Hetzner blocks my server due to "Portscan"

Hi, I would like to know if you experienced similar issues and how I should avoid this in the future. All of the “portscan proofs” look like normal NTP traffic to me:

##########################################################################

Portscan detected from host 94.130.49.186

##########################################################################
time protocol src_ip src_port dest_ip dest_port

Mon Feb 24 18:56:17 2020 UDP 94.130.49.186 123 => 111.18.98.52 20848
Mon Feb 24 18:56:16 2020 UDP 94.130.49.186 123 => 120.243.113.73 19483
Mon Feb 24 18:56:16 2020 UDP 94.130.49.186 123 => 223.73.206.69 11954
Mon Feb 24 18:56:16 2020 UDP 94.130.49.186 123 => 223.90.110.125 48258
Mon Feb 24 18:56:16 2020 UDP 94.130.49.186 123 => 223.88.211.90 11984

Yeah got a Portscan report too for one of my servers.
Same date, same time.

Told them that this is a public NTP server which is located in the ntppool project.

They suggested that I block port 123 to prevent amplification attacks…

Yikes, those are really nonsensical responses.

1 Like

At last I told them that this server is part of the ntppool project, and we have the latest software (chrony) & sufficient protection against amplification attacks. They unblocked my server immediately 🙂

2 Likes
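A triage sketch for abuse reports in the layout quoted in the first post, added here as an example and not code from any poster or from Hetzner: it separates flows that all leave one service port over UDP (what a pool NTP server's replies look like) from flows that walk many destination ports on one host. The function names, the thresholds and the sample lines (RFC 5737 documentation addresses) are assumptions.

```python
import re
from collections import defaultdict

# Constructed samples in the report layout quoted above (documentation addresses).
SAMPLE_REPORT = """\
time protocol src_ip src_port dest_ip dest_port
Mon Feb 24 18:56:17 2020 UDP 192.0.2.10 123 => 198.51.100.52 20848
Mon Feb 24 18:56:16 2020 UDP 192.0.2.10 123 => 198.51.100.73 19483
Mon Feb 24 18:56:16 2020 UDP 192.0.2.10 123 => 203.0.113.69 11954
Mon Feb 24 18:56:16 2020 UDP 192.0.2.10 123 => 203.0.113.125 48258
"""
SAMPLE_SCAN = """\
Mon Feb 24 18:56:17 2020 TCP 192.0.2.10 40112 => 198.51.100.52 22
Mon Feb 24 18:56:17 2020 TCP 192.0.2.10 40113 => 198.51.100.52 23
Mon Feb 24 18:56:17 2020 TCP 192.0.2.10 40114 => 198.51.100.52 80
Mon Feb 24 18:56:17 2020 TCP 192.0.2.10 40115 => 198.51.100.52 443
"""

LINE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<sport>\d+) => (?P<dst>\S+) (?P<dport>\d+)$"
)

def parse(report):
    """Return one dict per flow line; headers and separators are skipped."""
    lines = (l.strip() for l in report.splitlines())
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def classify(report, service_port=123, min_ports_per_host=3):
    """Label a report 'service-replies', 'scan-like', 'unclear' or 'no-flows'."""
    flows = parse(report)
    if not flows:
        return "no-flows"
    # Server replies: UDP, always from the service port, towards high client ports.
    if all(f["proto"] == "UDP" and int(f["sport"]) == service_port
           and int(f["dport"]) >= 1024 for f in flows):
        return "service-replies"
    # Scan pattern: several different destination ports probed on one host.
    ports_by_dst = defaultdict(set)
    for f in flows:
        ports_by_dst[f["dst"]].add(f["dport"])
    if max(len(p) for p in ports_by_dst.values()) >= min_ports_per_host:
        return "scan-like"
    return "unclear"

if __name__ == "__main__":
    print(classify(SAMPLE_REPORT), classify(SAMPLE_SCAN))
```

The report format carries no packet sizes or request data, so a "service-replies" result cannot tell replies to real clients from replies to spoofed requests; that still has to be checked against the NTP daemon's own rate limiting and logs.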