
Every time I start my test-server and let it run for some days I get this in my log-files (in different variations):

111.241.26.165 - - [18/Feb/2014:22:16:45 +0100] "\x04\x01\x00\x19\xCBER!\x00" 400 172 "-" "-"
111.241.26.165 - - [18/Feb/2014:22:16:46 +0100] "\x05\x01\x00" 400 172 "-" "-"
111.241.26.165 - - [18/Feb/2014:22:16:47 +0100] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 400 172 "-" "-"

Some WebApps like gitlab are running through nginx (proxy) with GoogleAuthenticator.
Should I setup IDS/IPS (for that few days) and if yes which one?

Comment (Feb 20, 2014 at 6:09): Note... any web facing server is going to receive hacking attempts

3 Answers


These are scans for proxy servers. The first one tests for a SOCKS4 proxy, the second one for a SOCKS5 proxy, and the third one tests if your server allows forwarding via a CONNECT request to "valuable" ports (SMTP in this case). You don't have to be worried about that; it's what you expect to see on public servers. Your server answers with a return code of 400, so everything is fine.
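As an added illustration of this answer (example code written for this page, not something the answerer posted), the script below parses nginx access-log lines of the kind quoted in the question, undoes nginx's `\xNN` escaping of non-printable request bytes, and classifies each request as a SOCKS4 handshake, a SOCKS5 handshake or an HTTP CONNECT attempt. It goes one step beyond the answer by decoding the SOCKS4 destination from the first log line (the bytes `\x00\x19` are port 25 and `\xCBER!` is the destination IP), so you can see that all three probes target SMTP. The sample log text is constructed from the three entries in the question, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three nginx access-log entries quoted in the question,
# one per line, exactly as nginx writes them (non-printable bytes escaped as \xNN).
SAMPLE_LOG = r'''111.241.26.165 - - [18/Feb/2014:22:16:45 +0100] "\x04\x01\x00\x19\xCBER!\x00" 400 172 "-" "-"
111.241.26.165 - - [18/Feb/2014:22:16:46 +0100] "\x05\x01\x00" 400 172 "-" "-"
111.241.26.165 - - [18/Feb/2014:22:16:47 +0100] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 400 172 "-" "-"
'''

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# nginx writes bytes outside the printable range as \xNN and a backslash as \\.
_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\\\')


def unescape_nginx(field: str) -> bytes:
    """Turn an nginx-escaped log field back into the raw bytes the client sent."""
    text = _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else '\\', field)
    return text.encode('latin-1')


@dataclass
class ProbeVerdict:
    client: str
    kind: str               # 'socks4', 'socks5', 'http-connect' or 'other'
    target: Optional[str]   # destination the probe asked to reach, if recoverable
    status: int
    refused: bool           # True when nginx answered 4xx, i.e. did not relay anything


def classify_request(raw: bytes, text: str) -> Tuple[str, Optional[str]]:
    """Recognise proxy probes by their wire format."""
    # SOCKS4: VN=0x04, CD=0x01 (CONNECT) or 0x02 (BIND), DSTPORT (2 bytes, big-endian),
    # DSTIP (4 bytes), then a NUL-terminated user id.
    if len(raw) >= 9 and raw[0] == 0x04 and raw[1] in (0x01, 0x02):
        port = int.from_bytes(raw[2:4], 'big')
        ip = '.'.join(str(b) for b in raw[4:8])
        return 'socks4', f'{ip}:{port}'
    # SOCKS5 greeting: VER=0x05, NMETHODS, then that many method bytes (0x00 = no auth).
    if len(raw) >= 3 and raw[0] == 0x05 and raw[1] == len(raw) - 2:
        return 'socks5', None
    # HTTP CONNECT: the classic open-proxy check, usually against port 25 or 443.
    m = re.match(r'CONNECT (\S+) HTTP/1\.[01]$', text)
    if m:
        return 'http-connect', m.group(1)
    return 'other', None


def parse_log(log_text: str) -> List[ProbeVerdict]:
    """Classify every parseable line of an nginx access log."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req_text = m.group('req')
        kind, target = classify_request(unescape_nginx(req_text), req_text)
        status = int(m.group('status'))
        verdicts.append(ProbeVerdict(m.group('ip'), kind, target, status, 400 <= status < 500))
    return verdicts


def open_proxy_suspects(verdicts: List[ProbeVerdict]) -> List[ProbeVerdict]:
    """The only lines worth alerting on: a proxy probe that was NOT refused."""
    return [v for v in verdicts if v.kind != 'other' and not v.refused]


if __name__ == '__main__':
    for v in parse_log(SAMPLE_LOG):
        print(f'{v.client} {v.kind:12} target={v.target} status={v.status} refused={v.refused}')
    print('suspects:', open_proxy_suspects(parse_log(SAMPLE_LOG)))
```

Run over the question's three lines this reports `socks4` with target `203.69.82.33:25`, `socks5`, and `http-connect` with target `mx0.mail2000.com.tw:25`, all refused with status 400, and an empty suspect list. The check that matters for a defender is the last one: a proxy probe answered with a 2xx, rather than the probe itself, is what should page someone.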


    If you're worried about security you could use the naxsi module with nginx and catch such attempts a bit more explicitly with rules. I'm pretty happy with it - it's fast and lightweight.

    https://github.com/nbs-system/naxsi


      Also, check out Cloudflare, it's free/cheap and a good way to block most of this kind of "Internet noise", i.e. automated mass penetration tests for known vulnerabilities, or just traffic from known malicious IP ranges: www.cloudflare.com
