Trusted domain error from external - security issue?

horizon432 · August 1, 2018, 6:56pm

Hi,
I am getting a lot of trusted domain errors since installing Nextcloud on my personal domain. I wonder if this is something to worry about and also if there’s a way to block these or add additional protection? I’m especially concerned that they found out the private IP of my AWS instance (first row).
Thank you!
Horizon

{"reqId":"HDxeHBU63AX4vRdiqdpA","level":2,"time":"2018-07-31T22:30:57+00:00","remoteAddr":"178.73.215.171","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"178.73.215.171\" tried to access using \"ip-172-**-*-*.eu-central-1.compute.internal\" as host.","userAgent":"--","version":"13.0.5.2"}
{"reqId":"z89o9jhr6WgnbmbZFzRV","level":2,"time":"2018-08-01T03:42:17+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"www.group-ib.ru\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"9cOIoBXTxlANS8NZTtcU","level":2,"time":"2018-08-01T03:42:18+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"bhf.io\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"bqJfmbe04tacuNGLu9p3","level":2,"time":"2018-08-01T03:42:18+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"darkpro.ws\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"ROwExrX3w6DmfTeRzCPO","level":2,"time":"2018-08-01T03:42:18+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"piratebuhta.cc\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"crPyqGwNdPosnPeS56yT","level":2,"time":"2018-08-01T03:42:19+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"troyhack.xyz\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"EjtazIfYphzh56pf0xUg","level":2,"time":"2018-08-01T03:42:19+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"blackbiz.ws\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"cp04IRSnnvLVnT7BOD4G","level":2,"time":"2018-08-01T03:42:20+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"rescator.cm\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"5nLWS86r6M06NRvCAzQQ","level":2,"time":"2018-08-01T03:42:20+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"briansclub.at\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"xVUd09d4LnfgKi5gagK2","level":2,"time":"2018-08-01T03:42:21+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"goldendumps.cc\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"2V5DJIpyQrQVVXMUACh3","level":2,"time":"2018-08-01T03:42:21+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"buybestbiz.net\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"IOwc8TqMIxRQ90nrM4hs","level":2,"time":"2018-08-01T03:42:22+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"swipe.bz\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"KNFVyZO8Y4iAfr374CbK","level":2,"time":"2018-08-01T03:42:22+00:00","remoteAddr":"5.8.10.202","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"5.8.10.202\" tried to access using \"blackpass.cc\" as host.","userAgent":"Go-http-client\/1.1","version":"13.0.5.2"}
{"reqId":"wce9MIfLWUku8iycmZ7X","level":2,"time":"2018-08-01T14:14:57+00:00","remoteAddr":"74.82.47.3","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"74.82.47.3\" tried to access using \"**.***.***.**\" as host.","userAgent":"--","version":"13.0.5.2"}

tflidd · August 2, 2018, 7:01am

Looks for me like someone tries to scan your server with a script trying different hostnames. I suppose they try different hostnames to access the default virtual host which might provide services which are unvisible for specific domains (webserver statistics, admin-interfaces etc.).

You can create a rule for Fail2ban-rule to block such hosts. There can be false positives since the same IP can be used by more than one user (e.g. carrier-grade NAT).