Thanks, I'll check it out. 6 hits a second over more than 24 hours is well
over the top, whatever their excuse.
On Tue, 9 Apr 2019 at 14:55, Ryan Bibby <r.bibby@???> wrote:
> Hi Keith
>
> Stanford University you say?
>
> At work I had some suspicious traffic from some Stanford University
> addresses. I contacted their abuse contact and it turned out they host a
> commercial vulnerability scanning service. In my case they had a legitimate
> contract to do this, but the message had not reached me.
>
> It's possible that in your case it's the same tool rather than students,
> so it may be worth contacting them to find out why they are scanning your
> services.
>
> Best wishes
>
> Ryan
>
> On Tue, 9 Apr 2019, 04:45 Keith Williams, <keithwilliamsnp@???>
> wrote:
>
>> No questions, just a bit of spleen venting.
>> Having been on a little break to deepest province where internet is very
>> poor, I came back to find my vps under a lot of attacks.
>> Firstly, once or twice a day a website was going down for up to 5 minutes a
>> day. Sorted that. Fail2ban was not running for some reason (again sorted by
>> reinstalling from Debian backports). Found that known spamming IPs were
>> hitting it hard but also were hitting at virtual hosts that no longer exist
>> - Apache then redirects to the default virtual host. All sorts of things
>> then happening including SSL timeouts etc. Fail2ban, adding a daily
>> updated set of addresses from a content spammer blacklist to the firewall
>> and removing A and AAAA records where possible from Bind for those old
>> domains (I had to leave some like weirdname.exmple.com as they are
>> used by other systems such as honeytraps etc.) all seemed to bring that very
>> much under control. Some were looking for URLs that have not existed for a
>> long, long time.
>> Hours of perusing debug logs and tracking IPs via Google persuaded me to
>> reinstall something I have not used in a while.
>> My SSH is quite safe, I use a different port, don't allow password sign
>> on etc. So there is nothing listening on port 22.
>> So I set it up so that on any attempt there, the IP gets added to a naughtyboy set,
>> then is logged and dropped. Any future visits by that IP to any port,
>> logged and dropped. Bit like F2B but this is more of a permaban.
>> Within seconds there were half a dozen IPs in the set. All in the same
>> /21 CIDR block. The logs show them coming back up to twice a second each
>> for at least 24 hours now. They go for ports 22, 23, 53, 80, 443 and 7777.
>> That last one is particularly nasty. They have each done a couple of pings
>> (blocked of course). The group of 3 IPs are all registered to Stanford
>> University, so probably some students.
>>
>> Keith
>>
>> _______________________________________________
>> users mailing list
>> users@???
>> https://lists.bitfolk.com/mailman/listinfo/users
>>
>
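The port-22 trap Keith describes (first contact on a port nothing listens on adds the source to a set; set members are then logged and dropped on every port and protocol, pings included) written out as an nftables ruleset. This is an added illustration, not Keith's actual configuration and not part of the thread. It assumes IPv4 only, that the real SSH daemon listens on 2222 (a placeholder), and that 203.0.113.10 (a documentation-range address used as a stand-in) is the administrator's own address, which is exempted so that one mistyped port number can't put you in your own set.

```nftables
#!/usr/sbin/nft -f
# Added illustration of a "touch port 22 and you're out" set-based ban.
# Assumptions (not from the thread): IPv4 only, real sshd on 2222 (placeholder),
# 203.0.113.10 is the admin's own address (constructed stand-in).
flush ruleset

table inet filter {
    # Sources that ever touched port 22. "dynamic" lets rules add elements
    # from the packet path; no timeout, so membership is permanent until the
    # element is deleted by hand (Keith's "permaban").
    set naughtyboy {
        type ipv4_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Never trap the admin's own address, whatever it does.
        ip saddr 203.0.113.10 accept

        # Repeat visitors: logged (rate-limited so they can't flood the
        # journal) and dropped on any port or protocol, ICMP included.
        ip saddr @naughtyboy limit rate 5/second log prefix "naughtyboy-repeat: "
        ip saddr @naughtyboy drop

        # First contact on port 22 (nothing listens there): record the
        # source in the set, log it once, drop the packet.
        tcp dport 22 ct state new add @naughtyboy { ip saddr } log prefix "naughtyboy-new: " drop

        # The services that really exist. Pings fall through to policy drop.
        tcp dport { 2222, 80, 443 } accept
    }
}
```

Load it with `nft -f <file>` and inspect the catch with `nft list set inet filter naughtyboy`. Two caveats a practitioner would want: the set lives only in the kernel, so its contents are gone after a reboot unless you dump and reload them, and an `inet` table's `ip saddr` rules see only IPv4, so IPv6 sources would need a parallel `ipv6_addr` set with `ip6 saddr` rules.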