Highjo
04-23-2014 04:43 AM
How to react to psad scanning alert on a ubuntu server?
Hello Experts!
I am running an office web hosting server (for office web sites and tests) on Ubuntu 12.04 LTS. I have some level of security measures: psad, fail2ban, no root SSH login, no ping, mod-security, etc. I started getting some psad alerts on a daily basis from different hosts. I am wondering if there is something in particular I should worry about or that I should do.
The alerts look like this example:
Code:
Danger level: [1] (out of 5)
Scanned UDP ports: [28950-28952: 3 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 3 packets
Source: 37.115.20.153
DNS: 37-115-20-153-broadband.kyivstar.net
Destination: xxx.xxx.xxx.xxx
DNS: my.server.com
Overall scan start: Mon Mar 31 11:54:49 2014
Total email alerts: 1
Complete UDP range: [28950-28952]
Syslog hostname: loft4087
Global stats: chain: interface: TCP: UDP: ICMP:
INPUT eth0 0 5 0
[+] Whois Information (source IP):
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 37.115.20.153"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=37.115.20.153?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 37.0.0.0 - 37.255.255.255
CIDR: 37.0.0.0/8
OriginAS:
NetName: RIPE-37
NetHandle: NET-37-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2010-11-30
Updated: 2011-01-17
Ref: http://whois.arin.net/rest/net/NET-37-0-0-0-1
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: http://whois.arin.net/rest/org/RIPE
ReferralServer: whois://whois.ripe.net:43
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Found a referral to whois.ripe.net:43.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '37.115.0.0 - 37.115.63.255'
% Abuse contact for '37.115.0.0 - 37.115.63.255' is 'abuse@kyivstar.net'
inetnum: 37.115.0.0 - 37.115.63.255
netname: KYIVSTAR-NET-7
descr: Kyivstar GSM
descr: Ukrainian mobile phone operator
country: UA
admin-c: KSUA-RIPE
tech-c: KSUA-RIPE
status: ASSIGNED PA
mnt-by: KYIVSTAR-MNT
mnt-lower: KYIVSTAR-MNT
mnt-routes: KYIVSTAR-MNT
source: RIPE # Filtered
role: Kyivstar GSM
address: Degtyarevskaya, 53
address: Kiev, Ukraine
admin-c: AEL17-RIPE
tech-c: JEDI-RIPE
tech-c: AEL17-RIPE
nic-hdl: KSUA-RIPE
mnt-by: KYIVSTAR-MNT
source: RIPE # Filtered
% Information related to '37.115.0.0/16AS15895'
route: 37.115.0.0/16
descr: Kyivstar GSM, Kiev, Ukraine
origin: AS15895
mnt-by: KYIVSTAR-MNT
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)
Another one is:
Code:
Danger level: [2] (out of 5)
Scanned UDP ports: [28950: 1 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
Source: 79.129.25.166
DNS: burn--net.static.otenet.gr
Destination: xxx.xxx.xxx.xxx
DNS: my.server.com
Overall scan start: Sun Mar 9 18:11:45 2014
Total email alerts: 10
Complete UDP range: [28950-28952]
Syslog hostname: loft4087
Global stats: chain: interface: TCP: UDP: ICMP:
INPUT eth0 0 19 0
Should I install denyhosts and block the IPs? There are actually a good number of different IP addresses.
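The two alerts quoted above share a few details worth reading mechanically before deciding on a block list: the iptables log prefix is "[UFW BLOCK]", so UFW dropped those UDP probes before anything listened on them; the psad danger levels are 1 and 2 out of 5; and the second source has triggered 10 alert e-mails while the first has triggered only one. The script below is an added example, not code from the original post or from psad itself: it parses alert headers of exactly this shape, groups them by source, and classifies each source as noise (already dropped, aimed at ports the host does not serve), worth a review, or a block candidate. The sample alerts are constructed from the fields quoted in the post, and the thresholds (`repeat_limit`, `danger_floor`) and the `LISTENERS` set are assumptions chosen for illustration.

```python
# Added example, not code from the original post: a small triage script for
# psad alert e-mails. The sample alerts are constructed from the fields quoted
# in the post; thresholds and the listener set are assumptions for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_ALERTS = """\
Danger level: [1] (out of 5)
Scanned UDP ports: [28950-28952: 3 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 3 packets
Source: 37.115.20.153
DNS: 37-115-20-153-broadband.kyivstar.net
Destination: xxx.xxx.xxx.xxx
DNS: my.server.com
Total email alerts: 1

Danger level: [2] (out of 5)
Scanned UDP ports: [28950: 1 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
Source: 79.129.25.166
DNS: burn--net.static.otenet.gr
Total email alerts: 10
"""

# Ports this host actually serves (assumed for the example).
LISTENERS = {"tcp": {22, 80, 443}, "udp": set()}

@dataclass
class Alert:
    danger: int
    proto: str
    ports: tuple          # (low, high), inclusive
    packets: int
    prefix: str           # iptables log prefix, e.g. "[UFW BLOCK]"
    source: str
    dns: str
    total_alerts: int     # how often psad has mailed about this source

_FIELDS = {
    "danger": re.compile(r"^Danger level: \[(\d)\]", re.M),
    "ports": re.compile(r"^Scanned (TCP|UDP) ports: \[(\d+)(?:-(\d+))?: (\d+) packets", re.M),
    "prefix": re.compile(r'^iptables chain: \S+ \(prefix "([^"]*)"\)', re.M),
    "source": re.compile(r"^Source: (\S+)", re.M),
    "dns": re.compile(r"^DNS: (\S+)", re.M),   # first DNS line is the source's
    "total": re.compile(r"^Total email alerts: (\d+)", re.M),
}

def parse_alert(block: str) -> Alert:
    """Parse the header of one psad alert into an Alert."""
    m = {k: rx.search(block) for k, rx in _FIELDS.items()}
    if any(v is None for v in m.values()):
        raise ValueError("alert header is missing a required field")
    proto, lo, hi, pkts = m["ports"].groups()
    return Alert(danger=int(m["danger"].group(1)), proto=proto.lower(),
                 ports=(int(lo), int(hi or lo)), packets=int(pkts),
                 prefix=m["prefix"].group(1), source=m["source"].group(1),
                 dns=m["dns"].group(1), total_alerts=int(m["total"].group(1)))

def parse_alerts(text: str) -> list:
    """Split a dump of several alerts at each 'Danger level:' line."""
    blocks = re.split(r"\n(?=Danger level:)", text.strip())
    return [parse_alert(b) for b in blocks if b.strip()]

def hits_listener(alert: Alert) -> bool:
    """True if the scanned range overlaps a port this host serves."""
    lo, hi = alert.ports
    return any(lo <= p <= hi for p in LISTENERS.get(alert.proto, set()))

def triage(alert: Alert, repeat_limit: int = 5, danger_floor: int = 3) -> str:
    """Classify one alert (rules are assumptions for this example):
    high danger or a source that keeps tripping alerts -> block-candidate;
    dropped by a firewall rule and aimed at closed ports -> log-only."""
    dropped = "BLOCK" in alert.prefix.upper()
    if alert.danger >= danger_floor or alert.total_alerts >= repeat_limit:
        return "block-candidate"
    if dropped and not hits_listener(alert):
        return "log-only"
    return "review"

def summarize(text: str) -> dict:
    """Group alerts by source with totals and the most severe verdict."""
    rank = {"log-only": 0, "review": 1, "block-candidate": 2}
    by_src = defaultdict(list)
    for a in parse_alerts(text):
        by_src[a.source].append(a)
    return {src: {"dns": al[0].dns, "alerts": len(al),
                  "packets": sum(a.packets for a in al),
                  "max_danger": max(a.danger for a in al),
                  "verdict": max((triage(a) for a in al), key=rank.__getitem__)}
            for src, al in by_src.items()}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_ALERTS).items():
        print(f"{src:16} {info['dns']:40} danger={info['max_danger']} "
              f"packets={info['packets']} -> {info['verdict']}")
```

Run against the two sample alerts, the Kyivstar source comes out as log-only (danger 1, one e-mail, probes dropped by UFW at ports nothing listens on) and the otenet.gr source as a block candidate only because it has tripped ten alerts. The point of the listener check is that a few UDP packets to closed, firewalled ports are background noise on any public host; the fields to watch are the danger level climbing, the same source recurring, or a scan that starts to touch ports the server really serves. psad can also act on the danger level by itself through ENABLE_AUTO_IDS and AUTO_IDS_DANGER_LEVEL in psad.conf, which is the built-in alternative to adding denyhosts for this purpose.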