
Port scanning Bor v 2.5.2

Open Skryabin-P opened this issue 1 month ago • 4 comments

Hello! I don't know if it is related to Bor v2.5.2. I updated to this version yesterday evening, and today Hetzner blocked my server due to port scanning.

```
#############################################################################

Netscan detected from host ******

#############################################################################

TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT

2025-11-27 15:21:26 ********* 30303 -> 10.47.99.250 12000 133 UDP
2025-11-27 15:24:38 ********* 30303 -> 172.16.0.12 30303 133 UDP
2025-11-27 15:22:46 ************ 30303 -> 212.192.16.3 30303 176 UDP
2025-11-27 15:22:47 *************** 30303 -> 212.192.16.3 30303 146 UDP
2025-11-27 15:25:32 ************* 30303 -> 212.192.16.4 30304 146 UDP
2025-11-27 15:25:31 ************* 30303 -> 212.192.16.4 30304 176 UDP
2025-11-27 15:24:50 *********** 30303 -> 212.192.16.8 30303 146 UDP
2025-11-27 15:24:49 ************ 30303 -> 212.192.16.8 30303 176 UDP
2025-11-27 15:22:34 *************** 30303 -> 212.192.16.16 30304 176 UDP
2025-11-27 15:22:35 **************** 30303 -> 212.192.16.16 30304 146 UDP
2025-11-27 15:22:34 **************** 30303 -> 212.192.16.16 30304 176 UDP
2025-11-27 15:24:48 ***************** 30303 -> 212.192.16.22 30303 176 UDP
2025-11-27 15:24:02 *************** 30303 -> 212.192.16.22 30303 176 UDP
2025-11-27 15:24:03 ***************** 30303 -> 212.192.16.22 30303 146 UDP
```

Skryabin-P avatar Nov 27 '25 15:11 Skryabin-P

Do you have more info about which port has been detected as "malicious activity"? Did you change any config?

marcello33 avatar Nov 30 '25 10:11 marcello33

@marcello33 Hello! Thanks for your questions. Hetzner blamed me for port scanning across a wide IP range on ports 30303 and 30304, precisely on these subnets:

212.192.16.0/24
212.192.17.0/24
212.192.18.0/24
212.192.19.0/24

First of all, I checked other server processes and server logs to exclude the case that my server was hacked. I didn't find anything.

Then I blocked this range in iptables, switched Bor to the previous 2.5.1 version, and decreased the number of peers and the number of pending peers to 300 and 30 (before, it was 500 and 100 respectively). After that they unblocked me.

My guess is that Bor started actively searching for new peers, and to Hetzner it looked like port scanning. Actually, it is the first time that I have had a problem with this. Maybe it is a coincidence, but it happened 12 hours after I had upgraded to 2.5.2.

My current Bor configuration

```yaml
bor:
  image: "0xpolygon/bor:2.5.1"
  container_name: bor
  restart: unless-stopped
  depends_on:
    - heimdall-v2
  networks:
    - polygon-network
  volumes:
    - "/mnt/polygon-data:/bor-home:rw"
  ports:
    - "127.0.0.1:8545:8545" # HTTP RPC
    - "127.0.0.1:8546:8546" # WebSocket
    - "30303:30303" # P2P TCP
    - "30303:30303/udp" # P2P UDP
    - "127.0.0.1:6060:6060" # Metrics
  command: >
    server
    --chain=mainnet
    --discovery.dns=enrtree://AKUEZKN7PSKVNR65FZDHECMKOJQSGPARGTPPBI7WS2VUL4EGR6XPC@pos.polygon-peers.io
    --datadir=/bor-home
    --syncmode=full
    --http
    --http.addr=0.0.0.0
    --http.port=8545
    --http.vhosts=*
    --http.corsdomain=*
    --http.api=eth,net,web3,txpool,bor,debug,admin
    --http.ep-size=500
    --http.ep-requesttimeout=30s

    --ws
    --ws.addr=0.0.0.0
    --ws.port=8546
    --ws.origins=*
    --ws.api=eth,net,web3,txpool,bor,debug,admin
    --ws.ep-size=500
    --ws.ep-requesttimeout=30s

    --bor.heimdall=http://heimdall-v2:1317
    --maxpeers=300
    --maxpendpeers=30
    --port=30303
    --txarrivalwait=0ms
    --bootnodes=enode://e4fb013061eba9a2c6fb0a41bbd4149f4808f0fb7e88ec55d7163f19a6f02d64d0ce5ecc81528b769ba552a7068057432d44ab5e9e42842aff5b4709aa2c3f3b@34.89.75.187:30303,enode://a0bc4dd2b59370d5a375a7ef9ac06cf531571005ae8b2ead2e9aaeb8205168919b169451fb0ef7061e0d80592e6ed0720f559bd1be1c4efb6e6c4381f1bdb986@35.246.99.203:30303,enode://72c3176693f7100dfedc8a37909120fea16971260a5d95ceff49affbc0e23968c35655fee75734736f0b038147645e8ceeee59af68859b3f5bf91fe249be6259@35.246.95.65:30303,enode://f5cfe35f47ed928d5403aa28ee616fd64ed7daa527b5ae6a7bc412ca25eaad9b6bf2f776144fd9f8e7e9c80b5360a9c03b67f1d47ea88767def7d391cc7e0cd1@34.105.180.11:30303,enode://fc7624241515f9d5e599a396362c29de92b13a048ad361c90dd72286aa4cca835ba65e140a46ace70cc4dcb18472a476963750b3b69d958c5f546d48675880a8@34.147.169.102:30303,enode://198896e373735ba38a0313d073137a413787ece791fbc0d0be0f9f6b9d9dd00ee0841f46519904d666d7f1cdfce5532b093e3a1574b34eb64224f57b9b7fce7b@34.89.55.74:30303

    --cache=32768
    --cache.gc=25
    --cache.database=35
    --cache.trie=35
    --cache.snapshot=10
    --cache.noprefetch=false
    --cache.triesinmemory=4096
    --txlookuplimit=0
    --rpc.txfeecap=0
    --rpc.gascap=0
    --rpc.returndatalimit=0
    --rpc.evmtimeout=30s
    --txpool.globalslots=10000
    --txpool.globalqueue=10000
    --txpool.accountslots=16
    --txpool.accountqueue=64
    --txpool.lifetime=0h10m0s
    --txpool.nolocals=false
    --txpool.pricebump=10
    --rpc.batchlimit=500
    --parallelevm.enable=true
    --parallelevm.procs=32
    --txannouncementonly=false

    --metrics
    --metrics.prometheus-addr=0.0.0.0:6060

    --verbosity=3

    --snapshot=true
    --bor.logs=false

    --ipcpath=/bor-home/bor.ipc
```

Skryabin-P avatar Nov 30 '25 15:11 Skryabin-P
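
A triage sketch for a report like the one quoted in this thread, added here as an example (it is not part of the issue and not Bor or Hetzner code): it parses the rows, groups destinations by /24 and separates private-range targets from public ones, which shows what an outbound filter would have to cover. The rows are a subset copied from the report above; the function names and the /24 grouping are assumptions of the example.

```python
import ipaddress
import re

# Subset of the rows from the report quoted in this thread. The SRC column is
# masked there as well, so it is matched as an opaque token.
REPORT = """\
2025-11-27 15:21:26 ********* 30303 -> 10.47.99.250 12000 133 UDP
2025-11-27 15:24:38 ********* 30303 -> 172.16.0.12 30303 133 UDP
2025-11-27 15:22:46 ************ 30303 -> 212.192.16.3 30303 176 UDP
2025-11-27 15:25:32 ************* 30303 -> 212.192.16.4 30304 146 UDP
2025-11-27 15:24:50 *********** 30303 -> 212.192.16.8 30303 146 UDP
2025-11-27 15:22:34 *************** 30303 -> 212.192.16.16 30304 176 UDP
2025-11-27 15:24:48 ***************** 30303 -> 212.192.16.22 30303 176 UDP
"""

ROW = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<sport>\d+) -> "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<size>\d+) (?P<proto>\w+)$"
)

def parse(report):
    """Return (dst address, dst port, protocol) for every well-formed row."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, column header or blank line
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # masked or malformed destination
        rows.append((dst, int(m["dport"]), m["proto"]))
    return rows

def summarize(rows, prefix=24):
    """Count distinct hosts per destination network, private vs. public."""
    hosts = {}
    for dst, _port, _proto in rows:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        hosts.setdefault(net, set()).add(dst)
    private = {str(n): len(h) for n, h in hosts.items() if n.is_private}
    public = {str(n): len(h) for n, h in hosts.items() if not n.is_private}
    return private, public

if __name__ == "__main__":
    private, public = summarize(parse(REPORT))
    print("private destinations:", private)
    print("public destinations: ", public)
```
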

Yeah, maybe it was just peering.

marcello33 avatar Nov 30 '25 15:11 marcello33

This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Dec 15 '25 00:12 github-actions[bot]