Michael,

On Mon, 25 Nov 2002 10:17:49 PST Michael Bacon wrote:

> I'm using port sentry on my LRP box. The other day it blocked someone
> attempting to access port 1080 (not used), then port 25 (redirect to our mail
> server). He came back the next day and tried port 25 again, but he was
> still blocked by the firewall rules.

Sounds like it might be a spammer looking for open relays. The socks (port 1080) request was probably an attempt to find a mis-configured socks proxy that allows public access and is allowed to relay mail through mail servers on the same network. Other types of mis-configured proxies can be used too, and it's common to see network sweeps for ports 80, 1080, 8000, 8080 and 25 all from the same host. Enough digging on the SecurityFocus or other security or incidents lists should turn up more information about the techniques used and may even help you find out which scanning tool was used in this incident.

All that said, if you aren't running mis-configured proxies, your mail server isn't an open relay, and your firewall is configured properly, you shouldn't have anything to worry about. If in doubt (and you have lots of spare time :), you could always scan your mail server logs for abnormalities.

> I thought I read somewhere there is a way to capture via tcpdump some of the
> packet information and write it to a file or syslog when a packet is
> dropped. Is this possible? Can someone point me in a direction for
> research?
>
> I'm feeling uneasy that I don't know what this person was/is attempting.

I don't know how to use tcpdump in the way you describe, but snort is typically used for capturing suspicious packets. If you are really curious and have the extra hardware, it might be easier to set up a snort box on a hub outside your firewall. If you do set up snort outside the firewall, it would be a good idea to run snort on an interface without an address or take other measures to make it difficult to attack.

--Brad

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
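Added example (not from the thread or the LEAF project): the reply notes that open-proxy/relay hunters typically sweep ports 80, 1080, 8000, 8080 and 25 from one host. This script groups dropped-packet log lines by source and flags hosts that touched several of those ports. The log lines are constructed in the style of netfilter `LOG` output with hypothetical addresses; the field names and the two-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports the reply says are commonly swept together by hosts hunting for
# open proxies and mail relays.
PROXY_RELAY_PORTS = {25, 80, 1080, 8000, 8080}

# Constructed sample lines in the style of netfilter/iptables LOG output.
# Hosts, times and port numbers are hypothetical, not captured traffic.
SAMPLE_LOG = """\
Nov 25 09:12:01 lrp kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=4412 DPT=1080 SYN
Nov 25 09:12:03 lrp kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=4413 DPT=25 SYN
Nov 25 09:12:05 lrp kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=4414 DPT=8080 SYN
Nov 25 09:40:22 lrp kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50120 DPT=25 SYN
Nov 25 10:01:09 lrp kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 PROTO=UDP SPT=1234 DPT=53
"""

# Pull the source address, protocol and destination port out of one line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_dropped(lines):
    """Yield (src, proto, dport) for every line carrying SRC/PROTO/DPT fields."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def sweep_sources(lines, ports=PROXY_RELAY_PORTS, min_ports=2):
    """Return {src: sorted ports} for sources whose dropped TCP probes hit at
    least `min_ports` distinct ports from the proxy/relay set. A single hit
    on port 25 is not enough on its own; a spread across the set is."""
    hits = defaultdict(set)
    for src, proto, dport in parse_dropped(lines):
        if proto == "TCP" and dport in ports:
            hits[src].add(dport)
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_ports}


def report(text=SAMPLE_LOG):
    """One readable line per suspected sweeping host, sorted by address."""
    found = sweep_sources(text.splitlines())
    return [f"{src} probed {', '.join(map(str, ps))}: likely open-proxy/relay sweep"
            for src, ps in sorted(found.items())]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Lower `min_ports` to 1 if you want every host that touched any port in the set listed, at the cost of more noise from ordinary mail traffic.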
