31
j0n4s
2y

Fuck all these "researchers" that port scan the shit out of my servers

Comments
  • 9
    Chinese "Researchers"
  • 0
    @zlice link?
  • 9
    My server is for personal use only, so I went into Cloudflare's WAF and blocked all IPs from outside my home country so they can't even resolve the hostname. Cut failed login attempts by like 90% at least. They can still find it by IP but most don't bother.

    Although it was kind of fun watching the log files to spot the many attempts to hit /wp-admin on my static website.
  • 0
    @EmberQuill But this only works when proxied through Cloudflare, right?
  • 2
    @jonas-w I used Cloudflare but @zlice has a good solution too with ban lists.

    My problem was that I had so many connection attempts that they were DDoSing my server. Had to catch most of them before they hit my tiny underpowered VPS. Cloudflare WAF worked in that case, since the domain was proxied.
  • 0
    Thanks!
  • 0
    Adding that list yields a netlink error with "no buffer space available"...

    Searching the internet doesn't turn up anything interesting, and the debug output just segfaults, wow.
  • 1
    @zlice Okay, have blocked some. Let's see how many "researchers" want to do research in my territory.
  • 1
    @zlice True... such bullshit. Just want to have a server that exists and only gets requests from me and not from some random datacenters that feel lonely and try to contact other servers....

    I'm currently thinking about blocking the whole

    34.128.0.0 - 34.191.255.255

    range, those are all the Google Cloud customers' IPs and I've gotten some "requests" from them.
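An added example (not code from anyone in the thread) for blocking a range like the one quoted above: the inclusive start-end range is collapsed into CIDR blocks (that particular range is exactly 34.128.0.0/10) and an `ipset restore` script is emitted with the set sized up front rather than grown one entry at a time. The set name `scanners`, the second test-range entry and the firewall rule in the comments are assumptions.

```python
"""Turn start-end IP ranges into CIDR blocks and an ipset restore script.

Added example, not code from anyone in the thread. The first range is the one
quoted in the comment; the second is a constructed single host from the RFC 5737
documentation space. The set name and the iptables rule are assumptions.
"""
import ipaddress

# Constructed input: the commenter's range plus a single host, to show both paths.
RANGES = [
    ("34.128.0.0", "34.191.255.255"),
    ("203.0.113.7", "203.0.113.7"),  # constructed single host
]


def range_to_cidrs(start: str, end: str) -> list[str]:
    """Collapse an inclusive start-end range into the fewest CIDR blocks."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def ipset_restore_script(ranges, setname: str = "scanners", headroom: int = 1024) -> str:
    """Emit an `ipset restore` script that creates a hash:net set sized for the list.

    maxelem is declared as the element count plus headroom so later additions
    do not have to resize the set. hash:net holds networks of any length, so a
    /10 and a /32 live in the same set.
    """
    cidrs = []
    for start, end in ranges:
        cidrs.extend(range_to_cidrs(start, end))
    lines = [f"create {setname} hash:net family inet maxelem {len(cidrs) + headroom}"]
    lines += [f"add {setname} {cidr}" for cidr in cidrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Load with:  ipset restore -exist < scanners.ipset
    # then reference the set once from the firewall (assumed rule):
    #   iptables -I INPUT -m set --match-set scanners src -j DROP
    print(ipset_restore_script(RANGES), end="")
```

Keeping the addresses in an ipset and matching it from a single iptables rule means adding the next range is an `ipset add`, not another firewall rule, and the kernel lookup cost does not grow with the number of blocked networks.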
  • 4
    Don't bother, let 'em scan. If you did your work, there shouldn't be a weakness for them to find.
  • 2
    @Oktokolo Passwords are secure enough (> 30 characters), SSH only via key, and only the ports I need are opened. But I'm still paranoid as fuck haha
  • 3
    You guys ever heard of fail2ban? No? You should look into that.
    Also check the devsec-hardening.io InSpec profiles. ssh-baseline will do wonders.
  • 3
    @jonas-w Just remember that port scans are part of the normal background noise. No need to be anxious when putting a helpless machine containing valuable data ripe to be plucked by anyone who likes to on the evil internet...
  • 1
    @NeatNerdPrime fail2ban isn't useful when passwords/keys aren't weak. It also had RCEs in the past while normally running as root...
  • 1
    @NeatNerdPrime I have it up and running on my machine, but the thing is the port scanning doesn't happen from one IP but from a whole subnet. Also the brute-forcing of passwords isn't from one IP. So fail2ban is pretty useless in that scenario.
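An added example, not code from any commenter, illustrating the point above: fail2ban's stock jails count failures per source address, so a sweep that spends one or two attempts per host across a whole /24 never reaches a per-IP `maxretry`. The snippet parses sshd "Failed password/publickey" lines and aggregates them per prefix instead. The log excerpt is constructed and uses RFC 5737 documentation addresses; the thresholds are assumptions.

```python
"""Count failed SSH logins per source subnet instead of per IP.

Added example (not anyone's posted code). Per-IP banning is blind to a sweep
that is spread thinly across a subnet; grouping by prefix makes it visible.
The log lines are constructed; addresses come from the RFC 5737 ranges.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt: a distributed sweep from 198.51.100.0/24
# (one attempt per host) and one lone retrier from 192.0.2.0/24.
SAMPLE_LOG = """\
Jan 12 03:14:07 vps sshd[4011]: Failed password for invalid user admin from 198.51.100.12 port 51234 ssh2
Jan 12 03:14:09 vps sshd[4013]: Failed password for root from 198.51.100.77 port 40022 ssh2
Jan 12 03:14:11 vps sshd[4015]: Failed password for invalid user oracle from 198.51.100.130 port 38810 ssh2
Jan 12 03:14:14 vps sshd[4017]: Failed publickey for root from 198.51.100.201 port 44102 ssh2: RSA SHA256:AAAA
Jan 12 03:14:16 vps sshd[4019]: Failed password for invalid user test from 198.51.100.250 port 50103 ssh2
Jan 12 03:15:02 vps sshd[4021]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jan 12 03:15:05 vps sshd[4021]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jan 12 03:15:30 vps sshd[4030]: Accepted publickey for jonas from 203.0.113.5 port 52000 ssh2: ED25519 SHA256:BBBB
"""

# Matches the two common sshd failure messages; "invalid user" is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from (\S+) port \d+"
)


def failures_by_ip(log_text: str) -> Counter:
    """Per-IP failure counts: the view a per-address ban tool has."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def failures_by_prefix(log_text: str, prefixlen: int = 24) -> dict:
    """Aggregate failures per /prefixlen network, recording the distinct hosts seen."""
    per_net = defaultdict(lambda: {"failures": 0, "hosts": set()})
    for ip, n in failures_by_ip(log_text).items():
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        per_net[net]["failures"] += n
        per_net[net]["hosts"].add(ip)
    return dict(per_net)


def subnets_to_ban(log_text: str, maxretry: int = 5, min_hosts: int = 3, prefixlen: int = 24) -> list[str]:
    """Prefixes whose combined failures reach maxretry across at least min_hosts hosts.

    min_hosts keeps one noisy address from getting its whole /24 banned; that
    case is already handled by an ordinary per-IP ban.
    """
    hits = [
        net
        for net, info in failures_by_prefix(log_text, prefixlen).items()
        if info["failures"] >= maxretry and len(info["hosts"]) >= min_hosts
    ]
    return sorted(hits)


if __name__ == "__main__":
    print("per IP:", dict(failures_by_ip(SAMPLE_LOG)))
    print("per /24:", {k: v["failures"] for k, v in failures_by_prefix(SAMPLE_LOG).items()})
    print("ban:", subnets_to_ban(SAMPLE_LOG))
```

With the default `maxretry` of 5 no single address in the sample is ever banned, yet the /24 as a whole has crossed the threshold; the prefix list is what you would feed into an ipset or a WAF rule.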
  • 2
    Every day I get a request like this.

    "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com" its just a random bot scanning the internet.
  • 2
    Give 'em something to chew on (from my nginx reverse proxy) after they conquered your geoblocking:

    A classical zip bomb:

    location ~* \.php(/|$) {
        # every .php request is answered out of this directory
        root /etc/nginx/analyze_THIS;
        # whatever path the scanner asked for, it gets the bomb
        try_files $uri /10G.php;
        # serve .php as text/html so the client renders it instead of downloading
        types { text/html php; }
        add_header Expires "Wed, 11 Jan 1984 05:00:00 GMT";
        # tell the client the body is gzip so it does the inflating
        add_header Content-Encoding gzip;
    }

    analyze_THIS is a 10GB binary file with every byte 0x00.
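An added example (not the commenter's code) that builds the compressed file behind a location like the one above. The point of the trick is that gzip's DEFLATE stage compresses a run of zero bytes at roughly 1000:1, so a body that inflates to 10 GB occupies about 10 MB on disk and nginx only ever sends those few MB; the scanner's HTTP client does the inflating. The output path and default size are assumptions chosen to match the snippet.

```python
"""Build a gzip bomb: a small file on disk that inflates to gigabytes of zeros.

Added example, not the commenter's code. Zeros are streamed through gzip in
fixed chunks so memory stays flat no matter how large the inflated size is,
which matters on a small VPS. The path and the 10 GB default are assumptions.
"""
import gzip
import os

GIB = 1024 ** 3


def write_gzip_bomb(path: str, inflated_bytes: int = 10 * GIB, chunk: int = 1 << 20) -> int:
    """Stream `inflated_bytes` zero bytes through gzip into `path`; return the on-disk size."""
    zeros = bytes(chunk)
    remaining = inflated_bytes
    # compresslevel 9 squeezes the repetitive input as far as DEFLATE allows
    with gzip.open(path, "wb", compresslevel=9) as out:
        while remaining > 0:
            n = min(chunk, remaining)
            out.write(zeros if n == chunk else zeros[:n])
            remaining -= n
    return os.path.getsize(path)


def inflated_size(path: str, chunk: int = 1 << 20) -> int:
    """Decompress in chunks and count the bytes, the sanity check before deploying."""
    total = 0
    with gzip.open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            total += len(block)
    return total


if __name__ == "__main__":
    # Path assumed to match the nginx snippet: root + try_files fallback.
    target = "/etc/nginx/analyze_THIS/10G.php"
    os.makedirs(os.path.dirname(target), exist_ok=True)
    on_disk = write_gzip_bomb(target)
    print(f"{target}: {on_disk} bytes on disk, {inflated_size(target)} bytes inflated")
```

Generating the full 10 GB takes a few minutes of CPU but only a few MB of disk; run `inflated_size` once after building it and then never again on the production box, since that check is itself a 10 GB decompression.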
  • 0
    @jaydee101 And the scanning will massively reduce.
  • 1
    @yukiinothekid Well, WordPress is the biggest vulnerable thing out there, it's the low-hanging fruit haha. But the funniest thing was an SSH honeypot, which is a fake SSH shell that logs what the attacker types into the "shell", and the stuff they try to execute is absolutely weird.
  • 0
    @yukiinothekid Serve a 10GB gzip bomb under those wp-* paths and they won't bother you again.