3

I just installed UFW firewall on my Ubuntu VPS, and now I my log shows a lot of incoming traffic punting on port 23. Like this:

kernel: [  670.832245] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=43 ID=2909 PROTO=TCP SPT=27941 DPT=23 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  716.494214] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=44 ID=2909 PROTO=TCP SPT=27941 DPT=2323 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  716.957063] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=43 ID=2909 PROTO=TCP SPT=27941 DPT=23 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  746.837251] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=43 ID=2909 PROTO=TCP SPT=27941 DPT=23 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  752.049313] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=43 ID=2909 PROTO=TCP SPT=27941 DPT=23 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  771.616696] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=106.104.138.28 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=43 ID=2909 PROTO=TCP SPT=27941 DPT=23 WINDOW=44045 RES=0x00 SYN URGP=0 
kernel: [  855.170118] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=109.201.140.38 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=58674 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0 
kernel: [  862.272265] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=118.68.70.89 DST=xxx LEN=40 TOS
=0x00 PREC=0x00 TTL=237 ID=5721 PROTO=TCP SPT=15509 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
kernel: [  883.299636] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=176.8.70.68 DST=xxx LEN=40 TOS=
0x00 PREC=0x00 TTL=245 ID=51761 PROTO=TCP SPT=17540 DPT=23 WINDOW=21654 RES=0x00 SYN URGP=0 
kernel: [  908.720735] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=122.117.201.94 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=45 ID=65516 PROTO=TCP SPT=34958 DPT=23 WINDOW=37782 RES=0x00 SYN URGP=0 
kernel: [  951.441094] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=119.179.205.34 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=233 ID=37432 PROTO=TCP SPT=29267 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 
kernel: [ 1019.290302] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=187.161.189.63 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=231 ID=33719 PROTO=TCP SPT=46167 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
kernel: [ 1097.190270] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=58.123.113.149 DST=xxx LEN=122
TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=47005 DPT=1900 LEN=102 
kernel: [ 1098.860511] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=125.111.4.204 DST=xxx LEN=40 TO
S=0x00 PREC=0xE0 TTL=234 ID=5380 PROTO=TCP SPT=20370 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
kernel: [ 1129.143276] [UFW BLOCK] IN=eth0 OUT= MAC=fa:16:3e:e6:7f:12:5e:f8:f0:c1:28:31:08:00 SRC=148.75.152.245 DST=xxx LEN=40 T
OS=0x00 PREC=0x00 TTL=239 ID=8596 PROTO=TCP SPT=1331 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

What is this and how can I stop it?

amc
  • 7,142
Letizia Rossi
  • 33

3 Answers3

3

Port 23 is for telnet connections. Telnet is the old protocol to open a text terminal on another machine and run commands there. Old and totally insecure.

Since you are on a VPS, you are quite simply being attacked by many machines from all over the world. They permanently try to open Telnet (and SSH) connections on all machines they can find, and there is nothing you can do about them. Just make sure you only run services that you truly need, and that those services are well secured. In particular, use a very strong SSH password, and preferably, disable SSH passwords and use a public/private key pair.

If the log bothers you, you can quite simply remove the firewall rule. Just make sure you have no program listening on port 23, and you will be fine.

The command netstat -l -n -A inet will list all Internet ports that are currently open on your server. On a basic server, you should only have port 22 (SSH), port 123 (NTP) and ports for the services you explicitly intend to offer (for example, port 80 and/or 443 for a web server).

Adrien Beau
  • 1,916
  • I have only 80, 443 and SSH port enabled, nothing more...So, this is just an scanner activity? – Letizia Rossi Dec 15 '16 at 12:48
  • Correct. You will also soon notice thousands of connection attempts over SSH, so make sure you have an excellent password or, even better, use public/private key. You can also install Fail2ban, which scans log files and automatically bans IPs that are attacking you (but be careful not to lock yourself out of your machine). – Adrien Beau Dec 15 '16 at 12:51
1

Looking at those src-ip, connections seem to come outside your own network. There isn't much you can do, so just keep your firewalls up and don't send responses to those requests.

My bet is that they are looking for misconfigured modems to hi-jack.

Ville
  • 129
1

Welcome to the Internet!

Anybody in the world can try to connect to your server on any port they like, and see what happens. You cannot stop them, but you can use a firewall to make sure that all they get is a "connection refused" message, like this:

firas@momiji ~ % telnet -4 itsuki.fkraiem.org 23
Trying 91.121.157.10...
telnet: Unable to connect to remote host: Connection refused

This seems to be what you are doing, so that's great, you can safely carry on with your business.

fkraiem
  • 12,555
  • 4
  • 35
  • 40