LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-23-2014, 05:43 AM   #1
Highjo
Member
 
Registered: Jan 2007
Posts: 36

Rep: Reputation: 0
How to react to psad scanning alert on a ubuntu server?


Hello Experts!

I am running an office web hosting(for office web sites and test) server on an ubuntu 12.04 LTS. I have some level of security measures. psad, fail2ban,no root ssh login, no ping, mod-security etc. I started having some psad alerts on daily basis from different hosts. I am wondering if there is something in particular I should worry about or that I should do.

alerts are of the example:

Code:
         Danger level: [1] (out of 5)

    Scanned UDP ports: [28950-28952: 3 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW BLOCK]"), 3 packets

               Source: 37.115.20.153
                  DNS: 37-115-20-153-broadband.kyivstar.net

          Destination: xxx.xxx.xxx.xxx
                  DNS: my.server.com

   Overall scan start: Mon Mar 31 11:54:49 2014
   Total email alerts: 1
   Complete UDP range: [28950-28952]
      Syslog hostname: loft4087

         Global stats: chain:   interface:   TCP:   UDP:   ICMP:
                       INPUT    eth0         0      5      0

[+] Whois Information (source IP):

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 37.115.20.153"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=37.115.20.153?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       37.0.0.0 - 37.255.255.255
CIDR:           37.0.0.0/8
OriginAS:
NetName:        RIPE-37
NetHandle:      NET-37-0-0-0-1
Parent:
NetType:        Allocated to RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        2010-11-30
Updated:        2011-01-17
Ref:            http://whois.arin.net/rest/net/NET-37-0-0-0-1

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    http://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#



Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '37.115.0.0 - 37.115.63.255'

% Abuse contact for '37.115.0.0 - 37.115.63.255' is 'abuse@kyivstar.net'

inetnum:        37.115.0.0 - 37.115.63.255
netname:        KYIVSTAR-NET-7
descr:          Kyivstar GSM
descr:          Ukrainian mobile phone operator
country:        UA
admin-c:        KSUA-RIPE
tech-c:         KSUA-RIPE
status:         ASSIGNED PA
mnt-by:         KYIVSTAR-MNT
mnt-lower:      KYIVSTAR-MNT
mnt-routes:     KYIVSTAR-MNT
source:         RIPE # Filtered

role:           Kyivstar GSM
address:        Degtyarevskaya, 53
address:        Kiev, Ukraine
admin-c:        AEL17-RIPE
tech-c:         JEDI-RIPE
tech-c:         AEL17-RIPE
nic-hdl:        KSUA-RIPE
mnt-by:         KYIVSTAR-MNT
source:         RIPE # Filtered

% Information related to '37.115.0.0/16AS15895'

route:          37.115.0.0/16
descr:          Kyivstar GSM, Kiev, Ukraine
origin:         AS15895
mnt-by:         KYIVSTAR-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)

Another One is :

Code:

         Danger level: [2] (out of 5)

    Scanned UDP ports: [28950: 1 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets

               Source: 79.129.25.166
                  DNS: burn--net.static.otenet.gr

          Destination: xxx.xxx.xxx.xxx
                  DNS: my.server.com

   Overall scan start: Sun Mar  9 18:11:45 2014
   Total email alerts: 10
   Complete UDP range: [28950-28952]
      Syslog hostname: loft4087

         Global stats: chain:   interface:   TCP:   UDP:   ICMP:
                       INPUT    eth0         0      19     0
Should I install denyhosts and block the IPs? There are actually some good amount of different IPs address

Last edited by Highjo; 04-23-2014 at 05:45 AM.
 
Old 04-23-2014, 10:27 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Most scans come from hosts that have been otherwise compromised, so blocking their IPs won't gain you much, you'll just be getting scanned from a different host in the future.

To be honest, I don't worry about scans at all -- they're just part of the background noise of the internet these days.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OPENNMS -how can i get disk space alert & memory alert BY MAIL saravanakumar Linux - Server 11 05-30-2014 09:45 AM
psad (port scan attack detector) email alert configuration kikilinux Linux - Security 1 09-23-2013 07:22 PM
Detect port scanning without psad - write own IDS wakatana Linux - Networking 1 10-05-2010 09:28 PM
Is there a way to get psad to block the port scanning IP with the APF firewall? abefroman Linux - Security 1 04-15-2008 11:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration