. I'm kind of new to this stuff but have been trying to get caught up with what I don't know. My question is, should I be worried or merely annoyed by these? Here are some examples of port scanning and whatnot coming from Linode IPs.
> =-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 21:31:48 2014 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [1] (out of 5)
Scanned UDP ports: [2963-37715: 2 packets, Nmap: -sU]
iptables chain: INPUT, 2 packets
Source: 109.74.193.20
DNS: resolver2.london.linode.com
Destination: 151.236.218.67
DNS: puuska.tuuli.info
Overall scan start: Wed Sep 3 00:05:33 2014
Total email alerts: 1
Complete UDP range: [2963-55081]
Syslog hostname: puuska
Global stats: chain: interface: TCP: UDP: ICMP:
INPUT eth0 0 5 0
[+] Whois Information (source IP):
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '109.74.192.0 - 109.74.199.255'
% Abuse contact for '109.74.192.0 - 109.74.199.255' is 'abuse@linode.com'
inetnum: 109.74.192.0 - 109.74.199.255
netname: LINODE-UK
descr: Linode, LLC
country: GB
admin-c: TA2589-RIPE
tech-c: TA2589-RIPE
tech-c: LA538-RIPE
remarks: This block is used for static customer allocations
remarks: Please send abuse reports to abuse@linode.com
status: ASSIGNED PA
mnt-by: Linode-mnt
mnt-domains: Linode-mnt
source: RIPE # Filtered
person: Linode Abuse Support
address: 329 E. Jimmie Leeds Road, Suite A, Galloway, NJ 08205, USA
phone: +16093807100
abuse-mailbox: abuse@linode.com
nic-hdl: LA538-RIPE
mnt-by: Linode-mnt
source: RIPE # Filtered
person: Thomas Asaro
address: 329 E. Jimmie Leeds Road, Suite A, Galloway, NJ 08205, USA
phone: +16095937103
nic-hdl: TA2589-RIPE
mnt-by: Linode-mnt
source: RIPE # Filtered
% Information related to '109.74.192.0/20AS15830'
route: 109.74.192.0/20
descr: Linode-1
origin: AS15830
mnt-by: Linode-mnt
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.75 (DB-4)
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 21:31:48 2014 =-=-=-=-=-=-=-=-=-=-=-=
> =-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 23:02:57 2014 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [4] (out of 5)
Source: 2a01:7e00:0000:0000:8678:acff:fe0d:8f41
DNS: [No reverse dns info available]
Destination: ff02:0000:0000:0000:0000:0001:ff69:edd5
DNS: [No reverse dns info available]
Overall scan start: Mon Sep 1 13:14:02 2014
Total email alerts: 3415
Syslog hostname: puuska
Global stats: chain: interface: TCP: UDP: ICMP:
INPUT eth0 0 0 0
[+] Whois Information (source IP):
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '2a01:7e00::/32'
% Abuse contact for '2a01:7e00::/32' is 'abuse@linode.com'
inet6num: 2a01:7e00::/32
netname: EU-LINODE-201100201
descr: Linode, LLC
country: GB
org: ORG-LL72-RIPE
admin-c: TA2589-RIPE
tech-c: TA2589-RIPE
status: ALLOCATED-BY-RIR
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: Linode-mnt
mnt-routes: Linode-mnt
source: RIPE # Filtered
organisation: ORG-LL72-RIPE
org-name: Linode, LLC
org-type: LIR
address: Linode, LLC
address: Thomas Asaro
address: 329 E. Jimmie Leeds Road
Suite A
address: 08205
address: Galloway
address: UNITED STATES
phone: +16095937103
fax-no: +16152504945
abuse-mailbox: abuse@linode.com
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: Linode-mnt
mnt-by: RIPE-NCC-HM-MNT
admin-c: AF11785-RIPE
admin-c: TA2589-RIPE
admin-c: NP2924-RIPE
abuse-c: LAS85-RIPE
source: RIPE # Filtered
person: Thomas Asaro
address: 329 E. Jimmie Leeds Road, Suite A, Galloway, NJ 08205, USA
phone: +16095937103
nic-hdl: TA2589-RIPE
mnt-by: Linode-mnt
source: RIPE # Filtered
% Information related to '2a01:7e00::/32AS15830'
route6: 2a01:7e00::/32
descr: Linode-v6
origin: AS15830
mnt-by: Linode-mnt
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.75 (DB-4)
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 23:02:57 2014 =-=-=-=-=-=-=-=-=-=-=-=
That second one has something to do with IPv6 neighbour solicitation. Now, I'm thinking that it isn't an attack, although I did read something about this solicitation as a potential exploit, but I don't know because it didn't make much sense since I was half-asleep at the time. Then, the first one is a bit weird because it is coming from resolver2.london.linode.com and is a UDP scan. Why would this server be scanning my UDP ports? Maybe I'm just being paranoid with all the NSA stuff going on. I'm also getting scans from Russia, from some university or something. Those bloody Russians want to conquer the world and Finland is probably next. Then again, my server is in London. Oh well! I'm just being paranoid, which is probably healthy nowadays. Heh! I hope that I can just let out a sigh of relief and carry on using Linode to host my personal mail server etc. Damn, I have so much respect for professional system admins now!
3 Replies
@tuuli:
Damn, I have so much respect for professional system admins now!
:lol:
The trick is to not use utilities like this. What are you going to do with this information? Call the Russians and tell them to stop trying to reach you over the Internet? Besides, it looks like each of these notifications is for something already blocked by your firewall.
The first one you pasted is probably from DNS responses: you did a DNS query, and you got a response, perhaps much later than expected.
The second one is some sort of multicast traffic. I can't tell what, but it's probably harmless.
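An added triage script for the two patterns hoopycat describes, written for this thread rather than taken from psad or from either poster. It parses the header block of psad alerts laid out like the ones quoted above and tags IPv6 neighbour solicitation (destination inside the solicited-node multicast range ff02::1:ff00:0/104, where every IPv6 host listens for Neighbor Discovery) and late DNS replies (UDP from a configured resolver onto our high ports, the reading hoopycat gives of the first report). The KNOWN_RESOLVERS set, the embedded sample alert text, and the remark about checking SPT=53 are assumptions; fill the resolver list from /etc/resolv.conf on the host that produced the alerts.

```python
"""Triage psad alert e-mails of the shape quoted in this thread.

Added example for this thread; it is not psad code and not the poster's.
It pulls the header fields out of each alert (Danger level, Source,
Destination, the DNS line under each, Scanned TCP/UDP ports) and tags
the two patterns discussed: IPv6 neighbour solicitation to a
solicited-node multicast group, and UDP from one of our own recursive
resolvers onto high ports (DNS replies arriving after the firewall had
forgotten the query). KNOWN_RESOLVERS is an assumption: fill it from
/etc/resolv.conf on the host that produced the alerts.
"""
import ipaddress
import re

# Solicited-node multicast range used by IPv6 Neighbor Discovery (RFC 4291):
# a host with unicast address ...:XXYY:ZZZZ listens on ff02::1:ffYY:ZZZZ, and
# neighbour solicitations for it are sent there, not to the unicast address.
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")

# Assumption: the recursive resolvers this host queries (from resolv.conf).
KNOWN_RESOLVERS = {ipaddress.ip_address("109.74.193.20")}

# psad brackets each alert with "=-=-=... <timestamp> ...=-=-=" lines.
SEP_RE = re.compile(r"^=(?:-=)+ .+ =(?:-=)+\s*$", re.M)

# Constructed sample, modelled on the two reports quoted in the thread
# (header fields only, whois output omitted).
SAMPLE_ALERTS = """\
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 21:31:48 2014 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [1] (out of 5)
Scanned UDP ports: [2963-37715: 2 packets, Nmap: -sU]
iptables chain: INPUT, 2 packets
Source: 109.74.193.20
DNS: resolver2.london.linode.com
Destination: 151.236.218.67
DNS: puuska.tuuli.info
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 21:31:48 2014 =-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 23:02:57 2014 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [4] (out of 5)
Source: 2a01:7e00:0000:0000:8678:acff:fe0d:8f41
DNS: [No reverse dns info available]
Destination: ff02:0000:0000:0000:0000:0001:ff69:edd5
DNS: [No reverse dns info available]
Total email alerts: 3415
=-=-=-=-=-=-=-=-=-=-=-= Thu Sep 4 23:02:57 2014 =-=-=-=-=-=-=-=-=-=-=-=
"""


def parse_alerts(text):
    """Return one dict per alert block found in a psad mail body."""
    alerts = []
    for chunk in SEP_RE.split(text):
        if "Danger level:" not in chunk:
            continue
        a = {"danger": None, "proto": None, "port_lo": None, "port_hi": None,
             "src": None, "src_dns": None, "dst": None, "dst_dns": None,
             "total_alerts": None}
        last = None  # which address the next "DNS:" line belongs to
        for line in chunk.splitlines():
            line = line.strip()
            if m := re.match(r"Danger level: \[(\d)\]", line):
                a["danger"] = int(m.group(1))
            elif m := re.match(r"Scanned (TCP|UDP) ports: \[(\d+)(?:-(\d+))?:", line):
                a["proto"] = m.group(1)
                a["port_lo"] = int(m.group(2))
                a["port_hi"] = int(m.group(3) or m.group(2))
            elif m := re.match(r"(Source|Destination): (\S+)", line):
                last = "src" if m.group(1) == "Source" else "dst"
                a[last] = ipaddress.ip_address(m.group(2))
            elif (m := re.match(r"DNS: (.+)", line)) and last:
                a[last + "_dns"] = m.group(1)
                last = None
            elif m := re.match(r"Total email alerts: (\d+)", line):
                a["total_alerts"] = int(m.group(1))
        alerts.append(a)
    return alerts


def looks_eui64(addr):
    """True if an IPv6 address carries a SLAAC (modified EUI-64) interface
    identifier: the 0xfffe marker sits in bytes 11-12 of the packed form."""
    return addr.version == 6 and addr.packed[11] == 0xFF and addr.packed[12] == 0xFE


def classify(a):
    """Tag an alert with the benign pattern it matches, or 'unclassified'."""
    src, dst = a["src"], a["dst"]
    if dst.version == 6 and dst in SOLICITED_NODE:
        # A neighbour resolving one of our addresses: routine Neighbor
        # Discovery. psad's danger level scales with logged packet count, so
        # a chatty gateway pushes it up without any hostile intent.
        return "ipv6-neighbour-solicitation"
    if (src in KNOWN_RESOLVERS and a["proto"] == "UDP"
            and a["port_lo"] is not None and a["port_lo"] >= 1024):
        # Our own resolver sending UDP to our ephemeral ports: answers to
        # queries whose conntrack entry had expired, so INPUT dropped and
        # logged them. Assumption: confirm with SPT=53 in the raw iptables log.
        return "late-dns-reply"
    return "unclassified"


def triage(text):
    """Map each parsed alert to (source, destination, danger, tag)."""
    return [(str(a["src"]), str(a["dst"]), a["danger"], classify(a))
            for a in parse_alerts(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(*row)
```

Run it against a saved psad mail body (`triage(open("alert.eml").read())`) to see which alerts fall into the two known-benign buckets; anything left as unclassified is what actually deserves a look. The source in the IPv6 report has the ff:fe marker of a SLAAC address, which `looks_eui64` flags, consistent with an ordinary neighbour on the link rather than a crafted packet.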
@hoopycat:
The trick is to not use utilities like this.
Right. What do you suggest I do then?