NetHogs shows suspicious IPs

Hi,

I noticed a few days ago that my local network was unstable, so I ran nethogs to show the activity of my Nextcloud server. It's installed on a Raspberry Pi, up to date (both NC and NCP), with UFW activated. Here are the logs:
? root 192.168.1.100:571-89.248.168.107:48526 0.000 0.012 KB/sec
? root 192.168.1.100:1324-94.102.56.235:48614 0.000 0.000 KB/sec
? root 192.168.1.100:23580-85.209.0.115:42142 0.000 0.000 KB/sec
? root 192.168.1.100:3217-92.118.37.82:57718 0.000 0.000 KB/sec
? root 192.168.1.100:445-37.106.136.38:58621 0.000 0.000 KB/sec

Where 192.168.1.100 is obviously the server IP on my local network.
Is there anything I can do to block these calls? Should I worry about the integrity of my server?

Any help will be truly appreciated.

I would:

sudo ufw insert 1 deny from 85.209.0.115

Make sure you don't block yourself or another regular user :wink:

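To turn a screenful of nethogs lines like the ones in the question into something actionable, here is an added example (not code from the thread or from NextcloudPi): it assumes the connection column has the "local:port-remote:port" shape shown above, lists the local ports that hosts outside RFC 1918 space are reaching, lists those hosts, and prints one `ufw insert 1 deny` per host in the form of the reply above, ready to review before running. The SAMPLE lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread: reduce nethogs output to
# (a) the local ports outside hosts are hitting and (b) the external peers, and
# print one "ufw insert 1 deny" per peer. Assumes the third column has the
# "local:port-remote:port" shape shown in the post.

# Constructed sample modelled on the posted lines (not captured traffic).
SAMPLE='? root 192.168.1.100:571-89.248.168.107:48526 0.000 0.012 KB/sec
? root 192.168.1.100:1324-94.102.56.235:48614 0.000 0.000 KB/sec
? root 192.168.1.100:445-37.106.136.38:58621 0.000 0.000 KB/sec
? root 192.168.1.100:443-192.168.1.23:51000 0.000 0.010 KB/sec
? root 192.168.1.100:22-10.0.0.5:40000 0.000 0.003 KB/sec'

# Read nethogs lines on stdin; print "localport remoteip" for every connection
# whose peer is outside RFC 1918 space and loopback.
external_hits() {
  awk '
    function is_private(ip,   o) {
      split(ip, o, ".")
      return (o[1] + 0 == 10) || (o[1] + 0 == 127) ||
             (o[1] + 0 == 192 && o[2] + 0 == 168) ||
             (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31)
    }
    $3 ~ /^[0-9.]+:[0-9]+-[0-9.]+:[0-9]+$/ {
      split($3, side, "-")
      split(side[1], l, ":")
      split(side[2], r, ":")
      if (!is_private(r[1])) print l[2], r[1]
    }'
}

# Distinct local ports reached from the Internet: if one of them is not a
# service you meant to publish, the router forwards more than it should.
exposed_ports() { external_hits | awk '{ print $1 }' | sort -nu; }

# Distinct external peers.
external_ips() { external_hits | awk '{ print $2 }' | sort -u; }

# One ufw rule per external peer, printed for review rather than executed.
ufw_deny_cmds() { external_ips | awk '{ print "sudo ufw insert 1 deny from " $1 }'; }

# Stand-alone demo on the constructed sample; in practice pipe in the nethogs
# lines saved from the terminal.
printf '%s\n' "$SAMPLE" | exposed_ports
printf '%s\n' "$SAMPLE" | ufw_deny_cmds
```

The port list is the more useful half: every port that appears there is one the router is forwarding, whether or not you meant it to.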

Fail2ban how to:


Thanks, I see you've got some nice scripts there. This is automated by Nacho in NCP (-web or -config) > security > ufw/fail2ban


Hi everyone, thank you for your answers.
Fail2ban is already loaded and running.

I can block IPs with UFW as suggested, but there are so many… The best thing to do would be to find the source of the problem. Do you have any idea how I could find this out?

Thank you again !

I block them a lot… When I had a rule to block IPs for 7+ days I always had around 400 IPs blocked. Now I have rules for 24+ hours and it is around 50 IPs dynamically blocked:


Also, after blocking I report those IPs to AbuseIPDB. A lot of GETs from those IPs don't do anything good and are only bots trying to use known security bugs of routers/webservers/services. E.g.

GET /manager/text/list HTTP/1.1 
GET /000000000000.cfg HTTP/1.1 
GET /mysql/admin/index.php?lang=en HTTP/1.1
GET /tftp/SIPDefault.cnf HTTP/1.1
POST /GponForm/diag_Form?style/ HTTP/1.1
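
The probe paths quoted above are a usable signature list on their own. The following is an added example (not code from the thread, fail2ban or NextcloudPi) that matches them against access-log lines in combined format, strips the query string first so `?style/` and `?lang=en` do not defeat the match, and then lists the source IPs that repeat them, which is the set you would hand to a ufw rule, a fail2ban jail or an AbuseIPDB report. The PROBES list widens the `.cfg` entry to any hex file name because provisioning probes vary the MAC; PROBES and LOG are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: flag scanner probes in a web server access
# log using the request paths quoted in the post as signatures, then list the
# source IPs that repeat them. PROBES and LOG are constructed for the demo.

# One extended regex per line, matched against the request path without its
# query string. The .cfg entry covers any hex-named provisioning file.
PROBES='^/manager/text/list$
^/[0-9a-fA-F]+\.cfg$
^/mysql/admin/index\.php$
^/tftp/SIPDefault\.cnf$
^/GponForm/diag_Form$'

# Constructed sample in combined log format; addresses are documentation/private ranges.
LOG='203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /manager/text/list HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "GET /000000000000.cfg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /GponForm/diag_Form?style/ HTTP/1.1" 404 196 "-" "curl/7.64.0"
198.51.100.9 - - [10/Mar/2021:10:05:00 +0000] "GET /tftp/SIPDefault.cnf HTTP/1.1" 404 196 "-" "python-requests/2.25"
192.168.1.23 - - [10/Mar/2021:10:06:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.23 - - [10/Mar/2021:10:06:01 +0000] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "ip path" for each request matching a signature.
# PROBES goes through the environment so awk does not reinterpret the backslashes.
probe_hits() {
  PROBES="$PROBES" awk '
    BEGIN { n = split(ENVIRON["PROBES"], sig, "\n") }
    match($0, /"[A-Z]+ [^ "]+/) {
      split(substr($0, RSTART + 1, RLENGTH - 1), req, " ")
      path = req[2]
      sub(/\?.*/, "", path)
      for (i = 1; i <= n; i++)
        if (path ~ sig[i]) { print $1, path; break }
    }'
}

# IPs with at least $1 probe hits (default 2): candidates for a ufw deny rule,
# a fail2ban jail or an AbuseIPDB report. Output: "ip count".
repeat_offenders() {
  probe_hits | awk -v min="${1:-2}" '
    { c[$1]++ }
    END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }' | sort
}

# Stand-alone demo; for real use: probe_hits < /var/log/apache2/access.log
printf '%s\n' "$LOG" | probe_hits
printf '%s\n' "$LOG" | repeat_offenders 2
```

Note that the LAN client in the sample also trips the `/mysql/admin/` signature once, which is why the threshold matters: a single 404 from a browser extension or a typo is not a scanner, a run of three different probe paths from one address is.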

Well, thank you for your answers. If I understand correctly, nethogs is showing requests coming in to my Raspberry Pi, not going out of it. So the issue is coming from my router, and I must be more restrictive in port attribution. Am I right?

It is up to you; personally I have a config as follows:

  • Open 22, 80, 443 and 10000 to all
  • Enable DNS, email, etc.
  • Drop from router
  • Open ports for Samba, DLNA, etc. in LAN only.

Looks similar to this:

# Note: these rules only restrict anything if the INPUT chain's default policy is
# DROP (not shown in this listing); with the default ACCEPT policy they change nothing.
# Public services: SSH, HTTP, HTTPS and a fourth TCP service on 10000
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,10000 -j ACCEPT
# Replies to connections this host opened, matched by the remote service port;
# outgoing connections to ports not in this list get no replies, so extend it as needed
iptables -A INPUT -p tcp -m multiport --sports 22,53,80,443,8080,6800,1080,7777,32400 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mail: replies from SMTP/IMAP/POP3 servers to hosts on the LAN
iptables -A INPUT -p tcp -m multiport --sports 25,143,465,587,993,995 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping
iptables -A INPUT -p icmp -j ACCEPT
# DNS and NTP replies only for lookups this host started (a bare --sports match
# would let anyone sending from source port 53 reach every UDP service)
iptables -A INPUT -p udp -m multiport --sports 53,123 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP replies arrive from port 67 to port 68 and are not tracked reliably, so match them explicitly
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# Loopback: match the interface rather than the address, so a packet with a
# spoofed 127.0.0.1 source arriving on eth0 cannot use this rule
iptables -A INPUT -i lo -j ACCEPT
# Cut input from the router itself
iptables -A INPUT -s 192.168.0.1/32 -j DROP
# Samba, LAN only (587 is SMTP submission and 514 is syslog, kept from the original rule set)
iptables -A INPUT -p tcp -m multiport -s 192.168.0.0/24 --dports 139,445,587 -j ACCEPT
iptables -A INPUT -p udp -m multiport -s 192.168.0.0/24 --dports 137,138,514 -j ACCEPT
# MiniDLNA, LAN only: HTTP on 8200, SSDP discovery on UDP 1900
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 8200 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 1900 -j ACCEPT
# Aria2 WebUI, LAN only
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 6800 -j ACCEPT
# Plex, LAN only
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 32400 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 32400 -j ACCEPT
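
A rule set like the one above is only as good as the list of services it was written for, so the check a practitioner wants is "what is listening on all interfaces that the policy does not mention?". The following is an added example (not code from the thread) that reads `ss -Hltnu` style output, classifies every socket bound to 0.0.0.0 or [::] as public, LAN-only or unexpected using the port lists from the post, and prints the ufw equivalents of the LAN-only rules for anyone on UFW rather than raw iptables. PUBLIC, LAN_ONLY and the LAN subnet are taken from the post; the SS sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare what is listening on all interfaces
# (ss -Hltnu output) with the port policy in the post, flag sockets the policy
# does not cover, and print source-restricted ufw rules for the LAN-only ones.

PUBLIC=" 22 80 443 10000 "
LAN_ONLY=" 137 138 139 445 514 587 8200 1900 6800 32400 "
LAN=192.168.0.0/24

# Constructed output of `ss -Hltnu`: proto state recv-q send-q local peer
SS='udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*'

# Read ss lines on stdin; for every socket bound to all interfaces print
# "class proto port", where class is public, lan-only or UNEXPECTED.
# Sockets bound to loopback or a single LAN address are skipped.
classify_listeners() {
  awk -v pub="$PUBLIC" -v lan="$LAN_ONLY" '
    {
      n = split($5, a, ":")
      port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
      key = " " port " "
      cls = index(pub, key) ? "public" : (index(lan, key) ? "lan-only" : "UNEXPECTED")
      print cls, $1, port
    }' | sort -u
}

# Ports exposed on every interface that the policy does not account for.
unexpected_listeners() { classify_listeners | awk '$1 == "UNEXPECTED" { print $2, $3 }'; }

# ufw equivalents of the LAN-only iptables rules, one per listening socket.
ufw_lan_rules() {
  classify_listeners | awk -v lan="$LAN" '$1 == "lan-only" {
    print "sudo ufw allow from " lan " to any port " $3 " proto " $2 }'
}

# Stand-alone demo; for real use: ss -Hltnu | unexpected_listeners
printf '%s\n' "$SS" | classify_listeners
printf '%s\n' "$SS" | unexpected_listeners
printf '%s\n' "$SS" | ufw_lan_rules
```

On the sample, the MariaDB socket on 127.0.0.1 is ignored and the unexplained listener is the one on TCP 8080; that is the port to either bind to the LAN address, put on the LAN-only list, or shut down before it turns up in nethogs next to an address from a scanner range.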