Several of the servers at work regularly see ping requests in the
hundreds per second, and amprgw sees them as well. I have ping responses
throttled to 5 per second on most of my hosts in order to be a good
network neighbor. I log a lot of 'open port RST response' probes as well.
I assume these are partly just curious scanners looking for live hosts
in our network ranges, but a lot of them are probably requests with
forged/spoofed source addresses so as to attack other systems.
The thousands of failed attempts per day to log in as 'root' are also
annoying and pollute my log files. Many of these servers are used
legitimately by researchers all around the world, so it's not practical
to firewall them off from the outside world. I do have root logins
disabled, so even if the probers guess the right password, they can't
log in as root. And I use 'denyhosts' and 'fail2ban' to block the
probers, but there's always another one waiting to start.
During one hour yesterday that I looked at, according to the netflow data
for amprgw, as much as half of the inbound packets were DNS queries to
either of two hosts on the 44.44.7.224 subnet. There are up to hundreds of
these requests per second from many varied source addresses. Those two
hosts used to respond to the queries; they don't any more.
It's a hostile world out there.
- Brian
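The netflow observation above (half of inbound packets being DNS queries to two hosts, from many varied sources) is the kind of thing worth checking with a script rather than by eye. The following is an added example, not code from Brian's message or from any netflow tool: it reads flow records in a simplified CSV layout of my own (not nfdump or SiLK output), and the prefix 44.44.7.224/27, the two target addresses and all of the sample flows are constructed assumptions standing in for the hosts in the thread.

```python
"""Measure how much of a gateway's inbound traffic is DNS queries to a few hosts.

Added example, not code from the original message or from any netflow tool.
The flow records below are constructed in a simplified CSV layout
(start_epoch,src,dst,proto,dport,packets); the prefix and target addresses
are assumptions, not the real AMPRNet hosts.
"""
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("44.44.7.224/27")  # assumed: subnet behind the gateway
DNS_TARGETS = {"44.44.7.226", "44.44.7.227"}        # assumed: the two hosts being queried

# Constructed sample covering about twenty seconds of flows.
SAMPLE_FLOWS = """\
1495521600,198.51.100.7,44.44.7.226,udp,53,40
1495521601,198.51.100.8,44.44.7.226,udp,53,35
1495521601,203.0.113.9,44.44.7.227,udp,53,50
1495521602,192.0.2.77,44.44.7.227,udp,53,45
1495521603,203.0.113.10,44.44.7.226,udp,53,30
1495521605,192.0.2.5,44.44.7.230,tcp,22,12
1495521610,198.51.100.20,44.44.7.231,tcp,443,60
1495521611,203.0.113.4,44.44.7.229,icmp,0,25
1495521620,192.0.2.6,44.44.7.226,udp,53,3
"""


def parse_flows(text):
    """Parse the constructed CSV layout into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "packets": int(pkts)})
    return flows


def inbound(flows):
    """Keep flows from outside LOCAL_NET to a host inside it."""
    return [f for f in flows
            if ipaddress.ip_address(f["dst"]) in LOCAL_NET
            and ipaddress.ip_address(f["src"]) not in LOCAL_NET]


def dns_query_share(flows, targets=DNS_TARGETS):
    """Return (share, dns_packets, total_inbound_packets, packets_per_source)
    for UDP/53 traffic aimed at `targets`."""
    inb = inbound(flows)
    total = sum(f["packets"] for f in inb)
    per_source = Counter()
    for f in inb:
        if f["proto"] == "udp" and f["dport"] == 53 and f["dst"] in targets:
            per_source[f["src"]] += f["packets"]
    dns = sum(per_source.values())
    return (dns / total if total else 0.0), dns, total, per_source


def queries_per_second(flows, targets=DNS_TARGETS):
    """Average query packet rate over the span covered by the DNS flows."""
    dns = [f for f in inbound(flows)
           if f["proto"] == "udp" and f["dport"] == 53 and f["dst"] in targets]
    if not dns:
        return 0.0
    span = max(f["ts"] for f in dns) - min(f["ts"] for f in dns) + 1
    return sum(f["packets"] for f in dns) / span


def looks_like_flood(flows, targets=DNS_TARGETS, min_share=0.3, min_sources=5):
    """Heuristic: a large share of inbound packets, spread over many sources.
    Thresholds are assumptions to tune per site, not anything from the thread."""
    share, _, _, per_source = dns_query_share(flows, targets)
    return share >= min_share and len(per_source) >= min_sources


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    share, dns, total, per_source = dns_query_share(flows)
    print(f"DNS to targets: {dns}/{total} inbound packets ({share:.0%}), "
          f"{len(per_source)} distinct sources, "
          f"{queries_per_second(flows):.1f} queries/s")
    print("flood heuristic:", looks_like_flood(flows))
```

The share is computed over inbound packets only, so traffic the gateway originates does not dilute it; the per-source counter is what tells a small number of heavy sources (a misconfigured resolver) apart from the "many varied source addresses" pattern the message describes.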
On Tue, May 23, 2017 at 06:40:54AM +0000, Ruben ON3RVH wrote:
Hey Ronen,
Unfortunately that is "normal" behaviour these days on the internet. Bots
scanning networks for ssh/telnet/sip to abuse and continue spreading.
It stops after a while from that particular IP when that IP gets blocked, but will then
continue from other IPs. That is how botnets work around firewalls: if one IP gets
blocked, they just retry from other hosts under their control.
It is best practice to firewall anything inbound that you don't need publicly
available from the internet.
Ruben - ON3RVH
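Both messages describe the same pattern: per-IP banning (denyhosts, fail2ban) stops one source and the next one takes over. The following added example, which is not code from this thread and not fail2ban itself, replays fail2ban-style maxretry/findtime/bantime logic over a constructed auth.log sample so that effect can be seen offline. The host name amprgw, the process IDs and every address in the sample are made up.

```python
"""Fail2ban-style banning of SSH brute-force sources, replayed over a log.

Added example, not code from the original thread and not fail2ban itself:
it re-implements the maxretry/findtime/bantime idea over a constructed
auth.log sample. Host name, PIDs and addresses are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH 'Failed password' lines in the usual syslog layout (no year).
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one source hammers root, gets banned, keeps trying;
# a second source starts up; an unrelated legitimate login is mixed in.
SAMPLE_AUTH_LOG = """\
May 23 06:40:01 amprgw sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
May 23 06:40:03 amprgw sshd[4102]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 23 06:40:04 amprgw sshd[4103]: Failed password for root from 203.0.113.5 port 51251 ssh2
May 23 06:40:05 amprgw sshd[4104]: Accepted publickey for brian from 192.0.2.10 port 40022 ssh2: RSA SHA256:abc
May 23 06:40:06 amprgw sshd[4105]: Failed password for root from 203.0.113.5 port 51260 ssh2
May 23 06:40:07 amprgw sshd[4106]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
May 23 06:40:09 amprgw sshd[4107]: Failed password for root from 203.0.113.5 port 51270 ssh2
May 23 06:40:20 amprgw sshd[4108]: Failed password for root from 198.51.100.44 port 2200 ssh2
May 23 06:40:21 amprgw sshd[4109]: Failed password for root from 198.51.100.44 port 2201 ssh2
May 23 06:55:00 amprgw sshd[4200]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""


def parse_failures(text, year=2017):
    """Return (timestamp, user, ip) for each 'Failed password' line.
    syslog omits the year, so it is supplied (2017 matches the thread)."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def replay_bans(failures, maxretry=3, findtime=600, bantime=3600):
    """Replay failures in log order. An IP with >= maxretry failures inside
    findtime seconds is banned for bantime seconds; attempts from a banned
    IP are counted as 'dropped' (the firewall would never let them reach sshd)."""
    window = defaultdict(deque)   # ip -> recent failure timestamps
    banned_until = {}             # ip -> datetime the ban expires
    dropped = 0
    seen = []                     # failures that actually reached sshd
    for ts, user, ip in failures:
        if ip in banned_until and ts < banned_until[ip]:
            dropped += 1
            continue
        banned_until.pop(ip, None)          # ban (if any) has expired
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        seen.append((ts, user, ip))
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return {"bans": banned_until, "dropped": dropped, "seen": seen}


def root_sources(seen):
    """Distinct addresses that attempted the root account and got through to sshd."""
    return {ip for _, user, ip in seen if user == "root"}


if __name__ == "__main__":
    result = replay_bans(parse_failures(SAMPLE_AUTH_LOG))
    for ip, until in result["bans"].items():
        print(f"banned {ip} until {until:%H:%M:%S}")
    print(f"dropped after ban: {result['dropped']}")
    print(f"root attempts still arriving from: {sorted(root_sources(result['seen']))}")
```

Even with the first source banned after three tries, the replay shows root attempts continuing from a second address, which is the point both messages make: per-IP bans clean up the logs and slow one bot down, but only disabling root logins (or not exposing the service at all) takes the target away.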