How can I find what generates a NetScan Abuse and how to prevent it?

Vladimir Stanciu asked:

I have a VPS, on which I have some Docker containers running. From time to time I receive a message, similar to the one below, from my VPS provider that a NetScan abuse was detected from my server.
As can be seen, the source IP is my server’s IP, using random ports and trying to scan different local IPs on a fixed port. Sometimes it is a port used by my Docker containers, sometimes not.

>     #               Netscan detected from host     49.x.x.x               #
>     ##########################################################################
>
>     time                protocol src_ip src_port          dest_ip dest_port
>     ---------------------------------------------------------------------------
>     Mon Sep 14 16:22:53 2020 TCP     49.x.x.x 51360 =>  172.20.162.202 5432
>     Mon Sep 14 16:22:53 2020 TCP     49.x.x.x 40062 =>  172.20.162.216 5432
>     Mon Sep 14 16:22:53 2020 TCP     49.x.x.x 41904 =>  172.20.162.221 5432
>     Mon Sep 14 16:22:53 2020 TCP     49.x.x.x 56428 =>  172.20.162.230 5432
>     Mon Sep 14 16:22:53 2020 TCP     49.x.x.x 59682 =>  172.20.162.249 5432

And the list goes on…

My question is: how can I find out what triggers such behaviour and how can I prevent it?

LE: my `ip route` result:

    default via 172.31.1.1 dev eth0 proto dhcp metric 100
    49.x.x.x dev eth0 proto kernel scope link src 49.x.x.x metric 100
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
    172.31.1.1 dev eth0 proto dhcp scope link metric 100
    172.255.0.0/24 dev br-632ed70d0651 proto kernel scope link src 172.255.0.1
    172.255.1.0/24 dev br-0d6c24afff89 proto kernel scope link src 172.255.1.1

My answer:


Don’t try to route private IP addresses to the Internet. If that network is used by your Docker containers, make sure Docker is up and the virtual network was created correctly.


View the full question and any other answers on Server Fault.
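
An added example (not part of the original question or answer): a longest-prefix lookup over the `ip route` output from the question, showing that the reported 172.20.162.x destinations match no Docker bridge route and so fall through to the default route on eth0. The address 192.0.2.10 is a constructed stand-in for the redacted 49.x.x.x, and the function names are illustrative.

```python
import ipaddress

# Route table from the question's `ip route` output. 49.x.x.x is redacted on
# the page, so 192.0.2.10 is a constructed stand-in for it.
IP_ROUTE = """\
default via 172.31.1.1 dev eth0 proto dhcp metric 100
192.0.2.10 dev eth0 proto kernel scope link src 192.0.2.10 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.31.1.1 dev eth0 proto dhcp scope link metric 100
172.255.0.0/24 dev br-632ed70d0651 proto kernel scope link src 172.255.0.1
172.255.1.0/24 dev br-0d6c24afff89 proto kernel scope link src 172.255.1.1
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_routes(text):
    """Return (network, device, is_default) for each route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        is_default = fields[0] == "default"
        prefix = "0.0.0.0/0" if is_default else fields[0]  # bare host => /32
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev, is_default))
    return routes

def lookup(routes, dest):
    """Longest-prefix match; the 'linkdown' flag is not modelled here."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def leaks_to_uplink(routes, dest):
    """True if a private (RFC 1918) destination only matches the default route."""
    addr = ipaddress.ip_address(dest)
    route = lookup(routes, dest)
    return any(addr in n for n in RFC1918) and route is not None and route[2]

if __name__ == "__main__":
    table = parse_routes(IP_ROUTE)
    # Destinations taken from the abuse report quoted in the question.
    for dest in ("172.20.162.202", "172.20.162.216", "172.17.0.5"):
        net, dev, _ = lookup(table, dest)
        print(f"{dest:16} -> {dev:8} via {net}  leak={leaks_to_uplink(table, dest)}")
```

On a live host, `ip route get <address>` answers the same question for a single destination.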

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.