Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

unknown connection on my raspberry connected on the internet

I connected my Raspberry PI model B on my internet box (at SFR in France). My box redirect all request on its port 8080 to my raspberry on its port 8080 where I have an application which listen on port 8080. To access to my raspberry application which is a website, you must type the IP adress in your web explorer or type the DTDNS adress and access on the port 8080. (myip:8080 or myadress.dtdns.net:8080) I log every connection on my raspberry and then I have this result (all IP adress is unknown for me.

My question is : What are all these connections and where do they come from? Is it bot or other thing ? If you have any explanation, I'll take it. Is there some bot that scans every port on every IP address in the world? ?

years-month-day hours:minute:seconds : IP adress call ...
2016-03-30 07:48:47 : 93.174.93.94 call GET /
2016-03-30 11:19:13 : 202.62.86.140 call HEAD /manager/html
2016-03-30 15:41:23 : 104.148.71.133 call GET http://azenv.net/
2016-03-30 15:41:23 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 15:41:42 : 104.148.71.133 call GET http://domkrim.com/av.php
2016-03-30 15:41:43 : 104.148.71.133 call GET http://azenv.net/
2016-03-30 15:41:43 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 15:42:03 : 104.148.71.133 call GET http://proxyworld.perso.sfr.fr/azenv.php
2016-03-30 20:01:28 : 210.91.40.88 call GET //script
2016-03-30 20:01:29 : 210.91.40.88 call GET //script
2016-03-30 20:01:33 : 210.91.40.88 call GET //script
2016-03-30 20:01:35 : 210.91.40.88 call GET //script
2016-03-30 20:12:00 : 93.174.93.94 call GET /

2016-03-31 02:05:25 : 93.174.93.94 call GET /
2016-03-31 02:30:48 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:30:48 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://www.mesregies.com/azz.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://domkrim.av/.php
2016-03-31 02:31:08 : 104.148.71.133 call GET http://www.proxy-listen.de/azenv.php
2016-03-31 02:31:28 : 104.148.71.133 call GET http://www.proxyjudge.info/azenv.php

2016-03-31 08:24:50 : 222.186.34.155 call GET https://m.baidu.com/
2016-03-31 08:24:52 : 222.186.34.155 call GET https://m.baidu.com/
2016-03-31 08:24:52 : 222.186.34.155 call GET https://m.baidu.com/

2016-04-09 04:10:59 : 91.236.75.4 call GET http://www.google.com/reader/about/
2016-04-09 09:42:26 : 93.174.93.94 call GET /
2016-04-09 10:23:18 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:19 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:21 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:25 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:33 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 10:23:49 : 80.82.78.38 call GET http://www.baidu.com/cache/global/img/gs.gif
2016-04-09 19:57:09 : 146.0.43.8 call GET /
2016-04-09 20:57:08 : 93.174.93.94 call GET /
2016-04-10 03:16:35 : 185.92.72.15 call GET /
2016-04-10 03:16:35 : 185.92.72.15 call GET /HNAP1/
2016-04-10 11:52:40 : 91.236.75.4 call GET http://www.google.com/reader/about/ 
like image 497
dada17xs Avatar asked Apr 10 '16 13:04

dada17xs


People also ask

What connections are on a Raspberry Pi?

Raspberry Pi 4 Tech Specs2 USB 3.0 ports; 2 USB 2.0 ports.

How do I access my Raspberry Pi outside local network?

Connect Raspberry Pi Remotely Over Internet Just click the terminal icon next to your device. It will open up a new window for SSH access to your device. Provide your Raspberry Pi login credentials there to access your Pi shell. You'll be logged into your device and put in a shell prompt.

Can Raspberry Pi connect to public WiFi?

use a serial cable with your Raspberry Pi. setup a public WiFi network in the command line. use the command line browser w3m to connect to a public WiFi network.


1 Answers

they are trying to find vulnerability in your server. I see those every day in my server.

Remember: not indexing an IP address is not an security improvement: botnets which are trying to attack users don't care about dns, but ip. It's like your home: your street and your address are public, but it's better keeping doors closed.

What i see every day are bots which make dictionary attacks on ssh and common vulnerabilities checks on 80 and 8080 ports.

Very often, bots are iot devices with upnp enabled and DEFAULT admin login unchanged. Sometimes, they are raspberry pi (and similar) with default login data.

So, the best counter-measure you can do is change default logins, disable upnp if you don't need and, if you can do, disable login for common users (like root, admin, pi, ecc)

Adding some characters before your username (like changing pi to user_pi) can help you against dictionary attacks (pre-programmed username/password combinations), but an strong password is the best. Using an localized name won't work: sometimes bots try different dictionary according to your ip location.

like image 186
Marco P Avatar answered Nov 15 '22 03:11

Marco P