

Ask HN: Unknown IPs visiting my mock web app. Should I be worried? - S4M

I am renting a VM at Digital Ocean to make a small web app. Nothing is ready yet and I have only given the link to some friends, and today while checking my log I saw something like:

    INFO:werkzeug:186.237.38.73 - - [14/May/2014 01:14:17] "GET /webman/info.cgi?host=HTTP/1.0" 404 -
    INFO:werkzeug:125.108.128.98 - - [14/May/2014 08:48:10] "GET /webman/info.cgi?host= HTTP/1.0" 404 -
    INFO:werkzeug:198.20.70.114 - - [14/May/2014 09:42:07] "GET / HTTP/1.1" 200 -
    INFO:werkzeug:198.20.70.114 - - [14/May/2014 09:42:07] "GET /robots.txt HTTP/1.1" 404 -

Those IPs seem to be from Brazil, which is not where I or the friends I gave my link to are from. I suspect they are people trying to see if my VM is hackable, but I don't have the technical knowledge to see exactly what they want and how I can prevent them from taking control of my VM. For example, do I need to set up robots.txt or webman/info.cgi?host= ?
======
theonewolf
Hi, it is more than likely hackers attempting to exploit your system.

This looks like it is probably an automated bot scanning your server.

The best suggestion? Don't expose non-production-ready web apps to the
Internet.

Use port-forwarding via ssh to selectively expose things.

If you haven't already, also immediately turn on your firewall in the VM (make
sure port 22 is open for ssh).

~~~
theonewolf
One more thought: check /var/log/auth.log

You will probably see lots of attempts to log into your system by bad guys
(bots).

I often even change my ssh port to something like 2424 and get rid of
practically all scanning bots.

~~~
S4M
Thanks for the suggestions. Yes, I checked /var/log/auth.log and I saw some
strange IPs trying to ssh as root. Good idea to change the ssh port.

------
mclemme
[https://isc.sans.edu/forums/diary/Port+5000+traffic+and+snor...](https://isc.sans.edu/forums/diary/Port+5000+traffic+and+snort+signature/17771)

Anything you put on a public IP address is going to get scanned pretty
regularly by all sorts of bots/worms/etc.
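
An added example, not part of any comment above: a small Python parser for the werkzeug lines in the question that groups 404 requests for paths the app does not serve by the addresses that sent them. The route set, the list of crawler files and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# The four log lines from the question, HTML entities decoded.
SAMPLE_LOG = """\
INFO:werkzeug:186.237.38.73 - - [14/May/2014 01:14:17] "GET /webman/info.cgi?host=HTTP/1.0" 404 -
INFO:werkzeug:125.108.128.98 - - [14/May/2014 08:48:10] "GET /webman/info.cgi?host= HTTP/1.0" 404 -
INFO:werkzeug:198.20.70.114 - - [14/May/2014 09:42:07] "GET / HTTP/1.1" 200 -
INFO:werkzeug:198.20.70.114 - - [14/May/2014 09:42:07] "GET /robots.txt HTTP/1.1" 404 -
"""

# Assumptions of this example: the app only serves "/", and requests for
# these well-known files come from ordinary crawlers and browsers.
KNOWN_ROUTES = {"/"}
CRAWLER_FILES = {"/robots.txt", "/favicon.ico"}

# The protocol token is optional: the first sample line has no space before
# "HTTP/1.0", so the whole string ends up in the request target.
LINE_RE = re.compile(
    r'^INFO:werkzeug:(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)

def parse(log):
    """Yield (ip, path, status) for each werkzeug access-log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            path = m["target"].split("?", 1)[0]  # drop the query string
            yield m["ip"], path, int(m["status"])

def probes_by_path(log):
    """Map each unserved, non-crawler path that got a 404 to the IPs requesting it."""
    hits = defaultdict(set)
    for ip, path, status in parse(log):
        if status == 404 and path not in KNOWN_ROUTES | CRAWLER_FILES:
            hits[path].add(ip)
    return {path: sorted(ips) for path, ips in hits.items()}

if __name__ == "__main__":
    for path, ips in probes_by_path(SAMPLE_LOG).items():
        print(f"{path}: requested by {len(ips)} address(es): {', '.join(ips)}")
```

The same unserved path requested from unrelated addresses is the pattern the replies describe as automated scanning; the `/robots.txt` request is left out of the result because it is listed as a crawler file.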

