Thanks, I'll check it out. 6 hits a second over more than 24 hours is well
over the top, what ever their excuse
On Tue, 9 Apr 2019 at 14:55, Ryan Bibby <r.bibby(a)gmail.com> wrote:
Hi Keith
Stanford University you say?
At work I had some suspicious traffic from some Stanford University
addresses. I contacted there abuse contact and it turned out they host a
commercial vulnerability scanning service. In my case they had a legitimate
contract to do this, but the message had not reached me.
It's possible that in your case it's the same tool rather than students,
so it may be worth contacting them to find out why they are scanning your
services.
Best wishes
Ryan
On Tue, 9 Apr 2019, 04:45 Keith Williams, <keithwilliamsnp(a)gmail.com>
wrote:
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is very
poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5 minutes a
day. Sorted that. Fail2ban was not running for some reason (again sorted by
reinstalling from Debian backports) Found that known spamming IPs were
hitting it hard but also were hitting at virtual hosts that no longer exist
- Apache then redirects to the default virtual host. All sorts of thing
then happening including SSL timeouts etc.. Fail2ban, adding a daily
updated set of addresses from a content spammer blacklist to the firewall
and removing A and AAAA records where possible from Bind for those old
domains. ( I had to leave some like
weirdname.exmple.com as they are
used by other systems such as honeytraps etc) all seemed to bring that very
much under control. Some were looking for URLs that have not existed for a
long long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me to
reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password sign
on etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy set
then is logged and dropped. Any future visits by that IP to any port,
logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same
/21 CIDR block. The logs show them coming back up to twice a second each
for at least 24 hours now. They go for ports 22.23.53, 80, 443 and 7777.
That last one is particularly nasty. They have each done a couple of pings
(blocked of course) The group of 3 IPs all are registered to Stanford
University, So probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users