I'm sure that this question has been asked before, please don't hesitate to throw stones at me if it has, however, I'm asking it again...

I'm bored with reading those blitherin' emails all the time - those ones that say someone in the Penag Delta thinks he's a 733t pillock and therefore is busy scanning my IP address range. Now Smoothwall (for the skinflints amongst us) has a nice web-based GUI that summarises the log information and allows you to do reverse lookups etc. Nice and easy for me to see whether my attacker is a "733t" or just another proxy that should be let through...... (we work with the cable companies, they forget to tell us things like that..)

Has anyone done anything similar, or in fact anything which turns this information storm into a more workable solution...? (Yes we do syslog - I guess the answer is probably a web interface based on that, and bin the emails...?)

> -----Original Message-----
> From: Michael Agard [mailto:[EMAIL PROTECTED]]
> Sent: 03 April 2003 15:22
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Possible hack attempts on port 3389
>
> Were I to guess, I would say that the increase is almost directly related to Erik Forsberg's BugTraq posting yesterday regarding the potential for man-in-the-middle attacks via MS Terminal Services/RDP. His group apparently has an unreleased binary which could exploit this flaw... but a skilled individual who was so inclined would likely have little problem developing one themselves.
>
> That having been said, networks which give preferential treatment (security-wise) to machines that make VPN client connections would seem to be marginally more vulnerable, in that VPN client machines which are running MS Terminal Server in an unprotected (e.g. home LAN on cheap cable modem) environment pose a large threat. Of course, it's only natural to give VPN client machines preferential treatment...
>
> Is there a mechanism in the GTA/SafeNet VPN server or client that allows one to push a firewall/security policy to the client machine?
>
> michael w. agard
> [manager of global network operations]
> [sbi-razorfish]
> 212.798.6608 office
> 917.213.6981 mobile
> 212.966.6915 fax
> [EMAIL PROTECTED]
> * the price of security is eternal vigilance *
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 03, 2003 3:33 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Possible hack attempts on port 3389
>
> Yes, we're finding the same. However, as is common with most folk here, we take the attitude that everything is blocked (in and out) unless specifically allowed, and even then preferably from a VPN or fixed IP address.
>
> rgds
>
> gmcb
>
> -----Original Message-----
> From: Cox, Danny H.
> To: [EMAIL PROTECTED]
> Sent: 03/04/2003 02:32
> Subject: [gb-users] Possible hack attempts on port 3389
>
> There appears to be a rise in hack attempts through port 3389.
>
> In the past 6 hours, I have seen 4 different networks try to log into my primary index server through this port.
>
> Over the past year, I have seen about a total of 3 attempts to gain this type of access, until now.
>
> For those of you that don't know - this port is used by Microsoft for Terminal Services (think Remote Desktop).
>
> Here is one of many log entries I have been getting - note the originating IP address.
>
> EMAIL NO: 3
> DATE: Wed 2003-04-02 17:05:34
> PRIORITY: 4
> INTERFACE: EXT-DSL (xl0)
> INTERFACE TYPE: External
> ALARM TYPE: Block
> IP PACKET: TCP [61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389] l=0 f=0x2
> [61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389]
>
> I decided to play on a hunch on these and found that every single one of these sites had a Windows server running TS.
>
> Several of the sites were "home based" small business networks that had Linksys and SonicWall firewalls.
>
> I notified the admins of the problem and still keep getting random attempts.
>
> I have long since shut down these services (at the firewall) here and plan to take steps to make certain this is not a concern for me.
>
> Danny H. Cox
> Yield Dynamics, Inc.
> (408) 764-9822
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archive of the last 1000 messages: http://www.mail-archive.com/[EMAIL PROTECTED]
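One starting point for the digest the original poster is asking for, as an added example that is not from the thread or from any product mentioned in it: it parses block alarms laid out like the entry Danny quoted, counts inbound connection attempts per destination port and source address, and flags sources that cross a threshold, so a single summary can replace the flood of per-packet emails. The sample alarms are constructed with documentation addresses; reading the `f=` value as TCP flag bits (0x02 = SYN) and treating blank lines as the separator between alarms are assumptions, not documented GNAT Box behaviour.

```python
import re
from collections import Counter, defaultdict

# "IP PACKET:" line of a block alarm as quoted in the thread. Assumption: f= holds
# the TCP flag bits, so 0x02 (SYN, no ACK) is an inbound connection attempt.
PACKET_RE = re.compile(
    r"IP PACKET:\s+(?P<proto>\w+)\s+\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\w.]+)/(?P<dport>\d+)\]\s+l=\d+\s+f=(?P<flags>0x[0-9a-fA-F]+)"
)
FIELD_RE = re.compile(r"^([A-Z ]+?):\s*(.+)$", re.MULTILINE)

def parse_alarms(text):
    """Split blank-line-separated alarm emails into dicts; keep only Block alarms."""
    alarms = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(block)}
        pkt = PACKET_RE.search(block)
        if not pkt or fields.get("ALARM TYPE") != "Block":
            continue
        rec = pkt.groupdict()
        rec["flags"] = int(rec["flags"], 16)
        rec["dport"] = int(rec["dport"])
        rec["date"] = fields.get("DATE")
        alarms.append(rec)
    return alarms

def summarize(alarms, threshold=3):
    """Count pure-SYN blocks per destination port and source; return that table
    and the sorted (src, dport, count) triples at or above threshold."""
    by_port = defaultdict(Counter)
    for a in alarms:
        if a["proto"] == "TCP" and (a["flags"] & 0x12) != 0x02:
            continue  # SYN/ACK, ACK etc. are not inbound connection attempts
        by_port[a["dport"]][a["src"]] += 1
    noisy = sorted((src, port, n) for port, srcs in by_port.items()
                   for src, n in srcs.items() if n >= threshold)
    return by_port, noisy

# Constructed sample alarms (documentation addresses, not the thread's).
def _alarm(no, src, sport, dport, flags):
    return (f"EMAIL NO: {no}\nDATE: Wed 2003-04-02 17:05:34\nPRIORITY: 4\n"
            f"INTERFACE: EXT-DSL (xl0)\nINTERFACE TYPE: External\nALARM TYPE: Block\n"
            f"IP PACKET: TCP [{src}/{sport}]-->[198.51.100.5/{dport}] l=0 f={flags}\n")

SAMPLE = "\n".join([_alarm(1, "192.0.2.10", 3988, 3389, "0x2"),
                    _alarm(2, "192.0.2.10", 3989, 3389, "0x2"),
                    _alarm(3, "203.0.113.7", 1044, 3389, "0x2"),
                    _alarm(4, "192.0.2.10", 3990, 3389, "0x2"),
                    _alarm(5, "203.0.113.7", 1045, 3389, "0x12"),
                    _alarm(6, "192.0.2.10", 3991, 22, "0x2")])
```

`summarize(parse_alarms(SAMPLE))` yields a per-port table and flags only the source that sent three SYNs to 3389; the SYN/ACK entry is ignored, which is the kind of filtering a syslog-fed web front end would do before showing anything.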
