How much "scanning" is normal?

[bpalob]

Hi guys,

I observe on my firewall log that I am seing permanently random addresses trying to connect to suspicious ports, for instance 22, 23, 2222, 2323, 3389 etc. At some points I get 25 such requests in about 10 minutes of time.

As I believe to have been recently hacked (got an account hijacked), I got rather suspicious.

I am aware that it's normal that we're all exposed over the WAN. But how much is "normal" or acceptabe?

In the meantime I've had my IP changed (my operator left me with the same for about a year now,...), same with the new IP. Also I implemented Geo-Blocking, which works great, at least from what I see in the firewall log.

Trying to run a tight ship now... but wondering whether this is a normal experience or if you'd say nono, you should not see more than 5 a day,... :-)

Thanks.

[Patrick M. Hausen]

The entire IPv4 (legacy) Internet is port scanned 24x7.

[Greg_E]

The entire IPv4 (legacy) Internet is port scanned 24x7.

And by several businesses to try and get money. I have one that scans all the time and offered a free report, so instead of just blocking it, I subscribed to the report. What's interesting is that I see one port that has a service on it listed, but not a second port that I recently opened back up. So something on my system is blocking them after they get the first port. ShadowServer is one of these, check whois for several of the other IP to find out who they are. The good ones will list all IP address ranges that they use so you can block them if you don't like them scanning.

Everything else is from a dirtbag trying to break in.