Starting with the launch of the IP2Proxy Proxy Detection PX9 database, the threat field data was added. This threat field contains the type of threat posed by the IP address. One of the possible threat classifications is the SCANNER threat type.
What is the SCANNER threat type?
As the word suggests, the threat posed by that IP address (a.k.a. scanner IP address) stems from the network or server scanning activity originating from that IP. Security scanning or network scanning is a form of penetration testing done by security researchers or hackers using a tool such as Nmap.
The goal of such testing is to determine if there is any unsecured network port which could be compromised in a hacking attack. It can also be used to determine if an outdated program is running on that server. For example, an outdated version of the Apache web server will contain unpatched bugs or vulnerabilities which can be manipulated to steal data or infect the system with malware.
How to mitigate scanning threats?
Usually, the person or organization doing the scanning will attempt to determine which network ports are open to the public. They will attempt to connect to a range of ports and see if they get any response when they transmit some data to the targeted ports. If there is any form of response, they’ll know there is a program or service listening on that port.
When the port is one that is commonly associated with a particular service such as a mail server or web server, then the next step would be to determine the version of the service running. With that information, the known vulnerabilities for that particular version can be exploited for malicious purposes.
The easiest way to mitigate such threats would be to shut down any unused services and protect the ports with a firewall. In addition, the server administrator should also keep the operating system and other services fully patched at all times.
What about my active services?
If you are providing services such as a mail server or web server, then you don’t have the option to shut them down. But there is another protective measure you can employ, which is to screen the incoming connection’s IP address against the IP2Proxy PX9 database. When you see the threat type is SCANNER, you can choose to block or drop the connection immediately.
The benefit of using the IP2Proxy PX9 database is that normal users will still be able to access your running services. Only those IP addresses that are marked as SCANNER will be denied access.
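The screening step described above, as an added example (not IP2Proxy's code or API). It assumes a simplified CSV export with three columns, ip_from, ip_to and threat, with IPv4 addresses stored as integers; the rows are constructed sample data on documentation address ranges, and the function names are hypothetical.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample rows, not real PX9 data. Assumed layout: ip_from, ip_to
# (IPv4 as integers), threat. Ranges are RFC 5737 documentation networks;
# "-" is used here as a constructed "no threat" value.
SAMPLE_CSV = '''\
"3221225984","3221226239","SCANNER"
"3325256704","3325256831","-"
"3405803776","3405803791","SCANNER"
'''


def load_ranges(csv_text):
    """Return (starts, rows) sorted by ip_from so lookups can binary-search."""
    rows = sorted(
        (int(r[0]), int(r[1]), r[2].strip().upper())
        for r in csv.reader(io.StringIO(csv_text)) if r
    )
    return [r[0] for r in rows], rows


def threat_for(ip, starts, rows):
    """Return the threat label for a peer address, or None if it is unlisted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # unparseable input is treated as unlisted
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return None  # this sample only carries IPv4 ranges
    n = int(addr)
    i = bisect.bisect_right(starts, n) - 1  # last range starting at or below n
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None


def should_block(ip, starts, rows):
    """Deny only peers whose range is labelled SCANNER; everyone else passes."""
    return threat_for(ip, starts, rows) == "SCANNER"


if __name__ == "__main__":
    starts, rows = load_ranges(SAMPLE_CSV)
    for peer in ("192.0.2.10", "198.51.100.5", "::ffff:203.0.113.1"):
        print(peer, "DROP" if should_block(peer, starts, rows) else "ALLOW")
```

Load the ranges once at startup and call `should_block` on each accepted connection's peer address before handing it to the service.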
There are people who are trying to penetrate servers on a daily basis. As a server administrator, it would be foolish to think that you won’t be next on their hit list. Incorporating the IP2Proxy PX9 database as part of your day-to-day security measures will ease your worry and keep your server safe.