Port scanners? Or something more sinister?

Soldato
Joined
30 Jul 2005
Posts
19,361
Location
Midlands
So I've had an HTTP file server set up for a week, running with stunnel for HTTPS encryption. I've noticed in the stunnel logs there have been a few IPs connecting and disconnecting straight away; checking on whois, these IPs are in the USA, Bangladesh, France etc., so very odd. The file server shows no attempts to log in or username/password guessing going on, but I'm still wondering if these are totally random or targeted?
Port 443 is open and now I feel the internet is not a safe place to be lol.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,898
Just random; the internet is not a nice place and is full of bots looking for any exploits. You really should be using a VPN into your home network if you can.
 
Soldato
OP
Joined
30 Jul 2005
Posts
19,361
Location
Midlands
I do have a VPN on the server too, but VPN ports are blocked by the ISP in the country I've got people connecting from, so the HTTP file server works very well for this situation.
Wondering how they managed to find my IP. I've got a dynamic IP, so I rebooted the router and got a new IP address and, lo and behold, it took about 35-45 mins and I'm being scanned again...
 
Man of Honour
Joined
20 Sep 2006
Posts
33,898
They're bots, scripts, automated, etc. They just scan all IP addresses for open ports and then start trying known exploits against the services which run on them.
 
Soldato
Joined
24 Sep 2015
Posts
3,657
Wondering how they managed to find my ip.

It's extremely unlikely that they were looking for your IP address. They were looking for any IP address, not specifically for yours.

There's a lot of background traffic on the internet. I'd be amazed if any public IP didn't get connection attempts and scans on a very regular basis.
 
Soldato
Joined
25 Oct 2010
Posts
5,231
Log into your Windows 10 MS account and check the security / sign-in activity section; you'll probably see a number of failed attempts.

It's just how the internet is unfortunately.
 
Soldato
Joined
18 Aug 2007
Posts
9,689
Location
Liverpool
Perfectly normal. The Internet is not 'that big', if you're a bot. The whole, entire public IPv4 Internet is scanned many times over every day. Here's just ten minutes of blocked incoming packets from my home OpenBSD router's pf firewall log:

Code:
Apr 15 01:48:05.369916 rule 7/(match) block in on em1: 81.242.198.139.60159 > 92.232.202.163.50204: udp 106
Apr 15 01:48:06.071883 rule 7/(match) block in on em1: 5.189.188.23.46931 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:48:07.054384 rule 7/(match) block in on em1: 5.189.188.23.46931 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:48:15.589639 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7168: S 3664143275:3664143275(0) win 1024 [tos 0x20]
Apr 15 01:48:15.654030 rule 7/(match) block in on em1: 171.67.71.100.49187 > 92.232.202.163.6468: S 3457903046:3457903046(0) win 65535
Apr 15 01:48:22.049672 rule 7/(match) block in on em1: 5.189.188.23.46931 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:48:24.850155 rule 8/(match) block in on em1: 36.81.12.10.32747 > 92.232.202.163.50204: udp 101 (DF)
Apr 15 01:48:25.609195 rule 7/(match) block in on em1: 89.248.165.100.49809 > 92.232.202.163.52663: S 886587958:886587958(0) win 1024
Apr 15 01:48:29.062892 rule 8/(match) block in on em1: 85.143.217.55.34382 > 92.232.202.163.50204: udp 120 (DF)
Apr 15 01:48:32.743912 rule 7/(match) block in on em1: 162.142.125.93.26304 > 92.232.202.163.12161: S 2960640126:2960640126(0) win 1024 <mss 1460>
Apr 15 01:48:35.527874 rule 7/(match) block in on em1: 185.200.117.138.47462 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:48:39.131754 rule 7/(match) block in on em1: 35.209.2.217.443 > 92.232.202.163.50083: S 200368865:200368865(0) ack 629024875 win 1024 [tos 0x60]
Apr 15 01:48:44.255724 rule 7/(match) block in on em1: 74.192.77.48.50321 > 92.232.202.163.50204: udp 101
Apr 15 01:48:46.011804 rule 7/(match) block in on em1: 171.67.70.87.48700 > 92.232.202.163.44333: S 175895675:175895675(0) win 65535
Apr 15 01:48:49.659463 rule 7/(match) block in on em1: 51.39.92.57.1030 > 92.232.202.163.50204: udp 104 (DF) [tos 0x38]
Apr 15 01:48:50.394040 rule 8/(match) block in on em1: 212.90.168.229.37769 > 92.232.202.163.50204: udp 117 [tos 0x28]
Apr 15 01:48:52.322003 rule 7/(match) block in on em1: 185.200.117.138.47462 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:48:54.747496 rule 8/(match) block in on em1: 45.146.165.129.8080 > 92.232.202.163.14206: S 4017968864:4017968864(0) win 1024 [tos 0x20]
Apr 15 01:48:56.807709 rule 7/(match) block in on em1: 196.196.192.12.57228 > 92.232.202.163.50204: udp 106 (DF)
Apr 15 01:49:02.343827 rule 8/(match) block in on em1: 185.137.234.205.48658 > 92.232.202.163.6000: S 1580634278:1580634278(0) win 1024 [tos 0x20]
Apr 15 01:49:06.893973 rule 7/(match) block in on em1: 104.244.210.118.17561 > 92.232.202.163.50204: udp 106 [tos 0x28]
Apr 15 01:49:09.073878 rule 7/(match) block in on em1: 5.189.188.23.46931 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:49:11.383855 rule 7/(match) block in on em1: 185.200.117.138.47462 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:49:17.901343 rule 7/(match) block in on em1: 171.67.71.100.50594 > 92.232.202.163.7137: S 847547728:847547728(0) win 65535
Apr 15 01:49:20.320770 rule 7/(match) block in on em1: 64.52.27.223.51413 > 92.232.202.163.50204: udp 94 (DF)
Apr 15 01:49:24.785344 rule 7/(match) block in on em1: 207.180.210.81.27845 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:49:25.059145 rule 7/(match) block in on em1: 5.189.188.23.46931 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:49:39.768113 rule 7/(match) block in on em1: 173.249.19.73.41138 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:49:41.472456 rule 7/(match) block in on em1: 92.118.161.53.63432 > 92.232.202.163.2121: S 502328121:502328121(0) win 1024 <mss 1460>
Apr 15 01:49:45.722649 rule 7/(match) block in on em1: 222.108.199.242.40960 > 92.232.202.163.50204: udp 115
Apr 15 01:49:47.995592 rule 7/(match) block in on em1: 104.236.84.193.47670 > 92.232.202.163.30212: S 271118307:271118307(0) win 1024
Apr 15 01:49:48.226682 rule 7/(match) block in on em1: 171.67.70.87.41779 > 92.232.202.163.56836: S 1770509359:1770509359(0) win 65535
Apr 15 01:49:56.722392 rule 7/(match) block in on em1: 89.248.165.100.49809 > 92.232.202.163.23376: S 1843416734:1843416734(0) win 1024
Apr 15 01:50:00.378984 rule 7/(match) block in on em1: 181.29.89.133.53327 > 92.232.202.163.50204: udp 106
Apr 15 01:50:06.467200 rule 7/(match) block in on em1: 103.145.13.243.45153 > 92.232.202.163.5038: S 4190088217:4190088217(0) win 1024 [tos 0x28]
Apr 15 01:50:17.795551 rule 7/(match) block in on em1: 195.230.23.151.54578 > 92.232.202.163.203: S 1561277034:1561277034(0) win 1024 [tos 0x28]
Apr 15 01:50:18.841004 rule 7/(match) block in on em1: 171.67.71.100.41989 > 92.232.202.163.8181: S 75925202:75925202(0) win 65535
Apr 15 01:50:21.418408 rule 7/(match) block in on em1: 89.248.165.97.50003 > 92.232.202.163.9569: S 1753229059:1753229059(0) win 1024
Apr 15 01:50:23.907943 rule 7/(match) block in on em1: 202.8.112.163.60000 > 92.232.202.163.50204: udp 117
Apr 15 01:50:28.283579 rule 7/(match) block in on em1: 185.173.35.33.57306 > 92.232.202.163.3388: S 1992603254:1992603254(0) win 65535 <mss 1460>
Apr 15 01:50:28.291879 rule 7/(match) block in on em1: 46.44.194.254.51540 > 92.232.202.163.50204: udp 101
Apr 15 01:50:31.206608 rule 8/(match) block in on em1: 193.27.229.47.45853 > 92.232.202.163.36383: S 950175790:950175790(0) win 1024
Apr 15 01:50:31.652514 rule 7/(match) block in on em1: 85.145.201.190.33186 > 92.232.202.163.50204: udp 104
Apr 15 01:50:32.365385 rule 8/(match) block in on em1: 180.76.232.66.56359 > 92.232.202.163.12280: S 3477780141:3477780141(0) win 1024 [tos 0x60]
Apr 15 01:50:39.809614 rule 7/(match) block in on em1: 162.142.125.168.29718 > 92.232.202.163.33267: S 2841117061:2841117061(0) win 1024 <mss 1460>
Apr 15 01:50:42.514160 rule 24/(match) pass in on em1: 192.241.206.109.48194 > 92.232.202.163.22: S 2040010608:2040010608(0) win 29200 <mss 1460,sackOK,timestamp 130345325 0,nop,wscale 7> (DF)
Apr 15 01:50:47.347931 rule 7/(match) block in on em1: 162.142.125.87.16808 > 92.232.202.163.9823: S 3518929632:3518929632(0) win 1024 <mss 1460>
Apr 15 01:50:50.754600 rule 7/(match) block in on em1: 171.67.70.87.47568 > 92.232.202.163.53561: S 2950122875:2950122875(0) win 65535
Apr 15 01:50:52.206853 rule 7/(match) block in on em1: 207.180.210.81.12057 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:51:03.023670 rule 7/(match) block in on em1: 209.141.51.242.38458 > 92.232.202.163.5555: S 2245548686:2245548686(0) win 65535
Apr 15 01:51:12.954187 rule 7/(match) block in on em1: 193.46.254.169.53022 > 92.232.202.163.8088: S 3545693776:3545693776(0) win 1024
Apr 15 01:51:20.088622 rule 7/(match) block in on em1: 171.67.71.100.40326 > 92.232.202.163.10382: S 2695674686:2695674686(0) win 65535
Apr 15 01:51:23.172379 rule 8/(match) block in on em1: 194.165.16.39.8080 > 92.232.202.163.7300: S 3042008059:3042008059(0) win 1024
Apr 15 01:51:23.632341 rule 7/(match) block in on em1: 49.228.25.38.2316 > 92.232.202.163.50204: udp 97
Apr 15 01:51:23.939466 rule 7/(match) block in on em1: 175.200.205.136.10054 > 92.232.202.163.50204: udp 115
Apr 15 01:51:24.025396 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7211: S 1444720723:1444720723(0) win 1024 [tos 0x20]
Apr 15 01:51:26.301807 rule 7/(match) block in on em1: 209.126.64.156.47751 > 92.232.202.163.4418: S 3082559446:3082559446(0) win 1024
Apr 15 01:51:30.017173 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7169: S 3173862375:3173862375(0) win 1024 [tos 0x20]
Apr 15 01:51:30.234733 rule 8/(match) block in on em1: 81.163.105.85.13810 > 92.232.202.163.50204: udp 106
Apr 15 01:51:34.507240 rule 7/(match) block in on em1: 201.13.158.184.1024 > 92.232.202.163.50204: udp 115 [tos 0x20]
Apr 15 01:51:36.418543 rule 7/(match) block in on em1: 64.52.27.223.51413 > 92.232.202.163.50204: udp 58 (DF)
Apr 15 01:51:38.583813 rule 8/(match) block in on em1: 185.153.199.131.44846 > 92.232.202.163.3389: S 3413504416:3413504416(0) win 1024 [tos 0x28]
Apr 15 01:51:40.634253 rule 7/(match) block in on em1: 49.228.25.38.2316 > 92.232.202.163.50204: udp 97
Apr 15 01:51:50.670935 rule 7/(match) block in on em1: 171.67.70.87.38264 > 92.232.202.163.48329: S 197752320:197752320(0) win 65535
Apr 15 01:51:56.671931 rule 7/(match) block in on em1: 49.228.25.38.2316 > 92.232.202.163.50204: udp 97
Apr 15 01:52:13.073971 rule 7/(match) block in on em1: 207.180.192.205.33333 > 92.232.202.163.50204: udp 96 (DF)
Apr 15 01:52:13.167508 rule 7/(match) block in on em1: 207.180.192.205.33333 > 92.232.202.163.57370: udp 96 (DF)
Apr 15 01:52:15.727352 rule 7/(match) block in on em1: 104.206.128.34.53989 > 92.232.202.163.389: S 1507273410:1507273410(0) win 1024 <mss 1460>
Apr 15 01:52:16.615508 rule 7/(match) block in on em1: 89.248.165.48.47875 > 92.232.202.163.8443: S 467591717:467591717(0) win 1024
Apr 15 01:52:22.385763 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7063: S 770121064:770121064(0) win 1024 [tos 0x20]
Apr 15 01:52:22.766557 rule 7/(match) block in on em1: 171.67.71.100.58597 > 92.232.202.163.14918: S 3091479952:3091479952(0) win 65535
Apr 15 01:52:22.970615 rule 7/(match) block in on em1: 18.203.224.218.7070 > 92.232.202.163.64728: R 2258543889:2258543889(0) win 0 (DF)
Apr 15 01:52:30.624724 rule 8/(match) block in on em1: 85.174.194.151.16727 > 92.232.202.163.61097: udp 66
Apr 15 01:52:35.918103 rule 7/(match) block in on em1: 101.127.149.95.6881 > 92.232.202.163.50204: udp 115
Apr 15 01:52:38.694316 rule 7/(match) block in on em1: 101.32.190.157.53753 > 92.232.202.163.8888: S 2835836818:2835836818(0) win 43690 (DF) [tos 0x68]
Apr 15 01:52:42.021895 rule 24/(match) pass in on em1: 51.161.10.20.35894 > 92.232.202.163.22: S 3281458065:3281458065(0) win 64240 <mss 1460,sackOK,timestamp 3318980679 0,nop,wscale 7> (DF)
Apr 15 01:52:43.472848 rule 16/(match) block in on em1: 51.161.10.20.35894 > 92.232.202.163.22: . ack 1965333486 win 501 <nop,nop,timestamp 3318982128 1377591707> (DF)
Apr 15 01:52:50.611784 rule 8/(match) block in on em1: 193.27.228.176.47550 > 92.232.202.163.8443: S 1407386945:1407386945(0) win 1024 [tos 0x20]
Apr 15 01:52:50.615578 rule 8/(match) block in on em1: 45.146.165.129.8080 > 92.232.202.163.14154: S 3560265934:3560265934(0) win 1024 [tos 0x20]
Apr 15 01:52:53.073383 rule 7/(match) block in on em1: 171.67.70.87.46179 > 92.232.202.163.59382: S 1945048676:1945048676(0) win 65535
Apr 15 01:52:55.826111 rule 7/(match) block in on em1: 193.107.216.13.5072 > 92.232.202.163.5060: udp 421 (DF) [tos 0x28]
Apr 15 01:52:55.898394 rule 7/(match) block in on em1: 221.139.215.113.41152 > 92.232.202.163.57370: udp 115
Apr 15 01:52:57.229945 rule 8/(match) block in on em1: 95.55.133.55.14872 > 92.232.202.163.50204: udp 117
Apr 15 01:52:58.115230 rule 7/(match) block in on em1: 207.180.192.206.39346 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:52:58.398848 rule 7/(match) block in on em1: 207.180.192.206.39346 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:53:15.177778 rule 8/(match) block in on em1: 101.10.97.27.11001 > 92.232.202.163.50204: udp 115
Apr 15 01:53:17.460557 rule 7/(match) block in on em1: 45.132.225.80.56051 > 92.232.202.163.50204: udp 117 [tos 0x28]
Apr 15 01:53:21.526516 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232087761 0,nop,wscale 14> (DF)
Apr 15 01:53:22.069133 rule 7/(match) block in on em1: 146.88.240.4.54292 > 92.232.202.163.1604: udp 42
Apr 15 01:53:22.527065 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232088011 0,nop,wscale 14> (DF)
Apr 15 01:53:24.530412 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232088512 0,nop,wscale 14> (DF)
Apr 15 01:53:28.608377 rule 7/(match) block in on em1: 171.67.71.100.58261 > 92.232.202.163.178: S 2169806456:2169806456(0) win 65535
Apr 15 01:53:30.150393 rule 7/(match) block in on em1: 175.203.171.64.40727 > 92.232.202.163.57370: udp 115
Apr 15 01:53:30.954718 rule 8/(match) block in on em1: 218.93.208.150.9090 > 92.232.202.163.22: S 30000:30000(0) win 65535
Apr 15 01:53:34.589224 rule 7/(match) block in on em1: 121.145.147.163.64515 > 92.232.202.163.23: S 1558760099:1558760099(0) win 36368 <mss 1460>
Apr 15 01:53:46.135107 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:53:49.608016 rule 7/(match) block in on em1: 45.125.65.74.46100 > 92.232.202.163.23: S 2861604601:2861604601(0) win 1024
Apr 15 01:53:52.901462 rule 7/(match) block in on em1: 186.178.169.11.9054 > 92.232.202.163.50204: udp 101 (DF)
Apr 15 01:53:54.440454 rule 7/(match) block in on em1: 171.67.70.87.36446 > 92.232.202.163.55944: S 64357334:64357334(0) win 65535
Apr 15 01:53:55.993850 rule 7/(match) block in on em1: 162.142.125.162.56160 > 92.232.202.163.45893: S 469534385:469534385(0) win 1024 <mss 1460>
Apr 15 01:53:59.695127 rule 7/(match) block in on em1: 43.242.69.70.56654 > 92.232.202.163.50204: udp 115 [tos 0x28]
Apr 15 01:54:02.096189 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:54:13.453904 rule 7/(match) block in on em1: 192.241.210.137.54215 > 92.232.202.163.8008: S 3100570634:3100570634(0) win 65535
Apr 15 01:54:28.870617 rule 7/(match) block in on em1: 220.117.254.133.40914 > 92.232.202.163.50204: udp 115
Apr 15 01:54:31.067226 rule 7/(match) block in on em1: 171.67.71.100.59507 > 92.232.202.163.7568: S 4044767504:4044767504(0) win 65535
Apr 15 01:54:31.451916 rule 7/(match) block in on em1: 217.64.148.116.56321 > 92.232.202.163.50204: udp 115
Apr 15 01:54:33.299233 rule 7/(match) block in on em1: 5.253.84.226.39922 > 92.232.202.163.5905: S 4118761288:4118761288(0) win 65535
Apr 15 01:54:36.819974 rule 8/(match) block in on em1: 45.155.205.212.47891 > 92.232.202.163.1234: S 1623288772:1623288772(0) win 1024
Apr 15 01:54:40.060645 rule 7/(match) block in on em1: 142.126.140.116.22214 > 92.232.202.163.50204: udp 103
Apr 15 01:54:47.074042 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:54:47.230818 rule 7/(match) block in on em1: 173.249.19.73.23006 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:54:47.314830 rule 7/(match) block in on em1: 173.249.19.73.23006 > 92.232.202.163.57479: udp 97 (DF)
Apr 15 01:54:55.348787 rule 7/(match) block in on em1: 154.5.82.209.1217 > 92.232.202.163.50204: udp 106
Apr 15 01:54:56.644963 rule 7/(match) block in on em1: 171.67.70.87.43172 > 92.232.202.163.62873: S 2372326933:2372326933(0) win 65535
Apr 15 01:55:03.049136 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:55:03.325076 rule 8/(match) block in on em1: 194.190.92.130.35973 > 92.232.202.163.57370: udp 106
Apr 15 01:55:05.609126 rule 8/(match) block in on em1: 37.204.84.153.57559 > 92.232.202.163.50204: udp 103
Apr 15 01:55:09.840868 rule 7/(match) block in on em1: 173.249.33.72.12040 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:55:13.551893 rule 7/(match) block in on em1: 89.248.165.97.50003 > 92.232.202.163.9942: S 4143123884:4143123884(0) win 1024
Apr 15 01:55:20.156618 rule 7/(match) block in on em1: 68.37.41.208.17173 > 92.232.202.163.50204: udp 104
Apr 15 01:55:20.279338 rule 7/(match) block in on em1: 67.215.236.26.17558 > 92.232.202.163.57479: udp 104
Apr 15 01:55:21.975730 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7141: S 3745596102:3745596102(0) win 1024 [tos 0x20]
Apr 15 01:55:23.403552 rule 8/(match) block in on em1: 45.146.165.129.8080 > 92.232.202.163.15825: S 1374653538:1374653538(0) win 1024 [tos 0x20]
Apr 15 01:55:33.430236 rule 24/(match) pass in on em1: 162.142.125.64.9602 > 92.232.202.163.22: S 407183881:407183881(0) win 1024 <mss 1460>
Apr 15 01:55:34.339219 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:55:36.149409 rule 7/(match) block in on em1: 101.117.4.242.23193 > 92.232.202.163.50204: udp 106
Apr 15 01:55:47.993456 rule 7/(match) block in on em1: 171.67.71.100.40541 > 92.232.202.163.5918: S 277040846:277040846(0) win 65535
Apr 15 01:55:48.496589 rule 7/(match) block in on em1: 179.225.192.91.6881 > 92.232.202.163.50204: udp 104 [tos 0x20]
Apr 15 01:55:50.081069 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:55:50.890180 rule 7/(match) block in on em1: 179.54.185.82.58669 > 92.232.202.163.50204: udp 106
Apr 15 01:55:59.091690 rule 7/(match) block in on em1: 171.67.70.87.35549 > 92.232.202.163.60892: S 2581642130:2581642130(0) win 65535
Apr 15 01:56:02.616084 rule 7/(match) block in on em1: 68.49.29.6.6889 > 92.232.202.163.57370: udp 101 (DF)
Apr 15 01:56:06.067458 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:56:13.184853 rule 7/(match) block in on em1: 135.19.171.123.36559 > 92.232.202.163.50204: udp 106 [tos 0x28]
Apr 15 01:56:28.631774 rule 7/(match) block in on em1: 212.37.80.23.61040 > 92.232.202.163.50204: udp 106
Apr 15 01:56:31.523224 rule 24/(match) pass in on em1: 162.142.125.54.43918 > 92.232.202.163.22: S 235342525:235342525(0) win 64240 <mss 1460,sackOK,timestamp 1080307231 0,nop,wscale 10> (DF)
Apr 15 01:56:32.838362 rule 24/(match) pass in on em1: 162.142.125.176.5189 > 92.232.202.163.22: S 0:0(0) win 29200 <mss 1460,sackOK,timestamp 1618448192 0,nop,wscale 6>
Apr 15 01:56:38.621741 rule 7/(match) block in on em1: 193.107.216.121.5152 > 92.232.202.163.5060: udp 414 (DF) [tos 0x28]
Apr 15 01:56:48.547325 rule 7/(match) block in on em1: 89.248.165.100.49809 > 92.232.202.163.50568: S 72676171:72676171(0) win 1024
Apr 15 01:56:53.022028 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:56:54.498032 rule 7/(match) block in on em1: 171.67.71.100.34629 > 92.232.202.163.18050: S 1515670011:1515670011(0) win 65535
Apr 15 01:56:59.177250 rule 7/(match) block in on em1: 107.11.78.0.52383 > 92.232.202.163.50204: udp 115
Apr 15 01:57:01.239206 rule 7/(match) block in on em1: 171.67.70.87.51557 > 92.232.202.163.60418: S 2264029008:2264029008(0) win 65535
Apr 15 01:57:04.137718 rule 7/(match) block in on em1: 60.54.75.101.52604 > 92.232.202.163.50204: udp 117
Apr 15 01:57:07.864318 rule 7/(match) block in on em1: 209.126.64.156.48185 > 92.232.202.163.4085: S 1062936702:1062936702(0) win 1024
Apr 15 01:57:09.051573 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:57:19.428080 rule 8/(match) block in on em1: 178.66.159.9.6144 > 92.232.202.163.50204: udp 106
Apr 15 01:57:19.681076 rule 7/(match) block in on em1: 207.180.192.205.33333 > 92.232.202.163.57479: udp 96 (DF)
Apr 15 01:57:20.703506 rule 7/(match) block in on em1: 185.173.35.21.61050 > 92.232.202.163.808: S 1581674811:1581674811(0) win 65535 <mss 1460>
Apr 15 01:57:28.933117 rule 7/(match) block in on em1: 173.249.33.72.7290 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:57:52.859145 rule 7/(match) block in on em1: 171.67.71.100.58462 > 92.232.202.163.4245: S 2071351539:2071351539(0) win 65535
Apr 15 01:58:04.453447 rule 7/(match) block in on em1: 171.67.70.87.49286 > 92.232.202.163.57922: S 1801689974:1801689974(0) win 65535
Apr 15 01:58:06.035645 rule 7/(match) block in on em1: 185.169.233.31.21491 > 92.232.202.163.50204: udp 117

That's around 150 blocks in 10 mins... or 21,600 per day if you average it out. In actual fact, this is a 'quiet' time atm so it's usually worse. I have a list of ports open (DNAT) including 22, 80, 443, 444, 784, 853, 8080, 51820, and a ton of higher up ones for random services.

If you actually glanced through the list, you probably noticed a few 'pass' logs thrown in. If you look again, they're hitting port 22 (SSH), which is open on my router, but only accessible for a non-standard username (i.e. it's not admin/root/whatever) and with an SSH key only. No passwords. So the bots are allowed to pass through the router's firewall to the SSH server, but they're just hitting a brick wall. It's still just bot activity, so I left those ones in the list for you.

Do you have the server behind a firewall, or at least fail2ban or something? What's the host OS and what file serving software are you running? Honestly if it has to be over http, I'd strongly recommend you beef up your security. You could spin up an OpenBSD virtual machine in a few minutes flat, and give it bridged access to the host network card (i.e. it gets its own local IP address from your router as if it was a real physical separate machine). You can then forward the appropriate port to the VM using your router, and the guest OS would handle the security - and any breach. More isolated that way.

With OpenBSD, the httpd server is built right in and it's an absolute breeze to configure and use, even to add SSL to. OpenBSD is so secure, when people see machines running it at DEFCON they just tut and look for something else to hack. True story. :p

If it doesn't have to be over HTTP, there are more secure and easier ways. What about vsftpd (very secure FTP daemon)? Or better yet, set up a directory for shares, set up an SSH server with a remote user allowed access to only that folder and with authentication by key only (ed25519), and then have them sftp or scp the files over. It's even possible to do it all through a nice GUI - see Cyberduck et al. There's also stuff like BitTorrent Sync. Or spin up something in Docker and have the data files chrooted to a directory mounted in the container, with the ports passed through so the remote person can log in and grab them, but the OS is actually just basically empty with only that one directory available. There are loads of options with layers of security to choose from, rather than dumping everything over plain HTTP and opening your (Windows?) machine directly to the Internet...
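As an added example (not from the post above, nor code from any of the posters), here is a small Python script that parses pflog lines in the format shown and pulls out what a log reader actually wants at a glance: block/pass counts, which sources are sweeping several distinct ports, how many blocked packets were bare SYNs with no TCP options (the usual signature of stateless scanners), what was passed through, and the per-day block rate the poster worked out by hand. The sample lines are twelve copied from the log above; the year handed to the parser is an assumption, since pflog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One pflog line as printed by `tcpdump -n -e -ttt -r /var/log/pflog` on OpenBSD:
# timestamp, matching rule, action, direction, interface, src.port > dst.port, then
# either "udp <len>" or the TCP flag summary ("S" SYN, "R" RST, "." ACK-only) and options.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# Twelve lines copied from the log in the post above.
SAMPLE_LOG = [
    "Apr 15 01:48:05.369916 rule 7/(match) block in on em1: 81.242.198.139.60159 > 92.232.202.163.50204: udp 106",
    "Apr 15 01:48:15.589639 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7168: S 3664143275:3664143275(0) win 1024 [tos 0x20]",
    "Apr 15 01:48:15.654030 rule 7/(match) block in on em1: 171.67.71.100.49187 > 92.232.202.163.6468: S 3457903046:3457903046(0) win 65535",
    "Apr 15 01:49:17.901343 rule 7/(match) block in on em1: 171.67.71.100.50594 > 92.232.202.163.7137: S 847547728:847547728(0) win 65535",
    "Apr 15 01:50:18.841004 rule 7/(match) block in on em1: 171.67.71.100.41989 > 92.232.202.163.8181: S 75925202:75925202(0) win 65535",
    "Apr 15 01:50:42.514160 rule 24/(match) pass in on em1: 192.241.206.109.48194 > 92.232.202.163.22: S 2040010608:2040010608(0) win 29200 <mss 1460,sackOK,timestamp 130345325 0,nop,wscale 7> (DF)",
    "Apr 15 01:51:24.025396 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7211: S 1444720723:1444720723(0) win 1024 [tos 0x20]",
    "Apr 15 01:51:30.017173 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7169: S 3173862375:3173862375(0) win 1024 [tos 0x20]",
    "Apr 15 01:51:38.583813 rule 8/(match) block in on em1: 185.153.199.131.44846 > 92.232.202.163.3389: S 3413504416:3413504416(0) win 1024 [tos 0x28]",
    "Apr 15 01:52:22.970615 rule 7/(match) block in on em1: 18.203.224.218.7070 > 92.232.202.163.64728: R 2258543889:2258543889(0) win 0 (DF)",
    "Apr 15 01:52:55.826111 rule 7/(match) block in on em1: 193.107.216.13.5072 > 92.232.202.163.5060: udp 421 (DF) [tos 0x28]",
    "Apr 15 01:53:34.589224 rule 7/(match) block in on em1: 121.145.147.163.64515 > 92.232.202.163.23: S 1558760099:1558760099(0) win 36368 <mss 1460>",
]


def parse_line(line, year=2021):
    """Return a dict for one pflog line, or None if it does not match.
    pflog timestamps carry no year, so the year is supplied as an assumption."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    proto = "udp" if rest.startswith("udp ") else "tcp"
    flags = "" if proto == "udp" else rest.split()[0]
    return {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
        "proto": proto,
        "flags": flags,
        # Stateless SYN scanners send a bare SYN with a small fixed window and no TCP
        # options; a real client stack advertises options in angle brackets.
        "bare_syn": proto == "tcp" and flags == "S" and "<" not in rest,
    }


def summarise(lines, sweep_threshold=3):
    """Aggregate pflog lines into the numbers a log reader wants at a glance."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    blocked = [r for r in recs if r["action"] == "block"]
    ports_by_src = defaultdict(set)
    for r in blocked:
        ports_by_src[r["src"]].add(r["dport"])
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() if len(recs) > 1 else 0.0
    return {
        "actions": Counter(r["action"] for r in recs),
        "top_dports": Counter((r["proto"], r["dport"]) for r in blocked).most_common(5),
        "bare_syn_blocks": sum(r["bare_syn"] for r in blocked),
        # One source probing several distinct ports is a port sweep, not a stray packet.
        "sweepers": {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= sweep_threshold},
        "passed": [(r["src"], r["dport"]) for r in recs if r["action"] == "pass"],
        # Same extrapolation the poster did by hand: blocks over the observed window, scaled to a day.
        "blocks_per_day": len(blocked) / span * 86400 if span else None,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full ten-minute log instead of the twelve sample lines (for example `summarise(open("pflog.txt"))`) and the sweepers dictionary alone tells you which handful of sources account for most of the noise; the `passed` list is the one to read carefully, since those are the packets that reached a listening service.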
 
Man of Honour
Joined
13 Oct 2006
Posts
90,824
Even 10-15+ years ago you couldn't connect a device directly to the internet without it being connected to within about 5 minutes by all the bots, etc. out there just randomly scanning. I used to run various servers like IRCds, game servers, etc. back in the day and it wasn't pretty.
 
Soldato
Joined
18 Aug 2007
Posts
9,689
Location
Liverpool
Even 10-15+ years ago you couldn't connect a device directly to the internet without it being connected to within about 5 minutes by all the bots, etc. out there just randomly scanning. I used to run various servers like IRCds, game servers, etc. back in the day and it wasn't pretty.

It was, in many ways, much worse back then. Most homes had a single, (at the time) very expensive PC, connected directly to the home's cable modem or whatever... Public IP, and for early XP or earlier? Well, "What's a firewall?!". You'd have a worm/trojan/virus or a mixture of all three within half an hour, guaranteed. At least now we have NAT, and practically every home has a router/firewall and every OS has a software firewall too.
 
Soldato
OP
Joined
30 Jul 2005
Posts
19,361
Location
Midlands
Perfectly normal. The Internet is not 'that big', if you're a bot. The whole, entire public IPv4 Internet is scanned many times over every day.
Apr 15 01:52:16.615508 rule 7/(match) block in on em1: 89.248.165.48.47875 > 92.232.202.163.8443: S 467591717:467591717(0) win 1024
Apr 15 01:52:22.385763 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7063: S 770121064:770121064(0) win 1024 [tos 0x20]
Apr 15 01:52:22.766557 rule 7/(match) block in on em1: 171.67.71.100.58597 > 92.232.202.163.14918: S 3091479952:3091479952(0) win 65535
Apr 15 01:52:22.970615 rule 7/(match) block in on em1: 18.203.224.218.7070 > 92.232.202.163.64728: R 2258543889:2258543889(0) win 0 (DF)
Apr 15 01:52:30.624724 rule 8/(match) block in on em1: 85.174.194.151.16727 > 92.232.202.163.61097: udp 66
Apr 15 01:52:35.918103 rule 7/(match) block in on em1: 101.127.149.95.6881 > 92.232.202.163.50204: udp 115
Apr 15 01:52:38.694316 rule 7/(match) block in on em1: 101.32.190.157.53753 > 92.232.202.163.8888: S 2835836818:2835836818(0) win 43690 (DF) [tos 0x68]
Apr 15 01:52:42.021895 rule 24/(match) pass in on em1: 51.161.10.20.35894 > 92.232.202.163.22: S 3281458065:3281458065(0) win 64240 <mss 1460,sackOK,timestamp 3318980679 0,nop,wscale 7> (DF)
Apr 15 01:52:43.472848 rule 16/(match) block in on em1: 51.161.10.20.35894 > 92.232.202.163.22: . ack 1965333486 win 501 <nop,nop,timestamp 3318982128 1377591707> (DF)
Apr 15 01:52:50.611784 rule 8/(match) block in on em1: 193.27.228.176.47550 > 92.232.202.163.8443: S 1407386945:1407386945(0) win 1024 [tos 0x20]
Apr 15 01:52:50.615578 rule 8/(match) block in on em1: 45.146.165.129.8080 > 92.232.202.163.14154: S 3560265934:3560265934(0) win 1024 [tos 0x20]
Apr 15 01:52:53.073383 rule 7/(match) block in on em1: 171.67.70.87.46179 > 92.232.202.163.59382: S 1945048676:1945048676(0) win 65535
Apr 15 01:52:55.826111 rule 7/(match) block in on em1: 193.107.216.13.5072 > 92.232.202.163.5060: udp 421 (DF) [tos 0x28]
Apr 15 01:52:55.898394 rule 7/(match) block in on em1: 221.139.215.113.41152 > 92.232.202.163.57370: udp 115
Apr 15 01:52:57.229945 rule 8/(match) block in on em1: 95.55.133.55.14872 > 92.232.202.163.50204: udp 117
Apr 15 01:52:58.115230 rule 7/(match) block in on em1: 207.180.192.206.39346 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:52:58.398848 rule 7/(match) block in on em1: 207.180.192.206.39346 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:53:15.177778 rule 8/(match) block in on em1: 101.10.97.27.11001 > 92.232.202.163.50204: udp 115
Apr 15 01:53:17.460557 rule 7/(match) block in on em1: 45.132.225.80.56051 > 92.232.202.163.50204: udp 117 [tos 0x28]
Apr 15 01:53:21.526516 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232087761 0,nop,wscale 14> (DF)
Apr 15 01:53:22.069133 rule 7/(match) block in on em1: 146.88.240.4.54292 > 92.232.202.163.1604: udp 42
Apr 15 01:53:22.527065 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232088011 0,nop,wscale 14> (DF)
Apr 15 01:53:24.530412 rule 7/(match) block in on em1: 5.189.160.21.42234 > 92.232.202.163.58028: S 2647620820:2647620820(0) win 42340 <mss 1460,sackOK,timestamp 1232088512 0,nop,wscale 14> (DF)
Apr 15 01:53:28.608377 rule 7/(match) block in on em1: 171.67.71.100.58261 > 92.232.202.163.178: S 2169806456:2169806456(0) win 65535
Apr 15 01:53:30.150393 rule 7/(match) block in on em1: 175.203.171.64.40727 > 92.232.202.163.57370: udp 115
Apr 15 01:53:30.954718 rule 8/(match) block in on em1: 218.93.208.150.9090 > 92.232.202.163.22: S 30000:30000(0) win 65535
Apr 15 01:53:34.589224 rule 7/(match) block in on em1: 121.145.147.163.64515 > 92.232.202.163.23: S 1558760099:1558760099(0) win 36368 <mss 1460>
Apr 15 01:53:46.135107 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:53:49.608016 rule 7/(match) block in on em1: 45.125.65.74.46100 > 92.232.202.163.23: S 2861604601:2861604601(0) win 1024
Apr 15 01:53:52.901462 rule 7/(match) block in on em1: 186.178.169.11.9054 > 92.232.202.163.50204: udp 101 (DF)
Apr 15 01:53:54.440454 rule 7/(match) block in on em1: 171.67.70.87.36446 > 92.232.202.163.55944: S 64357334:64357334(0) win 65535
Apr 15 01:53:55.993850 rule 7/(match) block in on em1: 162.142.125.162.56160 > 92.232.202.163.45893: S 469534385:469534385(0) win 1024 <mss 1460>
Apr 15 01:53:59.695127 rule 7/(match) block in on em1: 43.242.69.70.56654 > 92.232.202.163.50204: udp 115 [tos 0x28]
Apr 15 01:54:02.096189 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:54:13.453904 rule 7/(match) block in on em1: 192.241.210.137.54215 > 92.232.202.163.8008: S 3100570634:3100570634(0) win 65535
Apr 15 01:54:28.870617 rule 7/(match) block in on em1: 220.117.254.133.40914 > 92.232.202.163.50204: udp 115
Apr 15 01:54:31.067226 rule 7/(match) block in on em1: 171.67.71.100.59507 > 92.232.202.163.7568: S 4044767504:4044767504(0) win 65535
Apr 15 01:54:31.451916 rule 7/(match) block in on em1: 217.64.148.116.56321 > 92.232.202.163.50204: udp 115
Apr 15 01:54:33.299233 rule 7/(match) block in on em1: 5.253.84.226.39922 > 92.232.202.163.5905: S 4118761288:4118761288(0) win 65535
Apr 15 01:54:36.819974 rule 8/(match) block in on em1: 45.155.205.212.47891 > 92.232.202.163.1234: S 1623288772:1623288772(0) win 1024
Apr 15 01:54:40.060645 rule 7/(match) block in on em1: 142.126.140.116.22214 > 92.232.202.163.50204: udp 103
Apr 15 01:54:47.074042 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:54:47.230818 rule 7/(match) block in on em1: 173.249.19.73.23006 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:54:47.314830 rule 7/(match) block in on em1: 173.249.19.73.23006 > 92.232.202.163.57479: udp 97 (DF)
Apr 15 01:54:55.348787 rule 7/(match) block in on em1: 154.5.82.209.1217 > 92.232.202.163.50204: udp 106
Apr 15 01:54:56.644963 rule 7/(match) block in on em1: 171.67.70.87.43172 > 92.232.202.163.62873: S 2372326933:2372326933(0) win 65535
Apr 15 01:55:03.049136 rule 7/(match) block in on em1: 173.212.202.22.6884 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:55:03.325076 rule 8/(match) block in on em1: 194.190.92.130.35973 > 92.232.202.163.57370: udp 106
Apr 15 01:55:05.609126 rule 8/(match) block in on em1: 37.204.84.153.57559 > 92.232.202.163.50204: udp 103
Apr 15 01:55:09.840868 rule 7/(match) block in on em1: 173.249.33.72.12040 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:55:13.551893 rule 7/(match) block in on em1: 89.248.165.97.50003 > 92.232.202.163.9942: S 4143123884:4143123884(0) win 1024
Apr 15 01:55:20.156618 rule 7/(match) block in on em1: 68.37.41.208.17173 > 92.232.202.163.50204: udp 104
Apr 15 01:55:20.279338 rule 7/(match) block in on em1: 67.215.236.26.17558 > 92.232.202.163.57479: udp 104
Apr 15 01:55:21.975730 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7141: S 3745596102:3745596102(0) win 1024 [tos 0x20]
Apr 15 01:55:23.403552 rule 8/(match) block in on em1: 45.146.165.129.8080 > 92.232.202.163.15825: S 1374653538:1374653538(0) win 1024 [tos 0x20]
Apr 15 01:55:33.430236 rule 24/(match) pass in on em1: 162.142.125.64.9602 > 92.232.202.163.22: S 407183881:407183881(0) win 1024 <mss 1460>
Apr 15 01:55:34.339219 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:55:36.149409 rule 7/(match) block in on em1: 101.117.4.242.23193 > 92.232.202.163.50204: udp 106
Apr 15 01:55:47.993456 rule 7/(match) block in on em1: 171.67.71.100.40541 > 92.232.202.163.5918: S 277040846:277040846(0) win 65535
Apr 15 01:55:48.496589 rule 7/(match) block in on em1: 179.225.192.91.6881 > 92.232.202.163.50204: udp 104 [tos 0x20]
Apr 15 01:55:50.081069 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:55:50.890180 rule 7/(match) block in on em1: 179.54.185.82.58669 > 92.232.202.163.50204: udp 106
Apr 15 01:55:59.091690 rule 7/(match) block in on em1: 171.67.70.87.35549 > 92.232.202.163.60892: S 2581642130:2581642130(0) win 65535
Apr 15 01:56:02.616084 rule 7/(match) block in on em1: 68.49.29.6.6889 > 92.232.202.163.57370: udp 101 (DF)
Apr 15 01:56:06.067458 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:56:13.184853 rule 7/(match) block in on em1: 135.19.171.123.36559 > 92.232.202.163.50204: udp 106 [tos 0x28]
Apr 15 01:56:28.631774 rule 7/(match) block in on em1: 212.37.80.23.61040 > 92.232.202.163.50204: udp 106
Apr 15 01:56:31.523224 rule 24/(match) pass in on em1: 162.142.125.54.43918 > 92.232.202.163.22: S 235342525:235342525(0) win 64240 <mss 1460,sackOK,timestamp 1080307231 0,nop,wscale 10> (DF)
Apr 15 01:56:32.838362 rule 24/(match) pass in on em1: 162.142.125.176.5189 > 92.232.202.163.22: S 0:0(0) win 29200 <mss 1460,sackOK,timestamp 1618448192 0,nop,wscale 6>
Apr 15 01:56:38.621741 rule 7/(match) block in on em1: 193.107.216.121.5152 > 92.232.202.163.5060: udp 414 (DF) [tos 0x28]
Apr 15 01:56:48.547325 rule 7/(match) block in on em1: 89.248.165.100.49809 > 92.232.202.163.50568: S 72676171:72676171(0) win 1024
Apr 15 01:56:53.022028 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:56:54.498032 rule 7/(match) block in on em1: 171.67.71.100.34629 > 92.232.202.163.18050: S 1515670011:1515670011(0) win 65535
Apr 15 01:56:59.177250 rule 7/(match) block in on em1: 107.11.78.0.52383 > 92.232.202.163.50204: udp 115
Apr 15 01:57:01.239206 rule 7/(match) block in on em1: 171.67.70.87.51557 > 92.232.202.163.60418: S 2264029008:2264029008(0) win 65535
Apr 15 01:57:04.137718 rule 7/(match) block in on em1: 60.54.75.101.52604 > 92.232.202.163.50204: udp 117
Apr 15 01:57:07.864318 rule 7/(match) block in on em1: 209.126.64.156.48185 > 92.232.202.163.4085: S 1062936702:1062936702(0) win 1024
Apr 15 01:57:09.051573 rule 7/(match) block in on em1: 213.136.79.205.49821 > 92.232.202.163.57370: udp 97 (DF)
Apr 15 01:57:19.428080 rule 8/(match) block in on em1: 178.66.159.9.6144 > 92.232.202.163.50204: udp 106
Apr 15 01:57:19.681076 rule 7/(match) block in on em1: 207.180.192.205.33333 > 92.232.202.163.57479: udp 96 (DF)
Apr 15 01:57:20.703506 rule 7/(match) block in on em1: 185.173.35.21.61050 > 92.232.202.163.808: S 1581674811:1581674811(0) win 65535 <mss 1460>
Apr 15 01:57:28.933117 rule 7/(match) block in on em1: 173.249.33.72.7290 > 92.232.202.163.50204: udp 97 (DF)
Apr 15 01:57:52.859145 rule 7/(match) block in on em1: 171.67.71.100.58462 > 92.232.202.163.4245: S 2071351539:2071351539(0) win 65535
Apr 15 01:58:04.453447 rule 7/(match) block in on em1: 171.67.70.87.49286 > 92.232.202.163.57922: S 1801689974:1801689974(0) win 65535
Apr 15 01:58:06.035645 rule 7/(match) block in on em1: 185.169.233.31.21491 > 92.232.202.163.50204: udp 117

That's around 150 blocks in 10 mins... or 21,600 per day if you average it out. In actual fact, this is a 'quiet' time atm so it's usually worse. I have a list of ports open (DNAT) including 22, 80, 443, 444, 784, 853, 8080, 51820, and a ton of higher up ones for random services.

If you actually glanced through the list, you probably noticed a few 'pass' logs thrown in. If you look again, they're hitting port 22 (SSH), which is open on my router, but only accessible for a non-standard username (i.e. it's not admin/root/whatever) and with an SSH key only. No passwords. So the bots are allowed to pass through the router's firewall to the SSH server, but they're just hitting a brick wall. It's still just bot activity, so I left those ones in the list for you.

Do you have the server behind a firewall, or at least fail2ban or something? What's the host OS and what file serving software are you running? Honestly if it has to be over http, I'd strongly recommend you beef up your security. You could spin up an OpenBSD virtual machine in a few minutes flat, and give it bridged access to the host network card (i.e. it gets its own local IP address from your router as if it was a real physical separate machine). You can then forward the appropriate port to the VM using your router, and the guest OS would handle the security - and any breach. More isolated that way.

With OpenBSD, the httpd server is built right in and it's an absolute breeze to configure and use, even to add SSL to. OpenBSD is so secure, when people see machines running it at DEFCON they just tut and look for something else to hack. True story. :p

If it doesn't have to be over http, there are more secure and easier ways. What about vsftpd (very secure ftp daemon)? Or better yet, set up a directory for shares, set up an SSH server with a remote user allowed access to only that folder and with authentication by key only (ed25519), and then have them sftp or scp the files over. It's even possible to do it all through a nice GUI - see Cyberduck et al. There's also stuff like Bittorrent Sync. Or spin up something in Docker and have the data files chrooted to a directory mounted in the container, with the ports passed through so the remote person can log in and grab them, but the OS is actually just basically empty with only that one directory available. There's loads of options with layers of security to choose from, rather than dumping everything over plain HTTP and opening your (Windows?) machine directly to the Internet...
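
As an added example (not code from the thread or from any of the posters), here is a small Python script that parses pflog lines in the format posted above and pulls out the signals that separate background scanning from someone paying attention to you: which destination ports get hit, which sources probe many distinct ports, which sources reuse a single source port across many destination ports (the fixed-source-port signature of mass scanners), and which entries were passed through to a listening service. The sample input is a subset of the lines posted above, copied as-is; the line format, the fan-out threshold and the verdict heuristics are the writer's assumptions, not anything from the original post.

```python
"""Triage of pflog 'block'/'pass' lines (tcpdump output of the pflog interface)."""
import re
from collections import Counter, defaultdict

# One pflog line as tcpdump prints it. Format assumed from the log posted above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Sample input: sixteen of the lines posted above, copied unchanged.
SAMPLE_LOG = """
Apr 15 01:50:21.418408 rule 7/(match) block in on em1: 89.248.165.97.50003 > 92.232.202.163.9569: S 1753229059:1753229059(0) win 1024
Apr 15 01:50:23.907943 rule 7/(match) block in on em1: 202.8.112.163.60000 > 92.232.202.163.50204: udp 117
Apr 15 01:50:31.206608 rule 8/(match) block in on em1: 193.27.229.47.45853 > 92.232.202.163.36383: S 950175790:950175790(0) win 1024
Apr 15 01:50:42.514160 rule 24/(match) pass in on em1: 192.241.206.109.48194 > 92.232.202.163.22: S 2040010608:2040010608(0) win 29200 <mss 1460,sackOK,timestamp 130345325 0,nop,wscale 7> (DF)
Apr 15 01:51:24.025396 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7211: S 1444720723:1444720723(0) win 1024 [tos 0x20]
Apr 15 01:51:30.017173 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7169: S 3173862375:3173862375(0) win 1024 [tos 0x20]
Apr 15 01:51:38.583813 rule 8/(match) block in on em1: 185.153.199.131.44846 > 92.232.202.163.3389: S 3413504416:3413504416(0) win 1024 [tos 0x28]
Apr 15 01:52:22.385763 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7063: S 770121064:770121064(0) win 1024 [tos 0x20]
Apr 15 01:52:22.970615 rule 7/(match) block in on em1: 18.203.224.218.7070 > 92.232.202.163.64728: R 2258543889:2258543889(0) win 0 (DF)
Apr 15 01:52:42.021895 rule 24/(match) pass in on em1: 51.161.10.20.35894 > 92.232.202.163.22: S 3281458065:3281458065(0) win 64240 <mss 1460,sackOK,timestamp 3318980679 0,nop,wscale 7> (DF)
Apr 15 01:52:43.472848 rule 16/(match) block in on em1: 51.161.10.20.35894 > 92.232.202.163.22: . ack 1965333486 win 501 <nop,nop,timestamp 3318982128 1377591707> (DF)
Apr 15 01:52:55.826111 rule 7/(match) block in on em1: 193.107.216.13.5072 > 92.232.202.163.5060: udp 421 (DF) [tos 0x28]
Apr 15 01:52:57.229945 rule 8/(match) block in on em1: 95.55.133.55.14872 > 92.232.202.163.50204: udp 117
Apr 15 01:55:13.551893 rule 7/(match) block in on em1: 89.248.165.97.50003 > 92.232.202.163.9942: S 4143123884:4143123884(0) win 1024
Apr 15 01:55:21.975730 rule 8/(match) block in on em1: 45.146.165.25.52563 > 92.232.202.163.7141: S 3745596102:3745596102(0) win 1024 [tos 0x20]
Apr 15 01:56:38.621741 rule 7/(match) block in on em1: 193.107.216.121.5152 > 92.232.202.163.5060: udp 414 (DF) [tos 0x28]
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one pflog line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rest.startswith("udp"):
        rec["proto"], rec["flags"] = "udp", ""
    else:
        # TCP: the first token is tcpdump's flag summary ('S' SYN, 'R' RST, '.' bare ACK)
        rec["proto"], rec["flags"] = "tcp", rest.split()[0]
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def triage(lines, fanout_threshold=3):
    """Summarise a batch of pflog lines into the signals worth looking at."""
    recs = [r for r in map(parse_line, lines) if r]
    by_port = Counter((r["proto"], r["dport"]) for r in recs)
    ports_by_src = defaultdict(set)          # distinct dst ports per source IP
    ports_by_src_sport = defaultdict(set)    # distinct dst ports per (source IP, source port)
    for r in recs:
        ports_by_src[r["src"]].add(r["dport"])
        ports_by_src_sport[(r["src"], r["sport"])].add(r["dport"])
    # A source walking several ports on one host is scanning; a source doing it
    # from one fixed source port is almost always a stateless mass scanner.
    scanners = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= fanout_threshold}
    fixed_sport = {k: sorted(p) for k, p in ports_by_src_sport.items() if len(p) >= 2}
    # 'pass' entries reached a real listener; those are the ones to read the service logs for.
    passed = [(r["src"], r["dport"]) for r in recs if r["action"] == "pass"]
    return {
        "total": len(recs),
        "top_ports": by_port.most_common(5),
        "scanners": scanners,
        "fixed_sport": fixed_sport,
        "passed": passed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} entries; busiest ports: {result['top_ports']}")
    for src, ports in result["scanners"].items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
    for (src, sport), ports in result["fixed_sport"].items():
        print(f"{src} reused source port {sport} across {ports}  <- mass-scanner signature")
    print("passed through to a listening service:", result["passed"])
```

Run it against the full log (`tcpdump -n -e -ttt -r /var/log/pflog`, or the live `pflog0` interface) rather than the sixteen sample lines and the picture is the same one the post describes: a long tail of single probes from many sources, a handful of sources walking a port range from one fixed source port, and nothing but SYNs reaching port 22. Anything that shows up as a scanner and also appears in the `passed` list is the entry worth cross-checking in the SSH or HTTP logs.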

I run the free HFS HTTP file server and I use stunnel; the OS is Win Server 2008 R2. I use the stock ISP-provided router and forward port 443 to the server. Port 80 is blocked on the server too, so local machines can't access the HTTP server unless they use port 443 or https in the browser. I get a certificate error but that's normal for home-made certs lol.
The banning of IPs doing brute force I wanted, but with stunnel the HTTP server software only sees connections coming from the local loopback IP (127.0.0.1), so it can't ban that.
Stunnel doesn't have built-in banning since it's just the middle man handling encryption.
 
Last edited:
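
The loopback problem described in the post above (HFS only ever sees 127.0.0.1, so it has nothing to ban) can be worked around by doing the banning one layer out, where the real client address is still visible: stunnel's own log records the client IP for every accepted connection, and the block can be applied at the Windows firewall rather than inside HFS. As an added example that is not from the thread or from the stunnel project, this Python script reads stunnel's log, pairs each accepted connection with its close line by connection id, treats a connection that closed with zero bytes in either direction (a scanner that connected and left without finishing a TLS handshake) as a probe, and lists sources that sent several such probes inside a short window. The stunnel log format, the sample lines (documentation-range addresses, constructed for this example), the thresholds and the `netsh` rule name are all assumptions.

```python
"""Build a ban list from stunnel's log, since HFS behind stunnel cannot see client IPs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stunnel 5.x log lines at log level 5: the 'accepted connection' and
# 'Connection closed' lines for one connection share the id in square brackets.
TS = r"(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d)"
ACCEPT_RE = re.compile(
    TS + r" LOG\d\[(?P<cid>\d+)\]: Service \[(?P<svc>[^\]]+)\] "
    r"accepted connection from (?P<ip>[0-9A-Fa-f:.]+):(?P<port>\d+)$"
)
CLOSE_RE = re.compile(
    TS + r" LOG\d\[(?P<cid>\d+)\]: Connection closed: "
    r"(?P<to_tls>\d+) byte\(s\) sent to TLS, (?P<to_sock>\d+) byte\(s\) sent to socket$"
)

# Constructed sample log: one scanner hammering within a minute, one real download,
# one slow scanner whose probes are spread out over more than half an hour.
SAMPLE_STUNNEL_LOG = """
2021.04.15 01:50:18 LOG5[3]: Service [https] accepted connection from 192.0.2.44:50003
2021.04.15 01:50:18 LOG5[3]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.04.15 01:50:40 LOG5[4]: Service [https] accepted connection from ::ffff:192.0.2.44:50003
2021.04.15 01:50:40 LOG5[4]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.04.15 01:51:02 LOG5[5]: Service [https] accepted connection from 192.0.2.44:50003
2021.04.15 01:51:02 LOG5[5]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.04.15 01:52:10 LOG5[6]: Service [https] accepted connection from 203.0.113.7:41022
2021.04.15 01:52:31 LOG5[6]: Connection closed: 48211 byte(s) sent to TLS, 1320 byte(s) sent to socket
2021.04.15 01:53:05 LOG5[7]: Service [https] accepted connection from 198.51.100.9:55001
2021.04.15 01:53:05 LOG5[7]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.04.15 02:30:00 LOG5[8]: Service [https] accepted connection from 198.51.100.9:55002
2021.04.15 02:30:00 LOG5[8]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.04.15 02:30:01 LOG5[9]: Service [https] accepted connection from 198.51.100.9:55003
2021.04.15 02:30:01 LOG5[9]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
""".strip().splitlines()


def parse_stunnel_log(lines):
    """Pair each accepted connection with its close line by connection id.

    Returns a list of (opened_at, client_ip, bytes_to_tls, bytes_to_socket)."""
    open_conns = {}
    sessions = []
    for line in lines:
        m = ACCEPT_RE.match(line.strip())
        if m:
            ip = m["ip"]
            if ip.startswith("::ffff:"):  # IPv4-mapped form seen on dual-stack listeners
                ip = ip[len("::ffff:"):]
            open_conns[m["cid"]] = (datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"), ip)
            continue
        m = CLOSE_RE.match(line.strip())
        if m and m["cid"] in open_conns:
            opened, ip = open_conns.pop(m["cid"])
            sessions.append((opened, ip, int(m["to_tls"]), int(m["to_sock"])))
    return sessions


def ban_candidates(sessions, limit=3, window=timedelta(minutes=10)):
    """IPs with `limit` or more zero-byte connections inside any span of `window`.

    Zero bytes both ways means no TLS handshake completed and nothing ever reached
    HFS, which is exactly the connect-and-drop pattern the thread describes."""
    probes = defaultdict(list)
    for opened, ip, to_tls, to_sock in sessions:
        if to_tls == 0 and to_sock == 0:
            probes[ip].append(opened)
    hits = []
    for ip, times in probes.items():
        times.sort()
        for i in range(len(times) - limit + 1):  # sliding window over sorted timestamps
            if times[i + limit - 1] - times[i] <= window:
                hits.append(ip)
                break
    return sorted(hits)


def netsh_block_rule(ip):
    """Windows firewall command that drops the source before it reaches stunnel.

    The rule name 'stunnel-ban <ip>' is an arbitrary label chosen for this example."""
    return (f'netsh advfirewall firewall add rule name="stunnel-ban {ip}" '
            f'dir=in action=block remoteip={ip}')


if __name__ == "__main__":
    sessions = parse_stunnel_log(SAMPLE_STUNNEL_LOG)
    for ip in ban_candidates(sessions):
        print(netsh_block_rule(ip))
```

The script only prints the `netsh` commands; run it from a scheduled task that feeds it the live log and pipes the output into a shell if you want the bans applied automatically, and give the rules an expiry by deleting them with `netsh advfirewall firewall delete rule name="..."` after a day so a mistyped threshold does not lock out a legitimate user for good. Counting zero-byte closes rather than every connection is what keeps the real download from 203.0.113.7 off the list.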
Soldato
Joined
3 Jun 2005
Posts
3,048
Location
The South
OpenBSD is so secure...

Compared to? As there have been vulnerabilities for OpenBSD and it doesn't negate vulnerabilities that exist with services running on top of OpenBSD.

@Cyber-Mav - As said, it's most likely bot activity, but if you don't have to expose it directly and can have it sitting behind a VPN then all the better.

Edit - Missed the bit about VPN being blocked. In which case, keep it all up-to-date and keep an eye on logs etc.
 
Associate
Joined
19 Oct 2002
Posts
1,067
Location
Welwyn Garden City
As you know how to use stunnel, you can wrap OpenVPN in TCP mode with stunnel to hide the VPN (or just change the VPN port if they aren't using DPI to determine what traffic is VPN traffic).
 
Soldato
Joined
18 Aug 2007
Posts
9,689
Location
Liverpool
Compared to? As there have been vulnerabilities for OpenBSD and it doesn't negate vulnerabilities that exist with services running on top of OpenBSD.

Well done for cutting a sentence in half and quoting it out of context. :p OpenBSD has vulnerabilities, all software does. The difference is in how they're proactively handled and found, the auditing system, and the underlying protections which mitigate them should they happen or be exploited. For example, daemons running in chroot by default, W^X and other memory protections, pledge and unveil to sandbox running programs and daemons and restrict their filesystem and memory access, full disk encryption (including bootloader) by default, userland and privilege separation, disabling Intel HT by default... Not to mention being responsible for openssh, libressl and many other secure implementations. OpenBSD is very much proactively secure, and is very nicely documented and easy to work with - hence the suggestion. The OP could just as easily spin something up in Docker (which brings its own security implications) or chroot a user into a folder via OpenSSH* (another OpenBSD invention) as I said.


* Thank you visibleman. :p
 
Last edited:
Soldato
Joined
3 Jun 2005
Posts
3,048
Location
The South
As you know how to use stunnel then you can wrap OpenVPN in TCP mode with stunnel to hide the VPN (or just change the VPN port if they arent using DPI to determine what traffic is VPN traffc)

@Cyber-Mav, definitely worth trying this as it'll be the better option over exposing services unnecessarily.

...SSH (another OpenBSD invention)...

[Pedantic]OpenSSH rather than SSH[/Pedantic] ;)
 