Hey folks, I own a website and recently dealt with a minor DDoS attack that took my server down for a few days. To manage it, I had to GeoIP ban entire countries which really helped, though it might not be the best long-term solution. Since then, I've been keeping an eye on my firewall logs for suspicious activity. Over the past couple of weeks, I've noticed a lot of probing attempts on port 42906 from various IP addresses, multiple times a minute. I've blocked this port on my firewall, but the probing keeps happening. I tried to look into what uses port 42906, but the information only indicates it's part of the ephemeral port range. I also see some TCP connections and a few UDP attempts as well. Any idea why there's so much happening on this particular port? My hardware firewall prevents these connections from reaching my actual server, so that port isn't open there either.
2 Answers
You might want to check if anything is actually listening on port 42906. If you're on a Linux setup, you can run `netstat -tap | grep 42906` or `lsof | grep 42906` to see if there's any process tied to that port. You could also try connecting to it with `nmap -p 42906 yourserverip` to verify if it's open or responding. That might give you a clearer picture of what's going on.
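Before checking for a listener, it also helps to characterise the probes from the firewall log itself: how many distinct sources, which protocol, how bursty they are, and whether the same number shows up as a source port on your own outbound connections, since 42906 sits in the ephemeral range. The script below is an added example, not from this thread or from pfSense; the log line format and the sample entries are constructed.

```python
import re
from collections import Counter

# Constructed sample firewall log (not real traffic). The line format
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# is an assumption; adapt LINE_RE to your firewall's real export format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 block tcp 198.51.100.7:51234 -> 203.0.113.5:42906
2024-05-01T10:00:14 block tcp 198.51.100.9:40001 -> 203.0.113.5:42906
2024-05-01T10:00:31 block udp 192.0.2.44:53 -> 203.0.113.5:42906
2024-05-01T10:00:45 block tcp 198.51.100.7:51235 -> 203.0.113.5:42906
2024-05-01T10:01:02 block tcp 198.51.100.12:2222 -> 203.0.113.5:42906
2024-05-01T10:01:10 pass tcp 203.0.113.5:42906 -> 192.0.2.10:443
2024-05-01T10:01:40 block tcp 198.51.100.7:51236 -> 203.0.113.5:42906
2024-05-01T10:02:05 block tcp 198.51.100.33:8080 -> 203.0.113.5:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_port(log_text, port):
    """Summarise blocked inbound hits on `port`: distinct sources, protocol mix,
    peak hits per minute, and how often the same number appears as the source
    port of our own permitted outbound connections (an ephemeral-port overlap
    that can explain stray inbound packets to that port)."""
    port = str(port)
    entries = list(parse(log_text))
    inbound = [e for e in entries if e["dport"] == port and e["action"] == "block"]
    per_source = Counter(e["src"] for e in inbound)
    per_proto = Counter(e["proto"] for e in inbound)
    per_minute = Counter(e["ts"][:16] for e in inbound)  # key: YYYY-MM-DDTHH:MM
    outbound = sum(1 for e in entries if e["sport"] == port and e["action"] == "pass")
    return {
        "total": len(inbound),
        "sources": len(per_source),
        "top_source": per_source.most_common(1)[0] if inbound else None,
        "per_proto": dict(per_proto),
        "peak_per_minute": max(per_minute.values()) if per_minute else 0,
        "outbound_using_port": outbound,
    }

if __name__ == "__main__":
    for key, value in summarize_port(SAMPLE_LOG, 42906).items():
        print(f"{key}: {value}")
```

A handful of sources each hitting the port a few times a minute reads like background scanning; one source dominating the count, or the port appearing as your own outbound source port, points to something different and worth tracing on the host.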
If you're serious about security, consider getting a web application firewall (WAF) service. It lets you manage traffic with easier whitelisting and blacklisting. It's particularly effective against various kinds of attacks and can alert you to suspicious activity. I had a similar experience and it saved me tons of hassle. Plus, they can help with zero-day exploits too.
I know Cloudflare offers this and I'm currently using their free plan. I read that you need to upgrade for the WAF features. My firewall is pfSense, which has been great, especially after using GeoIP blocking during my DDoS issue; it really stopped the flood of connections.
I already checked all my servers and there's nothing open on that port, so I’m not sure what’s triggering the probes.