stayintarkov / SIT.Manager.Avalonia

MIT License

Abusive IPs targeting SIT server #230

Closed Brydom closed 2 months ago

Brydom commented 2 months ago

Hi all, I know this isn't the correct repo for the server, but issues are not supported on the others. These malicious IPs were not targeting our server prior to running the Docker image for SIT.

I was hoping I could get some insight as to why this is happening, or advice on how to prevent it. It looks like many of the IPs are linked to port scanning, hacking and DDoS attacks.

| Source IP | Date | Time | Message |
|---|---|---|---|
| 176.113.115.104 | 04/29 | 9:25am | We've blocked a known malicious IP from Hong Kong from accessing this device. |
| 103.56.61.130 | 04/28 | 9:03am | We've blocked a known malicious IP from China from accessing this device. |
| 185.161.248.148 | 04/28 | 5:39am | We've blocked a known malicious IP from Russian Federation from accessing this device. |
| 162.216.149.155 | 04/26 | 4:36am | We've blocked a known malicious IP from United States from accessing this device. |
| 18.216.180.159 | 04/26 | 3:55am | We've blocked a known malicious IP from United States from accessing this device. |
| 176.111.174.69 | 04/25 | 2:01pm | We've blocked a known malicious IP from Russian Federation from accessing this device. |

apfaffman commented 2 months ago

This is a risk inherent in opening inbound ports; this is exactly why. Just because you are hosting the server in a container does not affect the number of attackers trying to brute-force their way in.

If anything, I might guess attackers have adjusted their methods to account for the sheer number of firewalls that are now forwarding 6969-6972 over the weekend.

Brydom commented 2 months ago

Thanks @apfaffman - I'm going to look into getting this on a VPS for now. It may be a good idea for a maintainer to recommend something like that in the docs.

My networking knowledge isn't the best, so it was unclear to me whether this was something potentially abusive from SIT or just an inherent risk.

devbence commented 2 months ago

Hello. As far as I know these ports have been/are being used for different applications as well, so I would not go and make assumptions; a lot of companies have software and servers all over the world whose sole purpose is just that: scan networks, find something that should not be there, and let you/your provider know it is happening.

Everything we do is open source and can be found in our repos. The external calls we make are solely to determine your IP address; we don't store it, and we don't send it back to some nasty backend. These functions are there to provide a seamless experience (e.g. no need to grab your IP yourself; it happens automagically, gets removed from logs, etc.).

Feel free to DM me on Discord any time (bullet1337); I can help you clarify it more if needed, and we can surely help with setting firewall rules to let only the people you play with connect to those ports.

Since this is not a Manager issue, I'm closing it.
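The allowlist firewall that devbence offers to help with, and the 6969-6972 port range apfaffman mentions, as an added example that is not part of this thread or of the SIT project's code: a POSIX shell script that turns a file of player IPs into an nftables ruleset which accepts those sources on the SIT ports and drops everyone else. It assumes the host and container port numbers are the same, that the server is on a Linux host with nftables, and the port range from the thread; the addresses in the demo allowlist are constructed documentation addresses, not real players. The script only prints the ruleset; apply it with `nft -f` once you have read it.

```shell
#!/bin/sh
# Added example, not SIT project code. Generates (does not apply) an nftables ruleset
# that lets only an allowlist of player IPs reach the SIT ports and drops every other
# source on those ports. Assumptions: ports 6969-6972 (from the thread), host port ==
# container port, nftables available. Apply with:  ./allowlist.sh players.txt | nft -f -
set -eu

SIT_PORTS="6969-6972"   # assumption: the range forwarded in the thread

# valid_ipv4_cidr ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/n with octets 0-255, n 0-32
valid_ipv4_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  printf '%s\n' "${1%%/*}" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1 }'
}

# gen_sit_ruleset ALLOWLIST_FILE -> nftables ruleset on stdout, exit 1 on a bad/empty list.
# The file holds one IPv4 address or CIDR per line; blank lines and '#' comments are ignored.
gen_sit_ruleset() {
  allowlist=$1
  elements=""
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$entry" ] && continue
    if ! valid_ipv4_cidr "$entry"; then
      printf 'bad allowlist entry: %s\n' "$entry" >&2
      return 1
    fi
    elements="${elements:+$elements, }$entry"
  done < "$allowlist"
  if [ -z "$elements" ]; then
    printf 'allowlist is empty; refusing to emit a rule that drops everyone\n' >&2
    return 1
  fi
  cat <<EOF
table inet sit_filter {
  set players {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  # Server bound directly on the host (or --network host): traffic hits the input hook.
  chain input {
    type filter hook input priority -10; policy accept;
    tcp dport $SIT_PORTS ip saddr @players accept
    udp dport $SIT_PORTS ip saddr @players accept
    tcp dport $SIT_PORTS counter drop
    udp dport $SIT_PORTS counter drop
  }
  # Ports published with docker -p are DNATed in prerouting and then traverse the
  # forward hook, not input, so the same rules are repeated there. Priority -10 runs
  # before Docker's own filter rules at priority 0.
  chain forward {
    type filter hook forward priority -10; policy accept;
    tcp dport $SIT_PORTS ip saddr @players accept
    udp dport $SIT_PORTS ip saddr @players accept
    tcp dport $SIT_PORTS counter drop
    udp dport $SIT_PORTS counter drop
  }
}
EOF
}

# Demo with a constructed allowlist (RFC 5737 documentation addresses, not real players).
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
# people I play with
203.0.113.7          # friend 1
198.51.100.0/24      # LAN party range
EOF
gen_sit_ruleset "$demo_list"
rm -f "$demo_list"
```

Two design points worth noting. The script refuses an empty allowlist, because the drop rules would then cut off every player rather than fail open, and it rejects any malformed entry instead of silently skipping it, since a typo in the allowlist is the same as locking a friend out. The `ip saddr` match only fires for IPv4, so IPv6 packets to the SIT ports fall through to the drop rules; if players connect over IPv6, add an `ip6 saddr` set alongside. Check the live counters with `nft list table inet sit_filter` to see how much of the scanner traffic from the opening post is being dropped.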