I noticed a few days ago that my local network was unstable. So I ran nethogs, to show the activity of my Nextcloud server. It’s installed on a Raspberry Pi, up-to-date both nc & ncp, with UFW activated. Here are the logs:
? root 192.168.1.100:571-89.248.168.107:48526 0.000 0.012 KB/sec
? root 192.168.1.100:1324-94.102.56.235:48614 0.000 0.000 KB/sec
? root 192.168.1.100:23580-85.209.0.115:42142 0.000 0.000 KB/sec
? root 192.168.1.100:3217-92.118.37.82:57718 0.000 0.000 KB/sec
? root 192.168.1.100:445-37.106.136.38:58621 0.000 0.000 KB/sec
Where 192.168.1.100 is obviously the server IP on my local network.
Is there anything I can do to block these calls? Should I worry about the integrity of my server?
Hi everyone, thank you for your answers.
Fail2ban is already loaded and running.
I can block IPs with UFW as suggested, but there are so many… The best thing to do would be to find the source of the problem. Do you have any idea on how I could find this out?
I block them a lot… When I had a rule to block IPs for 7+ days, I always had around 400 IPs blocked. Now I have rules for 24+ hours and there are around 50 IPs dynamically blocked:
Also, after blocking, I report those IPs to AbuseIPDB. A lot of GETs from those IPs do not do anything good and are only bots trying to use known security bugs of routers/webservers/services. E.g.
GET /manager/text/list HTTP/1.1
GET /000000000000.cfg HTTP/1.1
GET /mysql/admin/index.php?lang=en HTTP/1.1
GET /tftp/SIPDefault.cnf HTTP/1.1
POST /GponForm/diag_Form?style/ HTTP/1.1
Well, thank you for your answers. If I understand, nethogs is showing requests coming to my Raspberry, not coming out of it. So, the issue is coming from my router, and I must be more restrictive in port attribution. Am I right?
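One way to read the direction of the nethogs lines from the first post, as an added example that is not from any poster in the thread: it compares the port on each side against the Linux default ephemeral port range (32768-60999, an assumption; check `net.ipv4.ip_local_port_range` on the host). This is a heuristic only, since a remote host can pick any source port, and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed Linux default client (ephemeral) port range.
EPHEMERAL = range(32768, 61000)
# nethogs connection column: local_ip:port-remote_ip:port
CONN = re.compile(r":(\d+)-([\d.]+):(\d+)")

# The five lines quoted in the first post.
SAMPLE = """\
? root 192.168.1.100:571-89.248.168.107:48526 0.000 0.012 KB/sec
? root 192.168.1.100:1324-94.102.56.235:48614 0.000 0.000 KB/sec
? root 192.168.1.100:23580-85.209.0.115:42142 0.000 0.000 KB/sec
? root 192.168.1.100:3217-92.118.37.82:57718 0.000 0.000 KB/sec
? root 192.168.1.100:445-37.106.136.38:58621 0.000 0.000 KB/sec
"""

def classify(line):
    """Return (direction, local_port, remote_ip), or None if no connection is found."""
    m = CONN.search(line)
    if not m:
        return None
    lport, rip, rport = int(m.group(1)), m.group(2), int(m.group(3))
    if rport in EPHEMERAL and lport not in EPHEMERAL:
        return "inbound", lport, rip    # remote side used a client port
    if lport in EPHEMERAL and rport not in EPHEMERAL:
        return "outbound", lport, rip   # this host used a client port
    return "unknown", lport, rip

def summarize(text):
    """Count lines per direction and collect the local ports contacted from outside."""
    directions, ports = Counter(), set()
    for line in text.splitlines():
        result = classify(line)
        if result:
            directions[result[0]] += 1
            if result[0] == "inbound":
                ports.add(result[1])
    return directions, sorted(ports)

if __name__ == "__main__":
    directions, ports = summarize(SAMPLE)
    print(dict(directions))
    print("local ports contacted from outside:", ports)
```

The sorted port list is what to compare against the router's port forwards and the UFW rules.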