2026-04-17 No place to hide

I was meaning to use this place to post about non-gemini things, since all niche communities seem to have a tendency to only talk about themselves (see also: Esperantists incessantly bickering about Esperanto instead of discussing world affairs or their favourite coffee blends). But I've been looking at my gemini server logs the past few days, and I discovered I keep getting malformed TLS requests (or non-TLS requests). Even stranger, today I noticed some HTTP requests. Some of them seemed innocent enough, others were clearly looking for vulnerabilities.

So I did some quick lookups at abuseipdb.com and discovered I'm being portscanned by Palo Alto and Infrawatch – companies boasting about their real-time, AI-powered global cyber threat intelligence, or whatever they're calling it. Infrawatch even attempted to make a real gemini request, but failed because they used my server's IP address instead of the domain. Within two seconds, they had made one non-TLS request, one gemini request and two HTTP requests. What I don't get is why they keep returning – my server drops packets on all ports except the ones I use, which will return correct responses. If they wanted to scan my gemini server, a single prod would tell them what it is and that it's operating according to spec. Yet they've kept returning for days (I haven't looked back in my rotated logs to see how far back it goes).
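The kinds of traffic described above (non-TLS bytes, HTTP requests, and a gemini request addressed to the IP instead of the domain) can be separated when triaging logs. This is an added example, not part of the original post or the author's server; the hostname `capsule.example` and all sample bytes are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

SERVED_HOSTS = {"capsule.example"}  # assumption: hostname this server answers for
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ", b"CONNECT ")

def classify_raw(first_bytes: bytes) -> str:
    """Classify the first bytes seen on the socket, before any TLS handshake."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"      # TLS record type 22 (handshake), major version 3
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    if first_bytes.startswith(b"gemini://"):
        return "plaintext-gemini"
    return "non-tls-other"

def classify_request(line: bytes, served=SERVED_HOSTS) -> str:
    """Classify a decrypted request line read after a completed TLS handshake."""
    if line.startswith(HTTP_METHODS):
        return "http-over-tls"
    # A Gemini request is one URL of at most 1024 bytes followed by CRLF.
    if not line.endswith(b"\r\n") or len(line) > 1026:
        return "malformed"
    try:
        url = urlsplit(line[:-2].decode("utf-8"))
        host = url.hostname or ""
    except (UnicodeDecodeError, ValueError):
        return "malformed"
    if url.scheme != "gemini":
        return "foreign-scheme"
    try:
        ipaddress.ip_address(host)
        return "gemini-ip-as-host"  # client used the address, not the domain
    except ValueError:
        pass
    return "gemini-ok" if host in served else "gemini-unknown-host"

def tally(raw_samples, request_samples) -> Counter:
    """Count categories across both layers for a quick per-day summary."""
    counts = Counter(classify_raw(b) for b in raw_samples)
    counts.update(classify_request(r) for r in request_samples)
    return counts

# Constructed samples (documentation address 192.0.2.10, not real log data).
RAW_SAMPLES = [b"\x16\x03\x01\x02\x00\x01", b"GET / HTTP/1.1\r\n", b"\x00\x00\x00\x00"]
REQUEST_SAMPLES = [b"gemini://192.0.2.10/\r\n", b"gemini://capsule.example/\r\n",
                   b"GET / HTTP/1.1\r\n"]
```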

It's not exactly a drain on my gemini server, although I haven't checked how much traffic I'm getting on other ports since they're all closed anyway. But it's rather annoying, so I blocked the port scanners. Palo Alto at least list their IP ranges on their website, so you can whitelist or block them according to preference. Infrawatch don't; they only allow network owners to contact them about ‘opting out’ of being scanned. So I've banned the IPs I've seen so far, with relatively conservative ranges. As for the vulnerability scans, the actor is unknown so again I've blocked a narrow range instead. Hopefully I haven't blocked any legitimate IPs, but it'll be hard to know, won't it.

Why can't the world just leave my little gemini server in peace?

♫ Song of the day: ‘What Do You Want from Me’ by Pink Floyd (on Deezer)

Proxied content from gemini://rymden.no/tx/2026-04-17.gmi (external content)