On Sat, 20 Feb 2021 20:35:23 +0100 (CET)
"Carlos E. R."
I was playing some time ago with a little server, running Apache, in a dynamic home address.
And using a very high port, to avoid scans.
I forgot about it.
Then the other day, I wanted to share a file using my server, and noticed that Apache was being hit, with "stupid" requests. Well, not stupid, they are probably probing vulnerabilities.
What surprises me is that they hit such a high port; they have to be probing every port.
(The router is set to redirect incoming TCP on that high port to the inside server at the same high port.)
My IP address changed on the 7th and 8th of February; the hits increased on the 10th. It is possible that the previous user of that IP had a known domain.
Unlikely, unless you chose a well-known high number. Switch to a random one.
Should I worry?
Depends what you've got being served by Apache and how well exploit-proofed it is.
Should I try to implement something in the firewall that blocks IPs that attempt on vulnerabilities, somehow? If there is such a tool.
Why not just tell Apache to refuse all requests except those from your own IP addresses? Or just close the port in the router if you're not using it.
Can I know if they are attempting to access the URL by domain name or by IP address? I.e., what do they write exactly on the "browser". Or script.
No, requests are by IP. Their browser or whatever does the lookup. You can have Apache do a reverse lookup to see their domain if you wish.
Excerpt from /var/log/apache2/access_log:
[snip]
--
Cheers
Carlos E. R. (from 15.2 x86_64 at Telcontar)
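
An added example, not part of the thread and not code from either poster: one way to answer the "which IPs are probing?" question from the access_log before deciding what to block. It assumes Apache's common/combined log format; the sample lines, the addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3})\b')

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:03:12:01 +0100] "GET /wp-login.php HTTP/1.1" 404 196
203.0.113.7 - - [10/Feb/2021:03:12:02 +0100] "GET /.env HTTP/1.1" 404 196
203.0.113.7 - - [10/Feb/2021:03:12:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Feb/2021:03:12:03 +0100] "POST /cgi-bin/test.cgi HTTP/1.1" 403 199
198.51.100.20 - - [10/Feb/2021:09:30:11 +0100] "GET /files/photo.jpg HTTP/1.1" 200 48213
198.51.100.20 - - [10/Feb/2021:09:30:15 +0100] "GET /favicon.ico HTTP/1.1" 404 196
192.0.2.44 - - [10/Feb/2021:11:02:40 +0100] "\\x16\\x03\\x01" 400 226
this line is not a log entry
"""

def summarize(log_text):
    """Return ({ip: {"total", "errors", "paths"}}, number_of_unparsed_lines)."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep count instead of silently dropping
            continue
        entry = stats[m["ip"]]
        entry["total"] += 1
        if m["status"].startswith("4"):
            entry["errors"] += 1
        parts = m["request"].split()
        # A well-formed request line is "METHOD PATH PROTOCOL"; keep anything else whole.
        entry["paths"].add(parts[1] if len(parts) == 3 else m["request"])
    return dict(stats), unparsed

def suspects(stats, min_requests=3, min_error_ratio=0.75):
    """Clients with enough requests, nearly all of them answered with a 4xx."""
    return sorted(ip for ip, s in stats.items()
                  if s["total"] >= min_requests
                  and s["errors"] / s["total"] >= min_error_ratio)

if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        print(ip, stats[ip]["total"], "requests,", len(stats[ip]["paths"]), "distinct paths")
    print("unparsed lines:", unparsed)
```

The minimum-request threshold keeps a single stray 404 (a missing favicon, say) from flagging a legitimate visitor.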