Hardening my server / Reality check

[MartinD]

Who knows with the Chinese. They may have found a few targets that responded on those ports for a certain service so now they're scanning everything/anything to try and get a hit.

I stopped trying to figure out "Why" when it comes to the Chinese and I now settle on "because China".

 

[Jasson.Pass]

http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf

 

[HalfEatenPie]

I'm too lazy to check myself, but maybe take a look at this: https://www.us-cert.gov/ncas/bulletins/SB14-335

Could be a recently vulnerability it was testing for.  

But honestly, what MartinD said is right.  "Because China".  

Most of the malicious traffic I get from my servers are also from China.  Second highest though is the United States (lol).  

 

[fixidixi]

[..]

Most of the malicious traffic I get from my servers are also from China.  Second highest though is the United States (lol).  

B) Thats a good one..

Thats a lie! There are only angels living in the US! Even the servers (which anyone can rent by the way) are spreading democarcy .

 

[HalfEatenPie]

B) Thats a good one..

Thats a lie! There are only angels living in the US! Even the servers (which anyone can rent by the way) are spreading democarcy .

You know what.  It's not malicious traffic from the US.  It's FREEDOM TRAFFIC.  READY TO LIBERATE MY SERVER IN THE NAME OF DEMOCRACY!

WHERE'S AN ASSAULT RIFLE WHEN YOU NEED IT?  HOO RAH!  

 

[drmike]

You know what.  It's not malicious traffic from the US.  It's FREEDOM TRAFFIC.  READY TO LIBERATE MY SERVER IN THE NAME OF DEMOCRACY!

WHERE'S AN ASSAULT RIFLE WHEN YOU NEED IT?  HOO RAH!  

Oh, the US can gladly liberate your data with a bunker buster or some heat seeking missiles aimed at your datacenter.

 

[stim]

The Yanks don't bother me - even if they are No. 2. The Brits even less.

China is way out in the lead with 63%. What a waste.

 

[EnveraHost]

I would suggest whitelisting your IP's, a few remote ones too such as a private VPN just to make sure you still retain access.

 

[stim]

I would suggest whitelisting your IP's, a few remote ones too such as a private VPN just to make sure you still retain access.

This is what I will do eventually.

However just observing has proved useful and informative. Nearly 50% of blocks are from a single Chinese subnet.

I've also been having fun with the geolocation data. I reported some idetifiable misdemeanors to Hosting companies and they all took action, fair play to them.

I'm also pretty sure there is a government facility in St Louis. They don't seem bothered about hiding themsleves. Wankers.

 

[Serveo]

I stopped trying to figure out "Why" when it comes to the Chinese and I now settle on "because China".

Information is king (-;

@stim why don't you use something like fail2ban?

 

[rampro]

Most of the Chinese probes are originating from Chinese made Digital Video Recorders.  Even if these  probes originate from US/UK/Mexico/Thailand/Hong Kong, they are from Chinese made DVRs[SIZE=14.3999996185303px] [/SIZE]installed there. 

[SIZE=14.3999996185303px]In some cases, these probes originate from ADSL Modems. [/SIZE]

[SIZE=14.3999996185303px]The embedded software in these devices has SDK port opened to accept dynamic updates, through which the handlers are making the probes.[/SIZE]

[SIZE=14.3999996185303px]In most cases the equipment owners are innocents who kept opened their devices to the Internet.[/SIZE]

[SIZE=14.3999996185303px]There seems to be a coordinated execution by the firmware creators/exploiters.[/SIZE]

 

[winnervps]

In WHM/Cpanel, there is a CSF script that could fetch IP addresses from SPAMcop, etc. (in the lfd.blocklist)

In securing a server, is anybody willing to create such script (at github probably)? or similiar script to fetch such databases and inject into our IPTABLES block list? Thanks *just an idea/or there were already there*

 

[drmike]

In WHM/Cpanel, there is a CSF script that could fetch IP addresses from SPAMcop, etc. (in the lfd.blocklist)

In securing a server, is anybody willing to create such script (at github probably)? or similiar script to fetch such databases and inject into our IPTABLES block list? Thanks *just an idea/or there were already there*

What is in the lfd.blocklist for sources ???  Post those if you can.

 

[souen]

9064 looks like a common proxy port. Not sure about the other one.