amuck-landowner

Hardening my server / Reality check

MartinD

Retired Staff
Verified Provider
Who knows with the Chinese. They may have found a few targets that responded on those ports for a certain service so now they're scanning everything/anything to try and get a hit.

I stopped trying to figure out "Why" when it comes to the Chinese and I now settle on "because China".
 

HalfEatenPie

The Irrational One
Retired Staff
I'm too lazy to check myself, but maybe take a look at this: https://www.us-cert.gov/ncas/bulletins/SB14-335

Could be a recent vulnerability it was testing for.

But honestly, what MartinD said is right.  "Because China".  

Most of the malicious traffic I get on my servers is also from China.  Second highest though is the United States (lol).
 

fixidixi

Active Member
[..]

Most of the malicious traffic I get on my servers is also from China.  Second highest though is the United States (lol).
B) That's a good one..

That's a lie! There are only angels living in the US! Even the servers (which anyone can rent, by the way) are spreading democracy :).
 

HalfEatenPie

The Irrational One
Retired Staff
B) That's a good one..

That's a lie! There are only angels living in the US! Even the servers (which anyone can rent, by the way) are spreading democracy :).
You know what.  It's not malicious traffic from the US.  It's FREEDOM TRAFFIC.  READY TO LIBERATE MY SERVER IN THE NAME OF DEMOCRACY!

WHERE'S AN ASSAULT RIFLE WHEN YOU NEED IT?  HOO RAH!  
 

drmike

100% Tier-1 Gogent
You know what.  It's not malicious traffic from the US.  It's FREEDOM TRAFFIC.  READY TO LIBERATE MY SERVER IN THE NAME OF DEMOCRACY!

WHERE'S AN ASSAULT RIFLE WHEN YOU NEED IT?  HOO RAH!  
Oh, the US can gladly liberate your data with a bunker buster or some heat seeking missiles aimed at your datacenter.
 

stim

New Member
The Yanks don't bother me - even if they are No. 2. The Brits even less.

China is way out in the lead with 63%. What a waste.
 

EnveraHost

New Member
I would suggest whitelisting your IPs, and a few remote ones too, such as a private VPN, just to make sure you still retain access.
 

stim

New Member
I would suggest whitelisting your IPs, and a few remote ones too, such as a private VPN, just to make sure you still retain access.

This is what I will do eventually.

However just observing has proved useful and informative. Nearly 50% of blocks are from a single Chinese subnet.

I've also been having fun with the geolocation data. I reported some identifiable misdemeanors to hosting companies and they all took action, fair play to them.

I'm also pretty sure there is a government facility in St Louis. They don't seem bothered about hiding themselves. Wankers.
 

rampro

New Member
Most of the Chinese probes are originating from Chinese-made Digital Video Recorders.  Even if these probes originate from the US/UK/Mexico/Thailand/Hong Kong, they are from Chinese-made DVRs installed there.

In some cases, these probes originate from ADSL modems.

The embedded software in these devices has an SDK port open to accept dynamic updates, through which the handlers are making the probes.

In most cases the equipment owners are innocents who have left their devices open to the Internet.

There seems to be a coordinated execution by the firmware creators/exploiters.
 

winnervps

New Member
Verified Provider
In WHM/cPanel, there is a CSF script that can fetch IP addresses from SpamCop, etc. (in the lfd.blocklist).

In securing a server, is anybody willing to create such a script (on GitHub probably)? Or a similar script to fetch such databases and inject them into our iptables block list? Thanks *just an idea / or maybe one already exists*
 
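The blocklist-to-iptables script winnervps asks for, combined with the whitelist-first advice EnveraHost gave above, as an added example that is not part of any post in this thread. It assumes a feed of one IPv4 address or CIDR per line with '#' comments (not a specific lfd.blocklist source), a placeholder feed URL, placeholder whitelist addresses from the RFC 5737 documentation ranges, and ipset plus iptables on the host; it prints the commands instead of running them so the output can be reviewed before being piped to sh as root:

```shell
#!/bin/sh
# Added example (not from the thread): turn a downloaded IP blocklist into an
# ipset plus one iptables DROP rule, with the admin's own addresses whitelisted
# ahead of it so a bad feed cannot lock you out.
# Assumptions: feed is one IPv4 address or CIDR per line with '#' comments;
# WHITELIST, SETNAME and FEED_URL are placeholders, not real infrastructure.

WHITELIST="203.0.113.10 198.51.100.0/24"          # your own / VPN addresses
SETNAME="feed_block"
FEED_URL="https://example.invalid/blocklist.txt"  # placeholder; not fetched here

# Keep only syntactically valid IPv4 addresses/CIDRs: strip comments and
# whitespace, reject hostnames, octets over 255 and prefix lengths over 32,
# then deduplicate. Prints one entry per line.
parse_blocklist() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256' \
    | LC_ALL=C sort -u
}

# Print the ipset/iptables commands rather than run them, so they can be
# reviewed first (or piped to sh as root). Refuses an empty list: a feed that
# returned an error page would otherwise flush the live set and block nothing.
gen_rules() {
    list="$1"
    count=$(awk 'END { print NR }' "$list")
    if [ "$count" -eq 0 ]; then
        echo "refusing to apply an empty list (fetch failed?)" >&2
        return 1
    fi
    # Build the new set on the side, then swap it in atomically below.
    echo "ipset create ${SETNAME}_new hash:net -exist"
    echo "ipset flush ${SETNAME}_new"
    while read -r net; do
        echo "ipset add ${SETNAME}_new $net -exist"
    done < "$list"
    # Whitelist rules go first (positions 1..n); -C makes repeated runs
    # idempotent instead of stacking duplicate rules.
    n=0
    for ip in $WHITELIST; do
        n=$((n + 1))
        echo "iptables -C INPUT -s $ip -j ACCEPT 2>/dev/null || iptables -I INPUT $n -s $ip -j ACCEPT"
    done
    # The DROP rule sits right after the whitelist and references the live set,
    # which must exist before the rule is added.
    echo "ipset create $SETNAME hash:net -exist"
    echo "iptables -C INPUT -m set --match-set $SETNAME src -j DROP 2>/dev/null || iptables -I INPUT $((n + 1)) -m set --match-set $SETNAME src -j DROP"
    echo "ipset swap ${SETNAME}_new $SETNAME"
    echo "ipset destroy ${SETNAME}_new"
}

# Demo with a constructed feed (not real data) carrying the junk real feeds
# contain: comments, a hostname, a bad octet, a bad prefix and a duplicate.
# For a real run, replace the heredoc with: curl -fsS "$FEED_URL" -o "$raw"
raw=$(mktemp)
cat > "$raw" <<'EOF'
# constructed sample feed
192.0.2.1
192.0.2.5    # with inline comment
bad.example.net
300.1.1.1
198.51.100.0/33
192.0.2.1
192.0.2.0/24
EOF
clean=$(mktemp)
parse_blocklist "$raw" > "$clean"
gen_rules "$clean"
rm -f "$raw" "$clean"
```

The swap-in of a freshly built set is what keeps the server protected during a refresh: there is no moment where the live set is empty. The empty-list refusal is the check that matters most in practice, since a feed that starts returning an HTML error page would otherwise quietly turn the blocklist off on the next cron run.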

drmike

100% Tier-1 Gogent
In WHM/cPanel, there is a CSF script that can fetch IP addresses from SpamCop, etc. (in the lfd.blocklist).

In securing a server, is anybody willing to create such a script (on GitHub probably)? Or a similar script to fetch such databases and inject them into our iptables block list? Thanks *just an idea / or maybe one already exists*
What is in the lfd.blocklist for sources?  Post those if you can.
 