>1) All tested ports show up as Stealth, ie they don't respond when a
>connection attempt is made from outside...  Except Port 5000 (UPnP)
>which shows up as closed.  What is UPnP?  Why does this port respond?
>Not a big deal, but it does show outsiders that my address has a machine
>behind it.

One would assume UPnP stands for universal plug and play (I know that MS has
vulnerabilities in Windows XP and other versions that have certain patches
applied).  Possibly that's why it is being scanned.  I'm not sure why it
isn't stealthed - but as long as it is closed you should be fine (unless for
some reason it is being forwarded to an internal machine that selectively
opens/closes the port depending on what is running).

>2) My port 53 is getting whacked hard for 10-20 seconds once or twice a
>day from the same group of IPs.  Anyone know what this might be?
>Trying to find a bind vulnerability?  Should I bother tracking down the
>IPs?

If you're getting hundreds of hits in a few seconds it is because there is
some company out there manufacturing products that use port 53 for load
balancing (stupid, I know).  This started being an issue last year actually.
It is generally caused by popups and banners.  It can fill your logs so
you should silently deny this stuff.

>3) I also notice occasional random inbound attempts from 192.168.x.x and
>10.x.x.x.  Shouldn't my ISP be preventing this sort of thing?

If someone on your subnet is doing it and it's not going through a router then
there is nothing they can do.  It'll really become an issue if they install
DHCP on their external interface (when I worked at an ISP lots of customers
would install Internet Connection Sharing incorrectly and start serving
192.168 IPs).


HTH
S
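
The two log patterns discussed in this reply, short bursts at port 53 from one group of addresses and inbound packets with 192.168.x.x or 10.x.x.x sources, can be picked out of firewall logs with a short script. This is an added example, not part of the original message; the netfilter LOG-style line format, the interface name eth0, the /24 grouping and the thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Assumed netfilter LOG-style fields (IN=, SRC=, DPT=); the post shows no log format.
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*\bIN=(\S+) .*\bSRC=(\S+) .*\bDPT=(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a 10-second burst at port 53 plus two private-source packets.
SAMPLE = [
    f"Mar  3 10:15:{s:02d} fw kernel: IN=eth0 OUT= SRC=203.0.113.{10 + s % 3} DST=198.51.100.7 PROTO=TCP SPT=2100 DPT=53"
    for s in range(0, 12, 2)
] + [
    "Mar  3 11:02:40 fw kernel: IN=eth0 OUT= SRC=192.168.1.44 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137",
    "Mar  3 11:40:09 fw kernel: IN=eth0 OUT= SRC=10.3.2.1 DST=198.51.100.7 PROTO=TCP SPT=4000 DPT=80",
    "Mar  3 12:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=1030 DPT=53",
]

def parse(line):
    """Return (seconds since midnight, interface, source address, dest port) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s, iface, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), iface, ipaddress.ip_address(src), int(dpt)

def private_sources(lines, ext_if="eth0"):
    """RFC 1918 source addresses seen arriving on the external interface."""
    recs = filter(None, map(parse, lines))
    return sorted({str(src) for _, iface, src, _ in recs
                   if iface == ext_if and any(src in net for net in RFC1918)})

def dns_bursts(lines, ext_if="eth0", window=20, threshold=5):
    """Source /24s with at least `threshold` port-53 hits inside `window` seconds."""
    times = defaultdict(list)
    for t, iface, src, dpt in filter(None, map(parse, lines)):
        if iface == ext_if and dpt == 53:
            times[str(ipaddress.ip_network(f"{src}/24", strict=False))].append(t)
    bursts = {}
    for net, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:  # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[net] = best
    return bursts

if __name__ == "__main__":
    print(private_sources(SAMPLE), dns_bursts(SAMPLE))
```

Sources reported by either function are candidates for a deny rule without logging, which keeps the noise out of the logs as the reply recommends.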

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
