Greetings. First of all, I would like to say I’m not very knowledgeable about anything, and I’m currently learning about Linux, security, networking and even a little programming from creating and managing Droplets. I hope this question doesn’t sound too dumb to the more knowledgeable users. I recently set up a Debian 8.1 Droplet and added an extra layer of security to it with PSAD. Ever since its installation, I have been getting “danger level 3” warnings on the same ports and from the same IP6 address. I do not have any ports open to the world, unless specifically requested by the services I run in a Droplet, and even then, if I can change their default ports, I will assign an (almost) completely random number to them. A log is attached below. Just to make it short, is it safe to whitelist this IP6? PSAD doesn’t seem particularly worried about it (else it would’ve been banned by rules), but it makes me uneasy to have these warnings. Especially because they seem to come from DO (or another Droplet).
=-=-=-=-=-=-=-=-=-=-=-= Wed Sep 2 13:03:21 2015 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5) Multi-Protocol
Scanned TCP ports: [11-62078: 193 packets]
TCP flags: [SYN: 193 packets, Nmap: -sT or -sS]
iptables chain: INPUT, 184 packets
iptables chain: INPUT (prefix "[UFW BLOCK]"), 9 packets
Scanned UDP ports: [7-47808: 34 packets, Nmap: -sU]
iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
iptables chain: INPUT, 33 packets
Source: 2604:a880:0800:0010:0000:0000:0089:c001
DNS: [No reverse dns info available]
Destination: 2604:a880:0400:00d0:0000:0000:000e:d001
DNS: [No reverse dns info available]
Overall scan start: Wed Sep 2 13:03:21 2015
Total email alerts: 1
Complete TCP range: [11-62078]
Complete UDP range: [7-47808]
Syslog hostname: localhost
Global stats:
chain: interface: protocol: packets:
INPUT eth0 tcp 193
INPUT eth0 udp 34
[+] UDP scan signatures:
"PSAD-CUSTOM Slammer communication attempt" dst port: 1434 (no server bound to local port) psad_id: 100208 chain: INPUT packets: 1 classtype: trojan-activity
"SCAN UPnP communication attempt" dst port: 1900 (no server bound to local port) psad_id: 100074 (derived from: 1917 1384 1388) chain: INPUT packets: 1 classtype: misc-attack
[+] TCP scan signatures:
"MISC VNC communication attempt" dst port: 5900 (no server bound to local port) flags: SYN psad_id: 100202 chain: INPUT packets: 1 classtype: attempted-admin
"MISC Microsoft PPTP communication attempt" dst port: 1723 (no server bound to local port) flags: SYN psad_id: 100082 (derived from: 2126 2044) chain: INPUT packets: 1 classtype: attempted-admin
"BACKDOOR DoomJuice file upload attempt" dst port: 3128 (no server bound to local port) flags: SYN sid: 2375 chain: INPUT packets: 1 classtype: trojan-activity
"MISC MS Terminal Server communication attempt" dst port: 3389 (no server bound to local port) flags: SYN psad_id: 100077 (derived from: 1447 1448 2418) chain: INPUT packets: 1 classtype: misc-activity
"MISC HP Web JetAdmin communication attempt" dst port: 8000 (no server bound to local port) flags: SYN psad_id: 100084 (derived from: 2547 2548 2549 2655) chain: INPUT packets: 1 classtype: web-application-activity
"POLICY HP JetDirect LCD commnication attempt" dst port: 9100 (no server bound to local port) flags: SYN sid: 568 chain: INPUT packets: 1 classtype: misc-activity
"BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt" dst port: 666 (no server bound to local port) flags: SYN psad_id: 100041 (derived from: 118 157 158) chain: INPUT packets: 1 classtype: misc-activity
"BACKDOOR netbus Connection Cttempt" dst port: 12345 (no server bound to local port) flags: SYN psad_id: 100028 (derived from: 109 110) chain: INPUT packets: 1 classtype: misc-activity
"POLICY HP JetDirect LCD communication attempt" dst port: 9002 (no server bound to local port) flags: SYN sid: 510 chain: INPUT packets: 3 classtype: misc-activity
[+] Whois Information (source IP):
NetRange: 2604:A880:: - 2604:A880:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2604:A880::/32
NetName: DIGITALOCEAN-V6-1
NetHandle: NET6-2604-A880-1
Parent: NET6-2600 (NET6-2600-1)
NetType: Direct Allocation
OriginAS: AS14061
Organization: Digital Ocean, Inc. (DO-13)
RegDate: 2013-04-11
Updated: 2013-04-11
Ref: http://whois.arin.net/rest/net/NET6-2604-A880-1

OrgName: Digital Ocean, Inc.
OrgId: DO-13
Address: 101 Ave of the Americas
Address: 10th Floor
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2014-10-23
Comment: http://www.digitalocean.com
Comment: Simple Cloud Hosting
Ref: http://whois.arin.net/rest/org/DO-13
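As an added example (not part of the question or of any answer here), a small Python triage helper that parses the fields of a psad alert like the one above and checks the source against the allocation shown in the whois section. The alert text is a constructed excerpt of the quoted alert; the provider CIDR and the set of ports you actually listen on are assumptions the caller passes in.

```python
import ipaddress
import re

# Constructed excerpt of the psad alert quoted in the question, not a live capture.
ALERT = """\
Danger level: [3] (out of 5) Multi-Protocol
Source: 2604:a880:0800:0010:0000:0000:0089:c001
Destination: 2604:a880:0400:00d0:0000:0000:000e:d001
"MISC VNC communication attempt" dst port: 5900 (no server bound to local port) flags: SYN psad_id: 100202 chain: INPUT packets: 1 classtype: attempted-admin
"MISC MS Terminal Server communication attempt" dst port: 3389 (no server bound to local port) flags: SYN psad_id: 100077 (derived from: 1447 1448 2418) chain: INPUT packets: 1 classtype: misc-activity
"POLICY HP JetDirect LCD communication attempt" dst port: 9002 (no server bound to local port) flags: SYN sid: 510 chain: INPUT packets: 3 classtype: misc-activity
"""

# One signature line: quoted name, destination port, and the parenthesised bound-service note.
SIG_RE = re.compile(r'^"(?P<name>[^"]+)" dst port: (?P<port>\d+) \((?P<bound>[^)]*)\)')

def parse_alert(text):
    """Extract danger level, source/destination addresses and signature hits from one alert."""
    info = {"signatures": []}
    for line in text.splitlines():
        if line.startswith("Danger level:"):
            info["danger"] = int(re.search(r"\[(\d+)\]", line).group(1))
        elif line.startswith("Source:"):
            info["source"] = ipaddress.ip_address(line.split()[1])
        elif line.startswith("Destination:"):
            info["destination"] = ipaddress.ip_address(line.split()[1])
        else:
            m = SIG_RE.match(line)
            if m:
                info["signatures"].append({
                    "name": m.group("name"),
                    "port": int(m.group("port")),
                    # psad notes when nothing listens on the probed port; that is the key risk signal.
                    "server_bound": "no server bound" not in m.group("bound"),
                })
    return info

def triage(info, provider_net, listening_ports):
    """Did the probe come from the provider's own allocation, and did any flagged port have a service?"""
    net = ipaddress.ip_network(provider_net)  # e.g. the NetRange CIDR from the whois section
    hits = [s for s in info["signatures"] if s["server_bound"] or s["port"] in listening_ports]
    return {
        "danger": info["danger"],
        "source_in_provider_net": info["source"] in net,
        "same_provider_as_dest": info["destination"] in net,
        "flagged_ports_with_service": sorted(s["port"] for s in hits),
    }
```

Run it against the full alert text saved from the psad email; a non-empty `flagged_ports_with_service` list is the case that deserves attention before any whitelisting decision.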
http://www.shodanhq.com/help/faq
There’s no need to concern yourself with port scans. Tools like PSAD aren’t perfect, and they’ll cause more trouble than they are worth for you.