Unknown connection on my raspberry connected to the Internet.

I plugged my Raspberry Pi model B into my box (at SFR in France), connected to the Internet. My box redirects every request arriving on port 8080 to port 8080 of my Raspberry, where I have an application listening on port 8080. To access my Raspberry application, which is a website, you must enter the IP address in your web browser, or enter my DtDNS address, on port 8080 (myip:8080 or myadress.dtdns.net:8080). I log every connection on my Raspberry, and I get this result (all the IP addresses are unknown to me).

My question is: what are all these connections and where did they come from? Is it a bot or something else? If you have any explanation, I will take it. Is there any bot that scans every port on every IP address in the world?

years-month-day hours:minute:seconds : IP address call ...
2016-03-30 07:48:47 : 93.174.93.94 call GET /
2016-03-30 11:19:13 : 202.62.86.140 call HEAD /manager/html
2016-03-30 15:41:23 : 104.148.71.133 call GET http://azenv.net/
2016-03-30 15:41:23 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 15:41:42 : 104.148.71.133 call GET http://domkrim.com/av.php
2016-03-30 15:41:43 : 104.148.71.133 call GET http://azenv.net/
2016-03-30 15:41:43 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 15:42:03 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 20:01:28 : 210.91.40.88 call GET //script
2016-03-30 20:01:29 : 210.91.40.88 call GET //script
2016-03-30 20:01:33 : 210.91.40.88 call GET //script
2016-03-30 20:01:35 : 210.91.40.88 call GET //script
2016-03-30 20:12:00 : 93.174.93.94 call GET /
2016-03-31 02:05:25 : 93.174.93.94 call GET /
2016-03-31 02:30:48 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:30:48 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://www.mesregies.com/azz.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://domkrim.av/.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:31:28 : 104.148.71.133 call GET http://www.proxyjudge.info/azenv.php
2016-03-31 08:24:50 : 222.186.34.155 call GET https://m.baidu.com/
2016-03-31 08:24:52 : 222.186.34.155 call GET https://m.baidu.com/
2016-03-31 08:24:52 : 222.186.34.155 call GET https://m.baidu.com/
2016-04-09 04:10:59 : 91.236.75.4 call GET http://www.google.com/reader/about/
2016-04-09 09:42:26 : 93.174.93.94 call GET /
2016-04-09 10:23:18 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:19 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:21 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:25 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:33 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:49 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 19:57:09 : 146.0.43.8 call GET /
2016-04-09 20:57:08 : 93.174.93.94 call GET /
2016-04-10 03:16:35 : 185.92.72.15 call GET /
2016-04-10 03:16:35 : 185.92.72.15 call GET /HNAP1/
2016-04-10 11:52:40 : 91.236.75.4 call GET http://www.google.com/reader/about/
1 answer

They are trying to find a vulnerability on your server. I see them every day on my server.

Remember: not indexing an IP address does not improve security: botnets that try to attack users do not care about DNS, only about IPs. It is like your home: your street and your address are public, but it is better to keep the doors closed.

What I see every day are bots that do brute-force attacks on ssh and general vulnerability checks on ports 80 and 8080.

Very often, the bots are IoT devices with UPnP enabled and the DEFAULT administrator name unchanged. Sometimes it is a Raspberry Pi (or similar) with default login information.

So, the best countermeasure you can take is to change the default login, turn off UPnP if you do not need it, and, if you can, turn off login for the usual users (e.g. root, admin, pi, etc.).

Adding some characters to your username (e.g. changing pi to user_pi) may help you against dictionary attacks (pre-programmed combinations of username and password), but a good password is the best. Using a localized name will not work: sometimes bots use different dictionaries according to your IP address.

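Added example, not part of the question or the answer: a small Python script that parses the question's log format ("date time : ip call METHOD target"), groups requests by source IP and labels each request by what it is probing for, so the pattern the answer describes (scanners, not real users) can be read off a whole log file. The sample lines are copied from the question's own log; the label names and the classification rules are assumptions.

```python
import re
from collections import defaultdict

# Log line format from the question: "YYYY-MM-DD HH:MM:SS : <ip> call <METHOD> <target>"
LINE_RE = re.compile(r"^(\S+ \S+) : (\S+) call (\S+) (\S+)$")

# Constructed sample: a handful of lines copied from the question's log
SAMPLE_LOG = """\
2016-03-30 07:48:47 : 93.174.93.94 call GET /
2016-03-30 11:19:13 : 202.62.86.140 call HEAD /manager/html
2016-03-30 15:41:23 : 104.148.71.133 call GET http://azenv.net/
2016-03-30 15:41:23 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 20:01:28 : 210.91.40.88 call GET //script
2016-04-09 10:23:18 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-10 03:16:35 : 185.92.72.15 call GET /HNAP1/
"""


def parse(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, target = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "target": target}


def classify(entry):
    """Label a request by what the client is testing for (labels are assumptions)."""
    target = entry["target"]
    # A full URL as the request target means the client is checking whether this
    # host will forward the request to a third party, i.e. act as an open proxy.
    if target.startswith(("http://", "https://")):
        return "open-proxy probe"
    # A bare "/" just checks what answers on the port.
    if target == "/":
        return "banner grab"
    # Any other path is a guess at a specific application or device interface.
    return "application probe"


def summarize(log_text):
    """Map each source IP to (request count, sorted list of probe labels seen)."""
    by_ip = defaultdict(lambda: {"count": 0, "kinds": set()})
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue  # header line or malformed line
        by_ip[entry["ip"]]["count"] += 1
        by_ip[entry["ip"]]["kinds"].add(classify(entry))
    return {ip: (v["count"], sorted(v["kinds"])) for ip, v in by_ip.items()}
```

Running summarize() over the full log file shows that every source IP only ever probes, never fetches the site's real pages, which is what distinguishes scanner traffic from visitors.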

Source: https://habr.com/ru/post/1246814/
