Question
Question
Port scans originating from DO?
Greetings. First of all, I would like to say I’m not very knowledgeable about anything, and I’m currently learning about Linux, security, networking and even a little programming from creating and managing Droplets. I hope this question doesn’t sound too dumb to the more knowledgeable users.
I recently set up a Debian 8.1 Droplet and added an extra layer of security to it with PSAD. Ever since its installation, I have been getting “danger level 3” warnings on the same ports and from the same IP6 address. I do not have any ports open to the world, unless specifically requested by the services I run in a Droplet –and even then, if I can change their default ports, I will assign an (almost) completely random number to them. A log is attached below.
Just to make it short, is it safe to whitelist this IP6? PSAD doesn’t seem particularly worried about it (else it would’ve been banned by rules) but it makes me uneasy to have these warnings. Specially because they seem to come from DO (or another Droplet.)
=-=-=-=-=-=-=-=-=-=-=-= Wed Sep 2 13:03:21 2015 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5) Multi-Protocol
Scanned TCP ports: [11-62078: 193 packets]
TCP flags: [SYN: 193 packets, Nmap: -sT or -sS]
iptables chain: INPUT, 184 packets
iptables chain: INPUT (prefix "[UFW BLOCK]"), 9 packets
Scanned UDP ports: [7-47808: 34 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
iptables chain: INPUT, 33 packets
Source: 2604:a880:0800:0010:0000:0000:0089:c001
DNS: [No reverse dns info available]
Destination: 2604:a880:0400:00d0:0000:0000:000e:d001
DNS: [No reverse dns info available]
Overall scan start: Wed Sep 2 13:03:21 2015
Total email alerts: 1
Complete TCP range: [11-62078]
Complete UDP range: [7-47808]
Syslog hostname: localhost
Global stats:
chain: interface: protocol: packets:
INPUT eth0 tcp 193
INPUT eth0 udp 34
[+] UDP scan signatures:
“PSAD-CUSTOM Slammer communication attempt”
dst port: 1434 (no server bound to local port)
psad_id: 100208
chain: INPUT
packets: 1
classtype: trojan-activity
“SCAN UPnP communication attempt”
dst port: 1900 (no server bound to local port)
psad_id: 100074 (derived from: 1917 1384 1388)
chain: INPUT
packets: 1
classtype: misc-attack
[+] TCP scan signatures:
“MISC VNC communication attempt”
dst port: 5900 (no server bound to local port)
flags: SYN
psad_id: 100202
chain: INPUT
packets: 1
classtype: attempted-admin
“MISC Microsoft PPTP communication attempt”
dst port: 1723 (no server bound to local port)
flags: SYN
psad_id: 100082 (derived from: 2126 2044)
chain: INPUT
packets: 1
classtype: attempted-admin
“BACKDOOR DoomJuice file upload attempt”
dst port: 3128 (no server bound to local port)
flags: SYN
sid: 2375
chain: INPUT
packets: 1
classtype: trojan-activity
“MISC MS Terminal Server communication attempt”
dst port: 3389 (no server bound to local port)
flags: SYN
psad_id: 100077 (derived from: 1447 1448 2418)
chain: INPUT
packets: 1
classtype: misc-activity
“MISC HP Web JetAdmin communication attempt”
dst port: 8000 (no server bound to local port)
flags: SYN
psad_id: 100084 (derived from: 2547 2548 2549 2655)
chain: INPUT
packets: 1
classtype: web-application-activity
“POLICY HP JetDirect LCD commnication attempt”
dst port: 9100 (no server bound to local port)
flags: SYN
sid: 568
chain: INPUT
packets: 1
classtype: misc-activity
“BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt”
dst port: 666 (no server bound to local port)
flags: SYN
psad_id: 100041 (derived from: 118 157 158)
chain: INPUT
packets: 1
classtype: misc-activity
“BACKDOOR netbus Connection Cttempt”
dst port: 12345 (no server bound to local port)
flags: SYN
psad_id: 100028 (derived from: 109 110)
chain: INPUT
packets: 1
classtype: misc-activity
“POLICY HP JetDirect LCD communication attempt”
dst port: 9002 (no server bound to local port)
flags: SYN
sid: 510
chain: INPUT
packets: 3
classtype: misc-activity
[+] Whois Information (source IP):
ARIN WHOIS data and services are subject to the Terms of Use
available at: https://www.arin.net/whois_tou.html
If you see inaccuracies in the results, please report at
http://www.arin.net/public/whoisinaccuracy/index.xhtml
The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=2604:a880:0800:0010:0000:0000:0089:c001?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
NetRange: 2604:A880:: - 2604:A880:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2604:A880::/32
NetName: DIGITALOCEAN-V6-1
NetHandle: NET6-2604-A880-1
Parent: NET6-2600 (NET6-2600-1)
NetType: Direct Allocation
OriginAS: AS14061
Organization: Digital Ocean, Inc. (DO-13)
RegDate: 2013-04-11
Updated: 2013-04-11
Ref: http://whois.arin.net/rest/net/NET6-2604-A880-1
OrgName: Digital Ocean, Inc.
OrgId: DO-13
Address: 101 Ave of the Americas
Address: 10th Floor
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2014-10-23
Comment: http://www.digitalocean.com
Comment: Simple Cloud Hosting
Ref: http://whois.arin.net/rest/org/DO-13
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×