System + setup
I am running a Jupyter notebook on a virtual private server (VPS) Ubuntu 18.04.
The dockerfile is Jupyter Notebook Deep Learning Stack.
The OS version:
cat /proc/version
Linux version 4.15.0-62-generic (buildd@lcy01-amd64-024) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #69-Ubuntu SMP Wed Sep 4 20:55:53 UTC 2019
I am not an expert in Linux (although I like it), or networking, so I have tried to take reasonable security precautions:
- I connect to my VPS through SSH on port 22. It uses a public/private encryption key, rather than a password.
- I start the notebook dockerfile in a terminal from SSH, which generates an encryption key, rather than a password (which is a different key each time the command is run).
- I access the notebook through the web, through port 8888. This is over HTTP rather than HTTPS (should I worry about this?).
When I leave the notebook running, I get lots of attempted connections in the terminal log, none of which are from me:
[W 23:45:14.145 NotebookApp] 405 CONNECT check.best-proxies.ru:80 (184.108.40.206) 2.09ms referer=None
[I 02:28:27.195 NotebookApp] 302 GET / (220.127.116.11) 1.31ms
[I 03:18:18.132 NotebookApp] 302 GET / (18.104.22.168) 1.67ms
[W 03:45:37.157 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=156895113717804PC238846785208888 (22.214.171.124): '_xsrf' argument missing from POST
[W 03:45:37.158 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=156895113717804PC238846785208888 (126.96.36.199) 1.82ms referer=https://best-proxies.ru/
[I 03:45:37.159 NotebookApp] Malformed HTTP message from 188.8.131.52: Malformed HTTP request line
[W 03:45:42.330 NotebookApp] 405 CONNECT check.best-proxies.ru:80 (184.108.40.206) 2.28ms referer=None
[I 06:29:38.905 NotebookApp] 302 GET / (220.127.116.11) 0.85ms
[I 06:44:54.086 NotebookApp] 302 GET / (18.104.22.168) 0.95ms
[I 06:44:54.802 NotebookApp] 302 GET /tree (22.214.171.124) 1.45ms
[W 07:39:24.302 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=156896516435819PC238846785208888 (126.96.36.199): '_xsrf' argument missing from POST
[W 07:39:24.305 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=156896516435819PC238846785208888 (188.8.131.52) 4.45ms referer=https://best-proxies.ru/
[I 07:39:24.306 NotebookApp] Malformed HTTP message from 184.108.40.206: Malformed HTTP request line
[W 07:39:29.102 NotebookApp] 405 CONNECT check.best-proxies.ru:80 (220.127.116.11) 1.42ms referer=None
I looked at the Jupyter notebook documentation and searched the web to interpret these logs.
Request ports and methods
GET, POST and CONNECT appear to be HTTP request methods. The requests either state port 80 or no port.
I have run from another device:
sudo nmap -sT -p- <my.vps.ip.address>
Which informs me that the only open ports are the desired ones (22 SSH, 8787 rstudio, 8888 jupyter).
The three digit codes look like HTTP status codes (e.g. 403). I searched the Jupyter documentation for each code, and it only seems to explicitly refer to 403:
“By default, requests get a 403 forbidden response if the ‘Host’ header shows that the browser thinks it’s on a non-local domain. Setting this option to True disables this check.”
Codes 405 and 302 are not mentioned, although in general as HTTP codes they appear to refer to “Method not allowed” and “Moved temporarily”, respectively.
My interpretation of all this
So, after all this, I am inclined to interpret the results as:
- A random internet port scanner found an open port.
- A number of connection attempts were made.
- These attempts were unsuccessful. There is nothing to worry about and no need to change any security settings.
Would this be a reasonable interpretation of these logs?
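
One way to check that reading against a longer log, as an added example that is not part of the original post: a small Python triage script that parses NotebookApp access lines, separates proxy-style probes from direct requests, and lists any request that was actually served to an address you do not recognise. The sample log, its IP addresses, the `200` line and the `trusted_ips` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the NotebookApp log format shown in the post.
# Addresses are documentation-range placeholders; the 200 line is invented
# to show what a served request would look like.
SAMPLE_LOG = """\
[W 23:45:14.145 NotebookApp] 405 CONNECT check.best-proxies.ru:80 (192.0.2.10) 2.09ms referer=None
[I 02:28:27.195 NotebookApp] 302 GET / (198.51.100.7) 1.31ms
[W 03:45:37.157 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=1 (192.0.2.10): '_xsrf' argument missing from POST
[W 03:45:37.158 NotebookApp] 403 POST http://check.best-proxies.ru/azenv.php?s=1 (192.0.2.10) 1.82ms referer=https://best-proxies.ru/
[I 03:45:37.159 NotebookApp] Malformed HTTP message from 192.0.2.10: Malformed HTTP request line
[I 06:44:54.802 NotebookApp] 302 GET /tree (198.51.100.7) 1.45ms
[I 09:00:01.000 NotebookApp] 200 GET /tree (203.0.113.5) 3.10ms
"""

# Matches completed-request lines only: status, method, target, (ip), duration.
# The "'_xsrf' argument missing" and "Malformed HTTP message" lines do not
# match, so a request that logs two lines is counted once.
ACCESS = re.compile(
    r"^\[[A-Z] [\d:.]+ NotebookApp\] (?P<status>\d{3}) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) \((?P<ip>[^)]+)\) [\d.]+ms"
)

def classify(req):
    """Return (kind, outcome) for one parsed request."""
    # CONNECT, or a full URL as the target, asks the server to relay traffic
    # to another host: an open-proxy check rather than a notebook request.
    proxy = req["method"] == "CONNECT" or "://" in req["target"]
    status = int(req["status"])
    outcome = "served" if status < 300 else "redirected" if status < 400 else "rejected"
    return ("proxy-probe" if proxy else "direct"), outcome

def review(log, trusted_ips=()):
    """Count requests by (kind, outcome); collect 2xx responses to unknown IPs."""
    summary, alerts = Counter(), []
    for line in log.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        req = m.groupdict()
        summary[classify(req)] += 1
        if int(req["status"]) < 300 and req["ip"] not in trusted_ips:
            alerts.append(req)
    return summary, alerts

if __name__ == "__main__":
    summary, alerts = review(SAMPLE_LOG)
    for (kind, outcome), n in sorted(summary.items()):
        print(f"{n:3d}  {kind:12s} {outcome}")
    for req in alerts:
        print("check:", req["status"], req["method"], req["target"], req["ip"])
```

Every access line quoted in the post carries a 302, 403 or 405 status, so this script would count them all as redirected or rejected and raise no alert.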