Help: Someone is scanning my server to try to find vulnerability and how to get rid of them
Posted by squirel_ai@reddit | linuxadmin | View on Reddit | 17 comments
Since the beginning of this month, I have someone trying to break into my server for unknow reason.
I have tried reporting their IP address mostly to Digital Ocean and tried to block some IP addresses but in vain.
These are the kind of logs I get:
- - [15/Oct/2024:14:02:21 +0000] "GET /jobs/job/40235391 HTTP/1.1" 200 6373 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
[16/Oct/2024:02:57:50 +0000] "POST /HNAP1/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
- - [16/Oct/2024:09:00:37 +0000] "\x16\x03\x02\x01o\x01" 400 226 "-" "-"
- - [16/Oct/2024:09:37:54 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 196 "-" "Custom-AsyncHttpClient"
They also tried to brute force root login and many other exploits, mostly looking for PHP vulnerability. For root login, the server requires a private and public key. I don't even know if it is secure.
I doubt it is from these companies. Seem like someone got time and is trying to make me trust them.
Is there any way to block these kinds of scans from my server?
ramriot@reddit
fail2ban is a useful server command line tool here & can really help with blocking repeat offenders.
doomygloomytunes@reddit
You'll see this on any web server connectable on the Internet
circularjourney@reddit
If you can rate limit new TCP connections without impacting your users, that might be one option. You can do that with a line or two in nftables on the webserver or router.
michaelpaoli@reddit
Firewalls, Intrusion Protection System (IPS), fail2ban, disconnect from The Internet and all networks, etc.
squirel_ai@reddit (OP)
Thank you so much
WBRobot@reddit
Internet background radiation. Bots scouring for cracks to infiltrate.
NoUselessTech@reddit
First, it always helps to read the "logs". The user agent describing Palo Alto's practices is legitimate. If you don't want them to scan you, then you can let them know.
scaninfo@paloaltonetworks.com
As for the IP information, always interesting to look up IPs here:
https://www.abuseipdb.com
As for your system configuration, the best way you can control this is to control a firewall in front of your web server. If you don't have one, they aren't terribly difficult to configure for a simple block/allow list. This will drop the packets from any unwanted traffic before they hit your web server, and reduces your reliance on others to take down other services which may or may not be legitimate.
squirel_ai@reddit (OP)
I would have believed it until I saw on the same day, a similar log but from another company from Europe. I doubt it will help If I send the message. I have a firewall, blocked some but they have a range of IPs. It is a lot of IPs being used; I didn't think that people could buy range of IPs.
NoUselessTech@reddit
Buying IPs, concern over multiple hits a day, etc are showing you aren’t comfortable with how scanning works. And that’s Ok, but the world isn’t as bleak as the news makes it sound and you’ll need to accept that it’s likely the lowkey noise that’s always there. What you can control:
Your network stack. Your vulnerabilities. Your attack surface.
What you can’t control: - Every single security researcher - Commercial products that scan the world - Script kiddies
You don’t have to buy an IP to scan the world. For $200 on AWS the CEO of a security company scanned the entire US and mapped out vulnerabilities over a summer. Then you have services like Shodan which scan the world over multiple times for you.
megared17@reddit
Is it always the same IP address?
Or are they from all over?
If its always the same IP, you could nullroute that one IP.
If its from all over, there's not much you can do.
Obviously, make sure you keep everything secure and updated to make sure you have no vulnerabilities. And make sure you're not running any services or web based interfaces that you don't actually need and use.
The paloalto networks is a legit company - if you'd prefer they not scan your server email them like their notice said.
squirel_ai@reddit (OP)
Unfortunately, multiple IPs from different providers. they are all over. I have seen another message from another security company saying the same thing that I should email them, ON THE SAME DAY. I have seen today another web app link that they register on the 14th of October, so I doubt it is from these company
SkirtWitty5859@reddit
I have never used the digital ocean but you can look for rate limiting. This should help to some extent.
squirel_ai@reddit (OP)
Thank you
ojutan@reddit
It's a shark pool out there.
Hide the server behind a reverse proxy if it has to be accessible, patch it or dont put into internet at all. Once I created a server 2016 in Azure with a public IP address, forgot to restrict IP access with "my IP" (better my modem's IP) and it was cracked within 4 days. The Admin login was safe, the server patched then it was cracked with a zero day. Then it was mining something I dont know.
For gods seek it was only an Azure demo account, I immediately deleted the server, the virtual disks, everything because it is poisonous... the last time I saw a static IP trying to gain access to one of my systems was back in 2013, I reverse attacked that IP address and knocked the system off - it was a hacker in Vietnam so I dont care, and he possibly installed the system within 15 min again.
squirel_ai@reddit (OP)
Thank you so much, I might have to create a reverse proxy. It is funny that they have not managed to break into the server. I MIGHT believe in the idea of hack-as-a service rent being used now. I suspected it. They are not giving up.
megared17@reddit
I've been running a linux VPS for over 20 years, and before that an actual physical machine of my own as well as a dozen or more servers for a regional dialup ISP.
Being broken is NOT "inevitable" if you are careful and know WTF you are doing.
Hotshot55@reddit
That's what happens when you connect a device to the internet.