LinuxQuestions.org > Linux - Security
How to react to psad scanning alert on a ubuntu server? (https://www.linuxquestions.org/questions/linux-security-4/how-to-react-to-psad-scanning-alert-on-a-ubuntu-server-4175502669/)

Highjo 04-23-2014 04:43 AM

How to react to psad scanning alert on a ubuntu server?
 
Hello Experts!

I am running an office web hosting server (for office web sites and testing) on Ubuntu 12.04 LTS. I have some level of security measures: psad, fail2ban, no root ssh login, no ping, mod-security, etc. I started getting psad alerts on a daily basis from different hosts. I am wondering if there is something in particular I should worry about or that I should do.

The alerts look like this example:

Code:


        Danger level: [1] (out of 5)

    Scanned UDP ports: [28950-28952: 3 packets, Nmap: -sU]
      iptables chain: INPUT (prefix "[UFW BLOCK]"), 3 packets

              Source: 37.115.20.153
                  DNS: 37-115-20-153-broadband.kyivstar.net

          Destination: xxx.xxx.xxx.xxx
                  DNS: my.server.com

  Overall scan start: Mon Mar 31 11:54:49 2014
  Total email alerts: 1
  Complete UDP range: [28950-28952]
      Syslog hostname: loft4087

        Global stats: chain:  interface:  TCP:  UDP:  ICMP:
                      INPUT    eth0        0      5      0

[+] Whois Information (source IP):

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#    "n 37.115.20.153"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=37.115.20.153?showDetails=true&showARIN=false&ext=netref2
#

NetRange:      37.0.0.0 - 37.255.255.255
CIDR:          37.0.0.0/8
OriginAS:
NetName:        RIPE-37
NetHandle:      NET-37-0-0-0-1
Parent:
NetType:        Allocated to RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        2010-11-30
Updated:        2011-01-17
Ref:            http://whois.arin.net/rest/net/NET-37-0-0-0-1

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:          Amsterdam
StateProv:
PostalCode:    1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:  Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:  RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    http://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#



Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%      To receive output for a database update, use the "-B" flag.

% Information related to '37.115.0.0 - 37.115.63.255'

% Abuse contact for '37.115.0.0 - 37.115.63.255' is 'abuse@kyivstar.net'

inetnum:        37.115.0.0 - 37.115.63.255
netname:        KYIVSTAR-NET-7
descr:          Kyivstar GSM
descr:          Ukrainian mobile phone operator
country:        UA
admin-c:        KSUA-RIPE
tech-c:        KSUA-RIPE
status:        ASSIGNED PA
mnt-by:        KYIVSTAR-MNT
mnt-lower:      KYIVSTAR-MNT
mnt-routes:    KYIVSTAR-MNT
source:        RIPE # Filtered

role:          Kyivstar GSM
address:        Degtyarevskaya, 53
address:        Kiev, Ukraine
admin-c:        AEL17-RIPE
tech-c:        JEDI-RIPE
tech-c:        AEL17-RIPE
nic-hdl:        KSUA-RIPE
mnt-by:        KYIVSTAR-MNT
source:        RIPE # Filtered

% Information related to '37.115.0.0/16AS15895'

route:          37.115.0.0/16
descr:          Kyivstar GSM, Kiev, Ukraine
origin:        AS15895
mnt-by:        KYIVSTAR-MNT
source:        RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)


Another one is:

Code:



        Danger level: [2] (out of 5)

    Scanned UDP ports: [28950: 1 packets, Nmap: -sU]
      iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets

              Source: 79.129.25.166
                  DNS: burn--net.static.otenet.gr

          Destination: xxx.xxx.xxx.xxx
                  DNS: my.server.com

  Overall scan start: Sun Mar  9 18:11:45 2014
  Total email alerts: 10
  Complete UDP range: [28950-28952]
      Syslog hostname: loft4087

        Global stats: chain:  interface:  TCP:  UDP:  ICMP:
                      INPUT    eth0        0      19    0

Should I install denyhosts and block the IPs? There is actually a good number of different IP addresses.
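A small triage script for alerts of the kind quoted above, added here as an example; it is not part of the thread and not code from the psad project. It parses the summary lines psad puts at the top of each alert (Danger level, Scanned ports, Source, DNS, packet count) with regular expressions that assume the exact layout shown in the two posted alerts, aggregates alerts per source address, and applies a constructed heuristic (`classify`) that separates one-off low-danger probes from repeat sources, high danger levels and wide port sweeps. The first two sample alerts reproduce the posted ones; the third, from the documentation address 203.0.113.7, is constructed to show what a wide sweep looks like.

```python
"""Triage psad alert bodies: parse the summary block, aggregate per source.

Added example for this thread; the field regexes assume the alert layout
quoted in the posts, and the classification thresholds are constructed.
"""
import re
from collections import defaultdict

DANGER_RE = re.compile(r"Danger level:\s*\[(\d)\]")
PORTS_RE = re.compile(r"Scanned (TCP|UDP) ports:\s*\[([^:\]]+):\s*(\d+) packets")
SOURCE_RE = re.compile(r"Source:\s*(\S+)\s+DNS:\s*(.+)")
EMAILS_RE = re.compile(r"Total email alerts:\s*(\d+)")
START_RE = re.compile(r"Overall scan start:\s*(.+)")

# Constructed samples: the first two mirror the alerts posted in the thread,
# the third is an invented wide TCP sweep from a documentation address.
SAMPLE_ALERTS = [
    """
        Danger level: [1] (out of 5)

    Scanned UDP ports: [28950-28952: 3 packets, Nmap: -sU]
      iptables chain: INPUT (prefix "[UFW BLOCK]"), 3 packets

              Source: 37.115.20.153
                  DNS: 37-115-20-153-broadband.kyivstar.net

  Overall scan start: Mon Mar 31 11:54:49 2014
  Total email alerts: 1
""",
    """
        Danger level: [2] (out of 5)

    Scanned UDP ports: [28950: 1 packets, Nmap: -sU]
      iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets

              Source: 79.129.25.166
                  DNS: burn--net.static.otenet.gr

  Overall scan start: Sun Mar  9 18:11:45 2014
  Total email alerts: 10
""",
    """
        Danger level: [4] (out of 5)

    Scanned TCP ports: [1-1024: 1024 packets, Nmap: -sS]
      iptables chain: INPUT (prefix "[UFW BLOCK]"), 1024 packets

              Source: 203.0.113.7
                  DNS: [No reverse dns info]

  Overall scan start: Tue Apr 22 02:10:03 2014
  Total email alerts: 1
""",
]


def expand_ports(spec):
    """Turn a port spec such as '28950-28952', '22' or '80, 443' into ints."""
    ports = set()
    for part in spec.replace(" ", ",").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return sorted(ports)


def parse_alert(text):
    """Extract the fields triage cares about from one psad alert body."""
    danger, ports, source = DANGER_RE.search(text), PORTS_RE.search(text), SOURCE_RE.search(text)
    if not (danger and ports and source):
        raise ValueError("not a psad alert summary")
    emails, start = EMAILS_RE.search(text), START_RE.search(text)
    return {
        "danger": int(danger.group(1)),
        "proto": ports.group(1),
        "ports": expand_ports(ports.group(2)),
        "packets": int(ports.group(3)),
        "source": source.group(1),
        "dns": source.group(2).strip(),
        "email_alerts": int(emails.group(1)) if emails else 0,
        "start": start.group(1).strip() if start else "",
    }


def summarize(alerts):
    """Aggregate parsed alerts per source address."""
    by_src = defaultdict(lambda: {"alerts": 0, "packets": 0, "max_danger": 0, "ports": set(), "dns": ""})
    for a in alerts:
        s = by_src[a["source"]]
        s["alerts"] += 1
        s["packets"] += a["packets"]
        s["max_danger"] = max(s["max_danger"], a["danger"])
        s["ports"].update(a["ports"])
        s["dns"] = a["dns"]
    return dict(by_src)


def classify(summary, danger_threshold=3, wide_scan_ports=20, repeat_alerts=3):
    """Constructed heuristic: a narrow, low-danger, one-off probe is background
    noise; high danger, a wide sweep or a repeat source is worth a look."""
    if summary["max_danger"] >= danger_threshold or len(summary["ports"]) >= wide_scan_ports:
        return "review"
    if summary["alerts"] >= repeat_alerts:
        return "review"
    return "noise"


if __name__ == "__main__":
    for src, s in summarize(parse_alert(a) for a in SAMPLE_ALERTS).items():
        print(f"{src:16} danger={s['max_danger']} ports={len(s['ports'])} "
              f"packets={s['packets']} -> {classify(s)}")
```

In practice the script would be fed the alert bodies from the mailbox or from psad's log directory rather than the inline samples; the useful output is the per-source table, which makes it easy to see that a three-port UDP probe from one address is nothing like a full port sweep, and to decide whether any source merits a firewall rule or an abuse report to the contact in the whois block.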

Matir 04-23-2014 09:27 AM

Most scans come from hosts that have been otherwise compromised, so blocking their IPs won't gain you much; you'll just be getting scanned from a different host in the future.

To be honest, I don't worry about scans at all -- they're just part of the background noise of the internet these days.

