
I have a VPS on which I have some Docker containers running. From time to time I receive a message, similar to the one below, from my VPS provider saying that a NetScan abuse was detected from my server. As can be seen, the source IP is my server's IP, using random source ports and trying to scan different local IPs on a fixed port. Sometimes it is a port used by my Docker containers, sometimes not.

> #               Netscan detected from host     49.x.x.x               #
> ##########################################################################
>
> time                     protocol src_ip   src_port    dest_ip        dest_port
> ---------------------------------------------------------------------------
> Mon Sep 14 16:22:53 2020 TCP      49.x.x.x 51360 =>  172.20.162.202 5432
> Mon Sep 14 16:22:53 2020 TCP      49.x.x.x 40062 =>  172.20.162.216 5432
> Mon Sep 14 16:22:53 2020 TCP      49.x.x.x 41904 =>  172.20.162.221 5432
> Mon Sep 14 16:22:53 2020 TCP      49.x.x.x 56428 =>  172.20.162.230 5432
> Mon Sep 14 16:22:53 2020 TCP      49.x.x.x 59682 =>  172.20.162.249 5432

And the list goes on...

My question is: how can I find out what triggers such behaviour, and how can I prevent it?

LE: my `ip route` result:

default via 172.31.1.1 dev eth0 proto dhcp metric 100
49.x.x.x dev eth0 proto kernel scope link src 49.x.x.x metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.31.1.1 dev eth0 proto dhcp scope link metric 100
172.255.0.0/24 dev br-632ed70d0651 proto kernel scope link src 172.255.0.1
172.255.1.0/24 dev br-0d6c24afff89 proto kernel scope link src 172.255.1.1

1 Answer


Don't try to route private IP addresses to the Internet. If that network is used by your Docker containers, make sure Docker is up and the virtual network was created correctly.

Michael Hampton
  • That network is not used by any Docker container; I have created a network using this subnet: 172.255.0.0/24, and every container has a static IP assigned from that subnet. I will add the present IP routes to the question. – Vladimir Stanciu Sep 16 '20 at 15:15
  • @VladimirStanciu Do you have a misconfigured container trying to connect to those addresses? – Michael Hampton Sep 16 '20 at 15:18
  • No, and even if I had, why would it use random ports as the source port? – Vladimir Stanciu Sep 16 '20 at 15:20
  • @VladimirStanciu Everything does that. – Michael Hampton Sep 16 '20 at 15:22
  • OK, I understand. I don't believe it's one of my containers, since sometimes it is indeed a destination port used by one of them, but in one case it was 6066 and no container listens on that port. Anyway, do you recommend using a firewall to prevent this netscan? Might it be some kind of external attack? – Vladimir Stanciu Sep 16 '20 at 15:34
  • Hm, yes, you can block traffic out the Ethernet interface to private IP addresses, e.g. `iptables -I OUTPUT -o enp4s0 -d 172.16.0.0/12 -j REJECT` and repeat the rule for the other two RFC1918 ranges. – Michael Hampton Sep 16 '20 at 15:36
  • Thanks, will try out your solution. – Vladimir Stanciu Sep 16 '20 at 15:40
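
The script below is an added example, not code from the thread or from the answer above; it turns the `iptables` rule suggested in the comments into something that also answers the "how do I find out what triggers it" half of the question. Two points from the posted `ip route` output drive the design. First, the scanned addresses (172.20.162.x) fall inside 172.16.0.0/12, and the only matching route is `default via 172.31.1.1 dev eth0`, so every such packet leaves through the provider's uplink, which is exactly where the provider sees it; the Docker subnet 172.255.0.0/24 is not in any RFC1918 range and is unaffected by these rules. Second, an `OUTPUT` rule only catches the host's own processes: container traffic is routed, so it passes through `FORWARD` (Docker jumps to the `DOCKER-USER` chain first) and is masqueraded afterwards, which is why the abuse report shows the public address either way. The script therefore builds one chain, hooks it from both `OUTPUT` and `DOCKER-USER`, and logs each hit before rejecting it. Assumptions: the uplink is `eth0` as in the question; the gateway/DHCP server 172.31.1.1 from the route table is exempted so lease renewals keep working; the chain name `RFC1918-EGRESS` and the log prefix are my choices; `DOCKER-USER` only exists while Docker is running.

```shell
#!/bin/sh
# Added example: reject traffic leaving the uplink towards RFC1918 destinations,
# from host processes (OUTPUT) and from Docker containers (FORWARD via
# DOCKER-USER), logging each hit first so the origin can be identified.
# Assumptions: uplink eth0 and gateway 172.31.1.1 are taken from the question's
# `ip route` output; chain name and log prefix are chosen for this example.

UPLINK="${UPLINK:-eth0}"
EXEMPT="${EXEMPT:-172.31.1.1}"      # next hop / DHCP server, lies inside 172.16.0.0/12
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
CHAIN="RFC1918-EGRESS"

# Print the commands that build the filter chain; nothing is executed here.
# Order matters: exemptions first, then LOG before REJECT for each range.
chain_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    for host in $EXEMPT; do
        printf 'iptables -A %s -d %s -j RETURN\n' "$CHAIN" "$host"
    done
    for net in $RFC1918; do
        printf 'iptables -A %s -d %s -m limit --limit 30/min -j LOG --log-prefix "rfc1918-egress: "\n' "$CHAIN" "$net"
        printf 'iptables -A %s -d %s -j REJECT --reject-with icmp-admin-prohibited\n' "$CHAIN" "$net"
    done
}

# Print the hooks. OUTPUT sees the host's own sockets; DOCKER-USER is evaluated
# from FORWARD before Docker's own rules and before NAT, so a LOG line there
# still carries the container's bridge address in its SRC= field.
hook_rules() {
    printf 'iptables -I OUTPUT 1 -o %s -j %s\n' "$UPLINK" "$CHAIN"
    printf 'iptables -I DOCKER-USER 1 -o %s -j %s\n' "$UPLINK" "$CHAIN"
}

# Number of REJECT rules the generator emits: one per RFC1918 range.
reject_count() {
    chain_rules | grep -c -- '-j REJECT'
}

# Only touch the live firewall when explicitly asked (run as root).
if [ "${1:-}" = "apply" ]; then
    if iptables -n -L "$CHAIN" >/dev/null 2>&1; then
        echo "$CHAIN already exists; remove it before re-applying" >&2
        exit 1
    fi
    chain_rules | sh -e
    hook_rules | sh -e
fi
```

Run it without arguments (or `sh script.sh | less`) to review the generated commands, and with `apply` as root to install them; the `DOCKER-USER` hook fails if Docker is not running, so apply after the containers are up (or add the hook from a Docker post-start unit). Hits then appear in the kernel log (`journalctl -k | grep rfc1918-egress`): a line with `SRC=` equal to the server's public address came from a host process, which `ss -tanp` can tie to a PID while it is retrying; a line with `SRC=172.255.0.x` names a container, which `docker network inspect` maps back to a name. REJECT rather than DROP is deliberate, so whatever is scanning fails immediately instead of hanging in connection timeouts, and the `limit` match keeps a fast scanner from flooding the log.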