My servers that have been around for a while get thousands of scans per day. In fact I am going to move away from crowdsec because I exceed the free limits on log entries within the first day of the month usually, sometimes just an hour or so. I mean it still works and blocks stuff, but the web portal is basically useless for any research into what I need to give attention to. That and the fact that you can no longer delete decisions on the web portal with the free account.
It wasn't a script kiddy. It wasn't even a human. You are going to be a very busy individual if you decide to report every port scan you find.
I think a lot of people understandably misunderstand this post because it doesn't really explain the situation. After reading OP's comments I gather that OP put a new server online (not on AWS) and was immediately port scanned by a host that is on AWS. Since OP did not consent to being port scanned, they filled out an abuse complaint with AWS, the hoster the scan came from, out of principle, knowing that it probably won't do much. Which is totally fine if that is how you want to spend your time.
I think what most commenters thought is that OP was hosting with AWS and complained to them that someone else scanned their server. This does not seem to be the case.
Absolutely not — the issue here is OP knowingly submitting false abuse reports.
Port scans of public hosts are not considered abuse per the CFAA or Amazon’s AUP without other accompanying signs of malicious intent.
Amazon may take action against egregious mass-scanning offenders per the “…to violate the security, integrity, or availability of any user, network…” verbiage of the AUP, especially if they’re fingerprinting services or engaging in more sophisticated recon, but OP’s complaints are nowhere near meeting that threshold.
Uh sorry dude, but no this isn't a script kiddy, these are bots that scan every IP address every day for any open ports, it's a constant thing. If you have a public IP, you have people, govs, nefarious groups scanning it. AWS will tell you the same as if you were hosting it locally, close up the ports, put it on a private network. Use a vpc and WAF in AWS' case.
I get scanned constantly. Every hour of every day dark forced attempt to penetrate our defences.
I have 750 bots stuck in HTTP tarpits right now, and another 13 stuck in an SSH tarpit.
You can fight back! If we all fight back just a little bit, then mass-scanning and scraping becomes too expensive to do.
Amen
If I showed you my WAN-side firewall logs you'd have a panic attack. I have a /29 block and about 10 scans tap one IP or another every second. It's part of being on the internet.
Your domestic home router experiences the exact same thing. Every moment of every day.
Will you report every scan? Every Chinese IP? Every US IP? It's completely common place to have someone 'knock on the door'.
Get off IPv4 anyway and onto IPv6. Good luck to them finding you by chance in there.
I ran a Tor relay on one of my spare servers for a while, and my god did that thing get port scanned. Even two years after I stopped hosting the relay, it was still getting pinged every 5-10 seconds (while my other servers tend to get pinged "only" once every 20-30 seconds).
Switch to IPv6 only and the port scans will go away. The address space is so big that port scanning is difficult, so the usual bots don't bother.
Sure but there are just some things you can’t run over ipv6
Such as?
Some game servers, some ISPs don't provide IPv6 for (some of) their customers.
Ah game servers yes that's fair. I found that with Astroneer. If the ISP doesn't provide V6 though it's time to switch ISPs.
Majority of traffic to Google is now V6 in most countries. Globally it's still just under 50%. https://www.google.com/intl/en/ipv6/statistics.html
> If the ISP doesn't provide V6 though it's time to switch ISPs.
cries in USA
You could always get a tunneled V6 line but it's a lot of hassle for something you should have by default.
Us europoors may not have golden toilet seats and medical insurance, or V8 Chevvies, or American Size Mayonnaise, but we have our 2a02:7892:1234:::/64!!!!!
Monopolistic control of buildings by one ISP is illegal in most Euro countries :D
Yup, we don't have IPv6, so we'd need a VPN or something to do that.
Trying to learn here, are these SSH login attempts on the root user? If not, is it just the firewall logs?
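Added example, not part of any comment in this thread: the question above separates SSH login attempts from firewall log entries, and this sketch does the same over constructed log lines, so sources that only probe ports are counted apart from those that reached sshd and tried credentials. The OpenSSH `Failed password` format is standard; the `FW-DROP` firewall log prefix, the `scan_ports` threshold and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = """\
Mar  3 10:00:01 host kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:00:01 host kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80 SYN
Mar  3 10:00:02 host kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=3389 SYN
Mar  3 10:00:05 host sshd[811]: Failed password for root from 192.0.2.44 port 51122 ssh2
Mar  3 10:00:06 host sshd[811]: Failed password for invalid user admin from 192.0.2.44 port 51123 ssh2
Mar  3 10:00:09 host sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:00:11 host kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40100 DPT=23 SYN
"""

# Firewall LOG line: source address and destination port of a dropped packet.
FW_RE = re.compile(r"kernel: .*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)")
# sshd line: a credential was actually submitted and rejected.
SSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def triage(text, scan_ports=3):
    """Return {source_ip: summary}, separating probes from login attempts."""
    ports = defaultdict(set)    # firewall log: distinct ports probed per source
    users = defaultdict(list)   # auth log: usernames tried per source
    for line in text.splitlines():
        if m := FW_RE.search(line):
            ports[m["src"]].add(int(m["dpt"]))
        elif m := SSH_RE.search(line):
            users[m["src"]].append(m["user"])
    report = {}
    for src in sorted(set(ports) | set(users)):
        if users[src]:
            kind = "ssh-login-attempts"   # reached sshd and tried credentials
        elif len(ports[src]) >= scan_ports:
            kind = "port-scan"            # several ports probed, no login tried
        else:
            kind = "single-probe"
        report[src] = {"kind": kind, "ports": sorted(ports[src]),
                       "users": users[src], "root_tried": "root" in users[src]}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, info)
```

Successful logins (the `Accepted publickey` line) are deliberately left out of the report, so it lists only unsolicited sources.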
Haha, I get one of those every other day.
Remember to also report ssh login attempts and unauthorized wordpress access (even if wordpress isn't installed).
Also, all spam messages.
I am reminded of a Richard Pryor skit in which he tells about a football player he knew who bit the fingers off of an opponent who was trying to gouge his eyes through his helmet. When Pryor asked him why he bit the guy's fingers off he said 'Everything outside the mask is his. Everything inside the mask is mine.'