{"id":992,"date":"2019-12-03T14:26:23","date_gmt":"2019-12-03T02:26:23","guid":{"rendered":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=992"},"modified":"2019-12-03T14:26:23","modified_gmt":"2019-12-03T02:26:23","slug":"hackers-pcs-of-infected-users-or-researchers","status":"publish","type":"post","link":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=992","title":{"rendered":"Hackers, PCs of infected users, or researchers ?"},"content":{"rendered":"<p>There is an annoying amount of rubbish traffic to my website and below is a selected (grep&#8217;ed) portion of it.<\/p>\n<p>The documentation URL logged describes the masscan tool as similar to nmap, its purpose is to find open ports on internet sites. <\/p>\n<pre>[root@vosprey3 httpd]# <em>grep masscan access_log<\/em>\r\n163.172.47.200 - - [01\/Dec\/2019:06:16:45 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n80.241.221.67 - - [01\/Dec\/2019:07:12:01 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n159.65.11.106 - - [01\/Dec\/2019:08:08:35 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n149.129.243.159 - - [01\/Dec\/2019:11:40:56 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n173.249.49.151 - - [01\/Dec\/2019:13:54:12 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n79.143.188.161 - - [01\/Dec\/2019:17:58:22 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n146.196.55.181 - - [01\/Dec\/2019:20:09:34 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n159.65.187.159 - - [01\/Dec\/2019:21:18:40 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 
(https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n202.168.64.24 - - [02\/Dec\/2019:00:35:20 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n206.189.237.232 - - [02\/Dec\/2019:01:26:36 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n173.249.51.194 - - [02\/Dec\/2019:09:43:41 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n52.6.12.150 - - [02\/Dec\/2019:11:34:08 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n167.99.40.21 - - [02\/Dec\/2019:12:29:29 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n167.99.40.21 - - [02\/Dec\/2019:12:29:35 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n138.68.247.104 - - [02\/Dec\/2019:18:51:55 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n207.180.220.8 - - [02\/Dec\/2019:22:26:47 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n142.93.187.70 - - [02\/Dec\/2019:22:35:14 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n5.189.188.207 - - [02\/Dec\/2019:23:57:36 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n5.189.134.236 - - [03\/Dec\/2019:05:25:31 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n165.227.4.106 - - [03\/Dec\/2019:06:22:25 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n167.99.130.208 - - [03\/Dec\/2019:06:24:38 +1300] \"GET \/ HTTP\/1.0\" 
200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n207.180.224.136 - - [03\/Dec\/2019:08:07:02 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n5.189.162.164 - - [03\/Dec\/2019:09:43:27 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n207.180.213.201 - - [03\/Dec\/2019:11:50:21 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n51.38.239.33 - - [03\/Dec\/2019:12:14:56 +1300] \"GET \/ HTTP\/1.0\" 200 4418 \"-\" \"masscan\/1.0 (https:\/\/github.com\/robertdavidgraham\/masscan)\"\r\n<\/pre>\n<p>Simply because the requests are coming from so many different ip-addresses it can be assumed they are from infected PCs or a hacker toolkit. Some may be requests from semi-legitimate port mapping sites like shodan, but I don&#8217;t want my ports mapped.<\/p>\n<p>Interestingly, my firewall rules are also logging these, but for a different reason: for the last three addresses the entries look like timeout-outbound \/ incomplete-handshake-inbound \/ timeout-outbound. 
All incomplete connections anyway, and all to port 80 (none to the other http port, 443, or to any other open ports), so a rather selective scan.<\/p>\n<pre>\r\nDec  3 09:43:34 vosprey3 kernel: DROPPED IN= OUT=ens3 SRC=192.168.1.193 DST=5.189.162.164 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13052 DF PROTO=TCP SPT=80 DPT=61000 SEQ=1082931877 ACK=1097398385 WINDOW=29200 RES=0x00 ACK PSH FIN URGP=0\r\nDec  3 11:50:51 [localhost] kernel: ABORTED IN=ens3 OUT= MAC=52:54:00:38:ef:48:9c:d6:43:ab:90:a3:08:00 SRC=207.180.213.201 DST=192.168.1.193 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=6478 PROTO=TCP SPT=61000 DPT=80 SEQ=2892097713 ACK=467644449 WINDOW=1200 RES=0x00 RST URGP=0\r\nDec  3 12:15:02 [localhost] kernel: DROPPED IN= OUT=ens3 SRC=192.168.1.193 DST=51.38.239.33 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=62338 DF PROTO=TCP SPT=80 DPT=61000 SEQ=2386804186 ACK=3821347452 WINDOW=29200 RES=0x00 ACK PSH FIN URGP=0\r\n<\/pre>\n<p>They are just port scanning requests, definitely not web-crawlers, as they never request more than the head \/ url. And as they only request the \/ url, I cannot use apache rewrite rules to blacklist the ip-addresses in real time.<\/p>\n<p>I have added a check for those requests into my daily batch job that scans the access logs, so the ip-addresses performing those scans will still be added automatically into my drop rules for misbehaving source-ips, if a little slower than real time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is an annoying amount of rubbish traffic to my website and below is a selected (grep&#8217;ed) portion of it. 
The documentation URL logged describes the masscan tool as similar to nmap, its purpose is to find open ports on &hellip; <a href=\"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=992\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-992","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=992"}],"version-history":[{"count":2,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/992\/revisions"}],"predecessor-version":[{"id":994,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/992\/revisions\/994"}],"wp:attachment":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=992"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}