On 20/02/2021 21.14, Dave Howorth wrote:
On Sat, 20 Feb 2021 20:35:23 +0100 (CET) "Carlos E. R." <> wrote:
I was playing some time ago with a little server, running Apache, in a dynamic home address.
And using a very high port, to avoid scans.
I forgot about it.
Then the other day, I wanted to share a file using my server, and noticed that Apache was being hit, with "stupid" requests. Well, not stupid, they are probably probing vulnerabilities.
What it surprises me is that they hit such a high port, they have to be probing every port.
(The router is set to redirect incoming tcp on that high port to the inside server at the same high port)
My IP address changed on the 7 and 8 of February, the hits increase on the 10th. It is possible that the previous user of that IP had a known domain.
Unlikely, unless you chose a well-known high number. Switch to a random one.
Good idea, I will do that.
Should I worry?
Depends what you've got being served by Apache and how well exploit-proofed it is.
I serve nothing, it is just a static index.html with a "hello you" line.
Should I try to implement something in the firewall that blocks IPs that attempt on vulnerabilities, somehow? If there is such a tool.
Why not just tell Apache to refuse all requests except those from your own IP addresses?
I don't have "my own IP address" :-)
Or just close the port in the router if you're not using it.
Possible, certainly. I was simply not expecting anyone to find it.
Can I know if they are attempting to access the URL by domain name or by IP address? Ie, what do they write exactly on the "browser". Or script.
No, requests are by IP. Their browser or whatever does the lookup. You can have Apache do a reverse lookup to see their domain if you wish.
Ah. No, not really interested in finding their domain. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)