November 5, 2019

Understanding Networks
Run your Linux host for several days, with a firewall in place and a public IP address. Make a table of all the IP addresses that attempt to connect to your host. Compile information about them. Where are they located? What organizations are they associated with, at all? What service providers are providing their IP addresses?
I used my Linux host that I set up with Digital Ocean for this assignment. I followed the instructions here: https://itp.nyu.edu/networks/tutorials/setting-up-a-firewall-on-an-embedded-linux-device/. At first I had trouble seeing any logs from my firewall; it turns out I had actually set up a firewall service on Digital Ocean two months ago and forgotten about it. Turning that off on Digital Ocean seemed to do the trick.
I let my firewall run for about 3 to 4 days, but I was only able to do my analysis on 2 days' worth of logs, since I had trouble downloading the extra files containing past logs.
I used Python to analyze each blocked request to my server, and used the ipinfo API to look up the identity of the source of each request.
The API gave information about where the IPs that made requests to my server were located. I organized the requests by country, sorted by how many requests were made from each.
Top 20 Sources of requests to my server
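As an added example (not the author's script), here is how that analysis can be done in Python: it parses constructed ufw-style "[UFW BLOCK]" log lines (an assumed format, using RFC 5737 documentation addresses), counts blocked attempts per source IP and per targeted port, and then attributes each unique IP by country and organization through a pluggable lookup, stubbed here with constructed data standing in for ipinfo responses.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple
# Assumed log format: ufw's "[UFW BLOCK]" kernel lines (/var/log/ufw.log or syslog).
UFW_BLOCK = re.compile(r"\[UFW BLOCK\].*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dpt>\d+)\b")
# Constructed sample lines using RFC 5737 documentation addresses, not real log data.
SAMPLE_LOG = """\
Nov  5 03:12:44 droplet kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=43210 DPT=22 SYN
Nov  5 03:12:51 droplet kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=43211 DPT=22 SYN
Nov  5 03:15:02 droplet kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=50001 DPT=445 SYN
Nov  5 03:16:19 droplet sshd[812]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Nov  5 03:20:40 droplet kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060
"""
# Constructed stand-in for ipinfo responses (a real call is https://ipinfo.io/<ip>/json,
# which returns "country" as an ISO code and "org" as "AS<number> <name>").
CONSTRUCTED_IPINFO: Dict[str, dict] = {
    "203.0.113.7": {"country": "US", "org": "AS64496 Example Hosting LLC"},
    "203.0.113.9": {"country": "NL", "org": "AS64497 Example Volume BV"},
    "192.0.2.55": {"country": "RU", "org": "AS64498 Example Datacenter OOO"},
}
def offline_lookup(ip: str) -> dict:
    """Offline replacement for the ipinfo API call, so the example runs without network."""
    return CONSTRUCTED_IPINFO.get(ip, {})
def parse_blocked(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Extract (source IP, destination port) from every blocked-connection line."""
    hits = []
    for line in lines:
        m = UFW_BLOCK.search(line)
        if m:  # lines that are not firewall blocks (e.g. sshd) are skipped
            hits.append((m.group("src"), int(m.group("dpt"))))
    return hits
def summarize(hits: List[Tuple[str, int]], lookup: Callable[[str], dict]) -> Dict[str, Counter]:
    """Count attempts per source IP and per target port, then attribute each unique IP once."""
    by_ip = Counter(ip for ip, _ in hits)
    by_port = Counter(port for _, port in hits)
    by_country: Counter = Counter()
    by_org: Counter = Counter()
    for ip, n in by_ip.items():  # one lookup per unique IP keeps API usage low
        info = lookup(ip)
        by_country[info.get("country", "unknown")] += n
        by_org[info.get("org", "unknown")] += n
    return {"by_ip": by_ip, "by_port": by_port, "by_country": by_country, "by_org": by_org}
if __name__ == "__main__":
    report = summarize(parse_blocked(SAMPLE_LOG.splitlines()), offline_lookup)
    for key, counter in report.items():
        print(key, counter.most_common(5))
```

Swapping `offline_lookup` for a function that fetches `https://ipinfo.io/<ip>/json` gives the country and organization breakdowns described above from a real log file.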
From the US, here were some top companies that made requests:
From the NL, most of the requests were by "IP Volume inc / Incrediserve LTD".
From Russia, most of the requests were from "AS202984 Chernyshov Aleksandr Aleksandrovich" and "AS49505 OOO Network of data-centers Selectel". I'm surprised to see such a personal name in these logs, especially since most are so infrastructurally related.
The API also gave a way to tell what type of business was associated with the servers that tried to connect to me. Of course, "business" is the most popular type of business - I'm interested in seeing what they mean specifically by this.
Top Business Types seen by my server: