Computing staff regularly run scans of the Informatics network as part of the management and security of the network. Scanning allow the identification of vulnerabilities with web applications, unpatched software and configuration weaknesses, all of which can pose a significant threat to network security. All self-managed machines connected to the Informatics networks are subject to the self-managed machines policy.
It is normal for scans to be reported in system logs and some scans should generate alerts in correctly configured firewalls including fail2ban. Persistent failed password logins (without any successful, legitimate logins) from University address ranges are not part of scanning, and you should report this.
Our current addresses used for regular internal scanning are:
- 129.215.202.111
- 129.215.212.72
- 129.215.33.80
- 2001:630:3c1:202:216:3eff:fe0b:f90e
- 2001:630:3c1:212:ca5a:cfff:fe03:565a
- 2001:630:3c1:33:216:3eff:fedc:73ba
Other addresses may be used on an ad hoc basis.
If you are running an externally exposed service, unwanted probing and scanning of your service is a fact of life. Even if you do not advertise your service, it will be found by security researchers and miscreants. Many organisations scan our networks such as JISC, NCSC, ShadowServer, Shodan and many more that are unidentified. Some of these only share their data privately, but as an example, Shodan enables anyone to search for public services.