I've just installed an out-of-the-box Ubuntu 24.04 LTS box. I've set the iptables OUTPUT chain to log (and drop) suspicious activity. I've noticed some.
I look up the IPs on AbuseIPDB, and get the following report:
IP address: 103.203.57.21
{
  "data": {
    "abuseConfidenceScore": 100,
    "countryCode": "CN",
    "domain": "ipip.net",
    "hostnames": [
      "scan-57-21.security.ipip.net"
    ],
    "ipAddress": "103.203.57.21",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "Beijing Tiantexin Tech. Co. Ltd.",
    "lastReportedAt": "2024-10-07T10:04:10+00:00",
    "numDistinctUsers": 60,
    "totalReports": 3564,
    "usageType": "Data Center/Web Hosting/Transit"
  }
}
There are lots more from LT, CN, GP, and DE. They seem to be hitting ports 22, 80, and 443.
There is no corresponding traffic on INPUT, so obviously, these OUTPUT requests are internally generated.
Obviously, these are security issues. How do I resolve them? Has someone else seen this?
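The first thing to establish from the dropped OUTPUT entries is which local process owns the connections, not just where they go. The following is an added triage helper, not code from the post or from Ubuntu; it assumes the LOG rule was created with the `--log-uid` option (so each kernel line carries the socket owner's UID), uses a hypothetical `OUTPUT-DROP:` log prefix, and runs over constructed sample log lines and constructed AbuseIPDB-style reports shaped like the one quoted above. It aggregates attempts per destination and port, joins them with the abuse scores, and reports the UIDs to chase with `ps -u <uid>` and `ss -tnp`.

```python
"""Triage helper for iptables OUTPUT-chain LOG entries.

Added example, not part of the original post. Assumes a rule such as
  iptables -A OUTPUT ... -j LOG --log-prefix "OUTPUT-DROP: " --log-uid
so that every kernel log line carries DST/DPT and the UID of the socket owner.
The prefix, function names, sample lines and sample reports are constructed.
"""
import re
from collections import defaultdict

# Constructed sample kernel log lines (not captured traffic). The UID/GID
# fields are present only when the LOG rule was created with --log-uid.
SAMPLE_LOG = """\
Oct  7 10:04:10 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=103.203.57.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Oct  7 10:04:12 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=103.203.57.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Oct  7 10:05:01 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=0 GID=0
Oct  7 10:05:03 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 UID=101 GID=102
Oct  7 10:05:04 host systemd[1]: Started some unrelated unit.
"""

# Constructed AbuseIPDB-style reports, shaped like the one quoted in the post.
# 198.51.100.7 is a documentation address (RFC 5737), used here as a benign peer.
SAMPLE_REPORTS = {
    "103.203.57.21": {"data": {"abuseConfidenceScore": 100, "countryCode": "CN", "totalReports": 3564}},
    "198.51.100.7": {"data": {"abuseConfidenceScore": 5, "countryCode": "DE", "totalReports": 2}},
}

# Matches the KEY=value tokens the kernel LOG target emits (IN=, DST=, DPT=, UID=, ...).
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix="OUTPUT-DROP:"):
    """Return the KEY=value fields of one LOG line, or None if the line is not
    one of ours. A later duplicate key (UDP lines carry LEN twice) overwrites
    the earlier one; the fields used here (DST, DPT, PROTO, UID) occur once."""
    if prefix not in line:
        return None
    fields = dict(_KV.findall(line.split(prefix, 1)[1]))
    if "DST" not in fields or "DPT" not in fields:
        return None
    return fields


def summarize(log_text, prefix="OUTPUT-DROP:"):
    """Aggregate dropped outbound attempts by (destination IP, protocol, port).

    Returns {(dst, proto, dport): {"count": n, "uids": {owning UIDs}}}.
    """
    summary = defaultdict(lambda: {"count": 0, "uids": set()})
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        key = (fields["DST"], fields.get("PROTO", "?"), int(fields["DPT"]))
        entry = summary[key]
        entry["count"] += 1
        if "UID" in fields:
            entry["uids"].add(int(fields["UID"]))
    return dict(summary)


def flag_destinations(summary, reports, threshold=90):
    """Join the aggregate with AbuseIPDB-style reports and return destinations
    whose abuseConfidenceScore is at or above the threshold, busiest first.

    Each finding lists the local UIDs that opened the connections: that UID is
    the lead for `ps -u <uid>` and `ss -tnp` to name the originating process.
    """
    findings = []
    for (dst, proto, dport), entry in summary.items():
        score = reports.get(dst, {}).get("data", {}).get("abuseConfidenceScore", 0)
        if score >= threshold:
            findings.append({
                "dst": dst, "proto": proto, "dport": dport,
                "count": entry["count"], "uids": sorted(entry["uids"]), "score": score,
            })
    return sorted(findings, key=lambda f: (-f["count"], f["dst"], f["dport"]))


if __name__ == "__main__":
    for f in flag_destinations(summarize(SAMPLE_LOG), SAMPLE_REPORTS):
        print(f"{f['dst']}:{f['dport']}/{f['proto']} x{f['count']} uids={f['uids']} score={f['score']}")
```

On a live system the input would be `journalctl -k` or `dmesg` output rather than the embedded sample. A destination with a high score reached by UID 0 or by a service account the owner did not create is the finding to investigate first; a connection owned by an ordinary user's browser or package manager is usually benign and just needs an allow rule.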