m-lab / k8s-support

Setup for the kubernetes systems to control and run all the MLab nodes around the world
Apache License 2.0

Public port scanning and alerting #836

Open stephen-soltesz opened 1 year ago

stephen-soltesz commented 1 year ago

There is a short list of public ports on M-Lab nodes. Ideally, we would have a continuous monitoring mechanism that reported all listening ports and alerted when any unexpected ports became open. This might either be due to a new service (which we expect) or an undocumented feature of a new service (which we don't expect) or (worst case) some compromise.

stephen-soltesz commented 1 year ago

Note: the mechanism of implementation need not be literally port scanning. We could have sidecar containers (maybe they already exist) to look at /proc/net/tcp or tcp6 for listening ports on public addresses and export metrics that are collected normally.
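A sidecar of the kind the comment above describes would decode the kernel's socket tables directly rather than scanning from outside. The following is an added illustration (not code from the k8s-support repository): it parses `/proc/net/tcp` and `/proc/net/tcp6`, keeps only sockets in the LISTEN state that are bound to a wildcard or globally routable address, and reports any port not on an allowlist. The sample table contents and the allowlist are constructed.

```python
import ipaddress
from typing import Dict, Set

LISTEN = "0A"  # st column value for TCP_LISTEN in /proc/net/tcp{,6}

# Constructed sample of /proc/net/tcp: sshd on 0.0.0.0:22, a loopback-only
# service on 127.0.0.1:9999, something on 0.0.0.0:8080, and one ESTABLISHED row.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0A000002:0016 C0A80001:D431 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample of /proc/net/tcp6: [::]:443 and [::1]:80, both listening.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 100 0 0 10 0
"""

def _parse_addr(hex_addr: str) -> ipaddress._BaseAddress:
    """The kernel prints each 32-bit word of the address in host (little-endian) byte order."""
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    return ipaddress.ip_address(b"".join(bytes.fromhex(w)[::-1] for w in words))

def listening_ports(table: str) -> Dict[int, Set[str]]:
    """Map each LISTEN port to the set of local addresses it is bound to."""
    result: Dict[int, Set[str]] = {}
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        result.setdefault(int(port_hex, 16), set()).add(str(_parse_addr(addr_hex)))
    return result

def publicly_reachable(addrs: Set[str]) -> bool:
    """Treat a wildcard bind (0.0.0.0 or ::) or a globally routable address as public."""
    return any(ipaddress.ip_address(a).is_unspecified or ipaddress.ip_address(a).is_global
               for a in addrs)

def unexpected_public_ports(tcp4: str, tcp6: str, allowed: Set[int]) -> Set[int]:
    """Ports listening on a public address that are not in the documented allowlist."""
    merged = listening_ports(tcp4)
    for port, addrs in listening_ports(tcp6).items():
        merged.setdefault(port, set()).update(addrs)
    return {p for p, a in merged.items() if publicly_reachable(a) and p not in allowed}
```

On a real node the two tables would be read from `/proc/net/tcp` and `/proc/net/tcp6`, and the returned set is what a metric exporter would turn into a gauge for alerting.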