Question

Concerns with port scans from random ips

Posted July 5, 2016 3.3k views
Security Debian Firewall

So I setup my first droplet last night and followed the steps to secure SSH and so forth. I then installed ufw and set up a basic firewall, denying everything incoming while leaving a non-standard port open for ssh, which is working just fine for me. When I checked the logs I was somewhat alarmed to see a large number of port scans from all over the place. Mostly they seemed to be looking for 22 or 23 but others popped up as well. I checked those two ports myself, just to be sure the firewall was doing what it was supposed to be doing and all was good. I guess what surprised me was the number I saw as they were coming in about once or twice a minute.

Since my droplet isn’t doing anything yet, I shut it down overnight and when I started working this morning, I was scanned within 15 seconds of booting up! While I’ve played with servers at home, this is my first experience having something really facing the web. So I’m wondering if this is normal behaviour?

Thanks,

A concerned newbie

Add a comment
lmhopfe
By:
lmhopfe
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

2 answers
jtittle1 July 5, 2016

@lmhopfe

Port Scanning is going to happen when you’re dealing with public facing servers, regardless of their utility (i.e. web server, database server, etc). As long as you’re running a firewall that will block those exceeding a threshold limit, you should be fine.

As for the SSH Port, from a security standpoint, changing the port number is security by obscurity and not a highly regarded practice since it only functions as a very small deterrent. At the same time, even though many people look down upon it, I always change the default SSH port and block all attempts to connect on 22 (TCP & UDP). It’s the default port, it’s well-known, and it’s the first SSH port that will be tried. If you can stop an IP on the first attempt, you won’t need to stop the same IP from trying to connect again.

That said, most attacks aren’t going to be from a single IP, so you’re going to be blocking numerous IP’s that attempt to connect on that port, but that’s simply the nature of running a web server.

Filter out the bad and filter in the good – either way, you filter the traffic. On the backend, a firewall functions as one defense mechanism, as long as your rules are setup correctly. For example, you should have your deny all rule before your allow .... rules. With ufw, that’s as simple as:

ufw disable \
&& ufw default deny \
&& ufw allow 80/tcp \
&& ufw allow 443/tcp \
&& ufw allow 53/tcp \
&& ufw allow 53/udp \
&& ufw allow SSHPORT/tcp

SSHPORT should be replaced with your actual SSH port, of course :-). If you’re not sure if you set your deny rule before the others, you can simply run:

ufw reset

… to reset ufw and then run the multi-command above which will allow traffic on 80 (HTTP), 443 (HTTPS), 53 (DNS) and SSHPORT which is your chosen SSH port.

Once your rules are in place:

ufw enable

And the firewall is active once again.

Reply Report
  • lmhopfe July 10, 2016

    Thanks very much for the explanations and suggestions. I’ve been experimenting with ufw and it seems pretty straight forward. I’ve worked with iptables in the past and this seems a bit easier. I’d read about changing the SSH port in a couple of setup tutorials and thought it might be interesting to try.

    Over the last few days I’ve read more on the scans and what that’s all about. I guess I knew this sort of thing went on it’s just I’d never seen it from this perspective before. I was worried I’d made a mistake which was attracting the scans, but my ufw edits were pretty similar to what you set out. That said, I’ll be mindful of these settings as I move forward.

    In any event, thanks again for the help.

    Reply Report
gparent July 5, 2016

Yes. I would move SSH back to port 22. There’s no real useful reason to change it.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help