Abuse complaint : netscanout
-
I'm hosting my Cloudron on Hetzner.
I have not made any major changes in the last few days.
Suddenly received abuse complaint from Hetzner saying that something is doing a portscan.
Any ideas on:
- what might be doing this?
- how can I track down the app / process?
I have done
netstat -anp
but can't process the tonne of info generated. I need to make a response which will depend on what app is doing this.
Info from Hetzner is poor (well maybe it's all they have):
> ##########################################################################
> # Netscan detected from host 88.99.143.85 #
> ##########################################################################
>
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Thu May 4 15:11:55 2023 TCP 88.99.143.85 50686 => 1.2.3.4 80
> Thu May 4 15:11:58 2023 TCP 88.99.143.85 50686 => 1.2.3.4 80
> Thu May 4 15:11:51 2023 TCP 88.99.143.85 36084 => 6.6.6.6 80
> Thu May 4 15:11:49 2023 TCP 88.99.143.85 47388 => 10.0.0.21 80

.... and so on
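One way to cut the `netstat -anp` output from the first post down to a per-process summary, as an added example that is not part of the original thread: it counts distinct remote IPs and half-open (SYN_SENT) sockets per PID, so a process fanning out to many hosts sorts to the top. The function names and the PIDs, program names and addresses in the sample are constructed.

```shell
#!/usr/bin/env bash
# Usage on the host (root is needed to see PIDs owned by other users):
#   netstat -anp | fanout_by_process
# Output columns: distinct_remote_ips  syn_sent_sockets  PID/Program

fanout_by_process() {
  awk '
    # TCP rows only; listeners have no remote peer worth counting.
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      peer = $5
      sub(/:[0-9*]+$/, "", peer)        # drop the port (IPv4 and IPv6)
      if (peer == "" || peer == "0.0.0.0" || peer == "::" ||
          peer ~ /^127\./ || peer == "::1") next
      proc = $7                          # "PID/Program", or "-" if hidden
      if (!((proc, peer) in seen)) { seen[proc, peer] = 1; ips[proc]++ }
      if ($6 == "SYN_SENT") syn[proc]++  # half-open: typical of scanning
    }
    END {
      for (p in ips) printf "%d %d %s\n", ips[p], syn[p] + 0, p
    }
  ' | sort -k1,1nr -k2,2nr
}

# Constructed sample in `netstat -anp` layout (documentation IP ranges).
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp        0      0 203.0.113.10:22         198.51.100.7:51514      ESTABLISHED 900/sshd
tcp        0      1 203.0.113.10:50686      192.0.2.1:80            SYN_SENT    4242/example-app
tcp        0      1 203.0.113.10:50686      192.0.2.2:80            SYN_SENT    4242/example-app
tcp        0      1 203.0.113.10:36084      192.0.2.3:80            SYN_SENT    4242/example-app
tcp        0      0 203.0.113.10:47388      192.0.2.3:80            ESTABLISHED 4242/example-app
tcp6       0      0 :::443                  :::*                    LISTEN      1500/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/systemd-network
EOF
}

# Run with --demo to see the summary for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  sample_netstat | fanout_by_process
fi
```

A snapshot only catches connections that exist at that moment, so it may need repeating while the traffic is happening. Sockets opened inside a container's own network namespace do not appear in the host's `netstat` output, so an empty result here does not clear containerised apps.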
-
Using Meeting software a lot? Like Jitsi and stuff?
-
I have jitsi installed but I haven't used it in days.
Trying to analyse
ps -aux
but it's 1200 lines, most of it is familiar, needle in haystack time.
-
@timconsidine said in Abuse complaint : netscanout:
> I have jitsi installed but I haven't used it in days.
Can people start meetings without having to login? If so, other people may be using it?
-
@jdaviescoates said in Abuse complaint : netscanout:
> Can people start meetings without having to login?
That's a very good point.
Thank you
Let me check.
-
The only other thing I can guess at is that I reinstalled SYNCTHING.
(so I lied when I said I didn't change much)
The new installation has a Global Discovery field set to default
which I understand means that it will hunt out for friends to talk to.
I've changed this to a specific value (the app address itself only) and disabled relaying.
Seems still to work, but will test further.
-
And I have deleted Jitsi for the moment.
Not being used much currently.
Will reinstall when I have time to get my head around securing it.
So will close this now.