The Community Forums


opendns port scanning

Discussion in 'Security' started by uk01, Jan 3, 2010.

  1. uk01

    uk01 Well-Known Member

    Hi, we are a web host and have received a lot of port scans to our new dedicated servers. Our firewall thinks requests from opendns are port scans and blocks the IP address 208.67.222.222.

    We researched further and found out they are not hackers, they are a reputable company. However, we wonder why so many requests are being sent to our servers. It's been 50+ within a 30-minute period. So you can understand why our firewall blocks the IP. The port scanning uses port 53 dns port and UDP - random ports (which is what triggers the scanning).

    I know this forum is about cpanel but I thought this would be an issue to raise with so many hosts using whm with csf firewall etc. I wonder if when a host blocks opendns IPs anyone using opendns can't access any of the websites stored with that host?

    I wonder if this is the reason so many users of opendns have problems accessing some websites? I wonder how many web hosts just leave this ip blocked, not knowing that it is for opendns.

    We would whitelist them, but need to understand first why this isn't something which is widely spoken of. I've spent hours on the internet and can't really find any info; it surprises me that this isn't an issue which opendns have a page on their site about - info for webhosts?

    My datacentre added the ips to the csf allow list but within minutes it blocked it again! But why are they port scanning in the first place? It says on the small bits of info I can find on their website, it is not port scans, they are answering requests at a different port or something, but who's making the requests, we didn't have this problem with the vps's?
     
    #1 uk01, Jan 3, 2010
    Last edited: Jan 3, 2010
  2. uk01

    uk01 Well-Known Member

    update

    Hi, got a rather sarcastic reply from a user at opendns, however he does provide some info once I get through his sarcasm...
    OpenDNS Community > Forums > Port Scanning

    It seems that what is triggering the port scans, is opendns responding to dns lookups by our server by existing web programs doing DNS lookups, especially reverse ones, e.g. against DNSBLs to prevent spam etc. We have recently turned on the spam database checks in csf firewall, and the amount of spam is drastically reduced, maybe it is this that is generating the dns lookups?

    FOUND THIS - IS THIS A VIABLE SOLUTION?
    Sysadmin: Iptables Block or open DNS / bind service port 53
     
    #2 uk01, Jan 3, 2010
    Last edited: Jan 3, 2010
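
Added example (not part of the original thread): a Python sketch that separates the pattern described in post #2, UDP packets with source port 53 arriving on random high ports from a resolver the server itself queries, from blocked traffic that looks like a scan. The log lines are constructed in iptables LOG style, and the `resolvers` set is an assumption standing in for the nameservers listed in the server's /etc/resolv.conf.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not taken from the thread); 192.0.2.10 is the server.
SAMPLE_LOG = """\
Jan  3 10:15:01 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41523 LEN=100
Jan  3 10:15:09 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=50211 LEN=84
Jan  3 10:15:30 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=33890 LEN=92
Jan  3 10:16:02 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Jan  3 10:16:02 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 SYN
Jan  3 10:16:03 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=3389 SYN
Jan  3 10:17:11 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=5060 LEN=60
Jan  3 10:17:11 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1900 LEN=60
Jan  3 10:17:12 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=11211 LEN=60
"""

FIELD = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")

def parse(line):
    """Return (src, proto, sport, dport), or None for lines without ports."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "SPT", "DPT"} <= f.keys():
        return None
    return f["SRC"], f["PROTO"], int(f["SPT"]), int(f["DPT"])

def classify(log_text, resolvers, min_hits=3):
    """Label each blocked source by the shape of its traffic."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, pkts in per_src.items():
        dports = {dport for _, _, dport in pkts}
        dns_shape = all(p == "UDP" and sp == 53 and dp >= 1024 for p, sp, dp in pkts)
        if len(pkts) < min_hits:
            verdicts[src] = "below-threshold"
        elif dns_shape and src in resolvers:
            verdicts[src] = "resolver-reply"
        elif dns_shape:
            # Source port 53 is chosen by the sender, so it proves nothing alone.
            verdicts[src] = "sport-53-non-resolver"
        elif len(dports) >= min_hits:
            verdicts[src] = "scan-like"
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG, {"208.67.222.222"}).items():
        print(src, verdict)
```

Only a source labelled `resolver-reply` matches the explanation given in the post; the same packet shape from an address the server never queries is kept separate because the source port alone does not identify a DNS server.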
  3. mambovince

    mambovince Well-Known Member

    I am also receiving plenty of port scanning email alerts.

    Are these false positives, a configuration issue or a bug in CSF?

    Many thanks,

    - Vince
     
  4. ModServ

    ModServ Well-Known Member

    Same as me

     
  5. mambovince

    mambovince Well-Known Member

    I'm hoping that either someone from cPanel support or Chirpy will reply to this topic and give us some insight.

    - Vince
     
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    By stock default, cPanel and WHM does not include firewall rules that would block activity such as port scanning; this is something that a system administrator would have set up or have handled by the unique firewall (e.g., iptables) configuration used on the system. If it is unknown why the system is configured that way I recommend escalating the issue to the upstream data center or server hosting provider as they will have full access to assist directly.

    If using CSF, a third-party software product, to manage iptables rules I recommend referring to the vendor's official web site and their available support channels for in-depth assistance with the configuration:
    http://www.configserver.com/cp/csf.html
    http://forum.configserver.com/
    http://www.configserver.com/contact.html
    http://www.configserver.com/support.html
     
  7. mambovince

    mambovince Well-Known Member

    Hi Don,
    Thanks for replying, already mentioned we are using CSF:
    And have tried asking same question on the developers forum :-(

    Thanks
     
  8. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Given the provided log information it appears the firewall configuration led to the traffic being blocked; if this was not desired I would believe it is a configuration issue within the firewall software and I would consider adjusting the firewall configuration so that it does not occur or is less likely to reoccur.
     