The University of Michigan Engineering Department is surveying the internet




torchbearer
10-02-2012, 06:25 AM
I run a private webserver from home. last night around 3am i received a connection request from a strange IP address.
i keep track of the connections because my site is unlisted and is invite only. i keep track of logs in search of uninvited.
well, i track the address back and this is what I find: http://141.212.121.10/


Why am I receiving connection attempts from this machine?

This machine is part of an Internet-wide network survey being conducted by computer scientists at the University of Michigan. The survey involves making TCP connection attempts to large subsets of the public IP address space and analyzing the responses. We select addresses to contact in a random order, and each address receives only a very small number of connection attempts. We do not attempt to guess passwords or access data that is not publicly visible at the address. The goal of this research is to better understand the global use of Internet protocols, including HTTPS and SSH.

To have your host or network excluded from future scans, please contact scan-admin@umich.edu.



why do i feel like my webserver has been surveyed for future monitoring?

DamianTV
10-02-2012, 06:35 AM
You've only got one? Attach a domain name to it and your computer will get literally tens of thousands of hits a day. Not from humans, but indexing web crawlers from the likes of Google, Yahoo, and every search engine pretty much everywhere on the planet, which includes China, Russia, Japan, Romania, etc. I get where you are coming from however, as some of those spiders don't play nice and want to execute every possible button from your pc. Others are less well intentioned.

I'll take it since you only had one, you don't have a domain name pointed to your IP?

torchbearer
10-02-2012, 06:41 AM
You've only got one? Attach a domain name to it and your computer will get literally tens of thousands of hits a day. Not from humans, but indexing web crawlers from the likes of Google, Yahoo, and every search engine pretty much everywhere on the planet, which includes China, Russia, Japan, Romania, etc. I get where you are coming from however, as some of those spiders don't play nice and want to execute every possible button from your pc. Others are less well intentioned.

I'll take it since you only had one, you don't have a domain name pointed to your IP?

no, i don't. i don't even use a static IP. i roam, and the people who come to my address are there by invitation.
that is why the sniff at my port was unexpected.

tangent4ronpaul
10-02-2012, 06:45 AM
my site is unlisted and is invite only.

Interesting... What kind of web site do you run?

-t

Kelly.
10-02-2012, 09:00 AM
access-list 1 deny 141.212.121.10 0.0.0.0

or

access-list 101 deny ip 141.212.121.10 0.0.0.0 any

:D
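The mask in an IOS access-list entry is a wildcard mask: 0 bits must match and 1 bits are ignored. The following is an added example, not part of any post in this thread; it models source matching and the implicit deny that ends every ACL to show how the mask and a missing permit entry change who gets blocked. The visitor address 198.51.100.7 is constructed, and the model ignores protocols, ports and interfaces.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(rule_addr, wildcard, candidate):
    """True if candidate matches rule_addr under an IOS wildcard mask.

    Bits set to 1 in the wildcard are ignored; bits set to 0 must match.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(rule_addr) ^ to_int(candidate)) & care_bits == 0

def evaluate(acl, source):
    """Return 'permit' or 'deny' for source; the first matching entry wins.

    Falls through to the implicit 'deny any' that ends every IOS ACL.
    """
    for action, addr, wildcard in acl:
        if wildcard_match(addr, wildcard, source):
            return action
    return "deny"

SCANNER = "141.212.121.10"   # address from the thread
VISITOR = "198.51.100.7"     # constructed sample (documentation range)

# Wildcard 0.0.0.0: every bit must match, so the entry hits one host only.
# With no permit entry, the implicit deny still drops everyone else.
HOST_ONLY = [("deny", SCANNER, "0.0.0.0")]

# Wildcard 255.255.255.255: every bit is ignored, so the entry matches any source.
ALL_ONES = [("deny", SCANNER, "255.255.255.255")]

# Deny the single host, then explicitly permit the rest.
HOST_THEN_PERMIT = [("deny", SCANNER, "0.0.0.0"),
                    ("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for name, acl in [("host only", HOST_ONLY),
                      ("all-ones wildcard", ALL_ONES),
                      ("host + permit any", HOST_THEN_PERMIT)]:
        print(f"{name:18} scanner={evaluate(acl, SCANNER)} "
              f"visitor={evaluate(acl, VISITOR)}")
```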

cjm
10-02-2012, 10:34 AM
This is the same sort of stuff that Netcraft has been doing for years. I wouldn't worry about it.

http://news.netcraft.com/archives/2012/10/02/october-2012-web-server-survey.html

http://news.netcraft.com/wp-content/uploads/2012/09/ssloct20121.png

FunkBuddha
10-02-2012, 10:41 AM
access-list 1 deny 141.212.121.10 0.0.0.0

or

access-list 101 deny ip 141.212.121.10 0.0.0.0 any

:D

You forgot to 'write mem'. ;)

thoughtomator
10-02-2012, 11:05 AM
why do i feel like my webserver has been surveyed for future monitoring?

That's going to happen regardless of what you do by virtue of the fact that you put it on a public network. What UMich is doing is apparently about as benign as can be - it would be appropriate for Internet engineering students to do this kind of thing in learning and research.

If this bothers you, you would be horrified to actually see what a typical Internet service (not just HTTP) gets in the way of unwanted traffic. I had a service running on a machine that probably nobody here ever heard of, and on a non-standard port to boot. The logs for that service alone easily generated tens of thousands of unauthorized access attempts over the course of a few months. An actual HTTP server can get tens of thousands of these per day.

These days, I configure servers with the audience in mind. If my intended audience is US only, then it will be configured so that US IP addresses are the only ones whose packets will not be rejected. If my audience is international I still ban all Chinese, Russian, Indian, Brazilian and GERMAN IP addresses (along with a list of other countries too long to conveniently name them all) unless I specifically want to serve one of those countries.

Just like the vast majority of email is spam, the vast majority of Internet connection attempts are also hostile. If our government were even partially competent in this field it would have long ago filtered all network traffic from nations where cyber crimes could not be prosecuted effectively.

torchbearer
10-02-2012, 11:10 AM
Interesting... What kind of web site do you run?

-t


mostly data. during the campaign i'd host pdfs and such for activists.
beyond that, it is a private server with data exchange for friends and associates.

Jumbo Shrimp
10-02-2012, 11:19 AM
Interesting... What kind of web site do you run?

-t

Prostitution ring is my guess.

tangent4ronpaul
10-02-2012, 11:37 AM
mostly data. during the campaign i'd host pdfs and such for activists.
beyond that, it is a private server with data exchange for friends and associates.

Wish I'd known about you (well the site) before...

-t

torchbearer
10-02-2012, 11:42 AM
Wish I'd known about you (well the site) before...

-t

now you know.
my bandwidth is limited to 1.5 Mb/S, and it is mostly ftp based. the other protocols allow for file manager, remote server management, etc.

tangent4ronpaul
10-02-2012, 11:44 AM
now you know.
my bandwidth is limited to 1.5 Mb/S, and it is mostly ftp based. the other protocols allow for file manager, remote server management, etc.

K - how bout a PM. Wouldn't mind taking a peek... If you don't mind.

-t

torchbearer
10-02-2012, 11:46 AM
K - how bout a PM. Wouldn't mind taking a peek... If you don't mind.

-t

will have to be later, back to work for me. lunch over.
if you don't hear from me, pm to remind me.
i'll create an ftp account for you with read access.

tangent4ronpaul
10-02-2012, 11:50 AM
will have to be later, back to work for me. lunch over.
if you don't hear from me, pm to remind me.
i'll create an ftp account for you with read access.

THANK YOU!

-t

Indy Vidual
10-02-2012, 09:23 PM
ftp account?
Don't you mean sftp?
ftp has plain text logins, any hacker can easily sniff and watch.

torchbearer
10-02-2012, 09:33 PM
ftp account?
Don't you mean sftp?
ftp has plain text logins, any hacker can easily sniff and watch.

should i turn off ftp?
i have sftp and ftps running, but so is the lesser.

torchbearer
10-02-2012, 09:38 PM
ok, changed to sftp. thanks for the security tip.

Indy Vidual
10-02-2012, 09:44 PM
^^^
You're welcome. There is no reason to ever use ftp (port 21)

michaelwise
10-02-2012, 10:28 PM
I got a message not too long ago on my screen that disappeared quickly.

It said Grip Test.
It Works.

I believe they were testing me with a GRIP TEST.

http://www.psych.umn.edu/psylabs/catcentral/pdf%20files/co75-01.pdf

cjm
10-03-2012, 02:53 AM
^^^
You're welcome. There is no reason to ever use ftp (port 21)

That's not true. For public/anonymous downloads, FTP is just fine.

torchbearer
10-04-2012, 05:13 PM
ftp account?
Don't you mean sftp?
ftp has plain text logins, any hacker can easily sniff and watch.

another thanks for the security tip.
i've had a brute force hack attempt from 202.117.3.104. a chinese address.
from 8 this morning til now he has been trying random logins.
just found my auto-block and ddos protection settings... cerberus makes a nice server suite.
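The kind of check an auto-block setting performs can be sketched as a sliding-window count of failed logins per source address. This is an added example, not part of the post and not Cerberus's code or log format: the log lines and their layout are constructed, 198.51.100.7 is a documentation-range address standing in for an invited user, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a made-up log format (not any real server's format).
# 202.117.3.104 is the address named in the thread; the rest is invented.
NAMES = ["admin", "root", "test", "guest", "ftp", "oracle", "backup"]
SAMPLE_LOG = "\n".join(sorted(
    [f"2012-10-04 08:{2 * i:02d}:00 LOGIN_FAIL user={n} src=202.117.3.104"
     for i, n in enumerate(NAMES)]
    + ["2012-10-04 08:05:10 LOGIN_FAIL user=friend src=198.51.100.7",
       "2012-10-04 08:05:25 LOGIN_OK user=friend src=198.51.100.7"]))

LINE = re.compile(r"(?P<ts>\S+ \S+) (?P<event>LOGIN_FAIL|LOGIN_OK) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)")

def find_bruteforce(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Find sources that reach max_failures failed logins within window.

    Returns {src: (time the threshold was reached, sorted usernames tried)}.
    """
    recent = defaultdict(deque)  # src -> failure timestamps still in the window
    tried = defaultdict(set)     # src -> usernames seen in failed logins
    block_at = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["event"] != "LOGIN_FAIL":
            continue
        src = m["src"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        tried[src].add(m["user"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and src not in block_at:
            block_at[src] = ts
    return {s: (t, sorted(tried[s])) for s, t in block_at.items()}

if __name__ == "__main__":
    for src, (when, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"block {src} at {when}: {len(users)} usernames tried")
```

A single mistyped password from the invited user stays under the threshold, while the source cycling through many usernames is flagged at its fifth failure.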

torchbearer
10-04-2012, 05:15 PM
someone on the campus of Xian Jiaotong University has been knocking.

torchbearer
10-04-2012, 05:16 PM
anyone use backtrack linux?