Jim Ford wrote:
> Any tips regarding spotting genuine attacks on a Bering UClib box, rather
> than 'noise'? Are there any 'dead giveaway' ports or IP addresses?
>
> Jim Ford
Jim,

That's hard to answer because the pattern changes over time.

What I have noticed is an IP address range scan. An "attacker" will look for, say, port 21 being open on any IP address in, say, the 10.1.1.0 network. There may be a new security risk for an ftp daemon. The attacker is searching for any ftp services with that vulnerability. If the attacker finds an IP address with the desired service open, then the service on the port may be tested for the known issue. If found, then the attack may begin. The kind of attack depends on the way the exploit has to be executed.

Note that your ISP may be scanning selected ports, so a single port test may not be an "attack" at all. Your ISP may need to resolve performance problems based on a service that someone is running. Hence, they would range scan all of their IP addresses looking for an open service.

If someone is interested in your box, then you might see your logs full of input DENY messages for most of the common ports with services. Typically the ports are opened in sequential order and they are opened by the same source IP address. nmap is a tool used for these kinds of tests. There's a nice article that explains how nmap is used in the current Linux Pro Magazine, http://www.linux-magazine.com/issue/62 . The same information is found on the site used to maintain nmap, http://www.insecure.org/ . Once again, this may not be an attack, but it is nice to know that all the doors are locked.

Based on this, you have to watch your logs and get a feel for the current activity to find the "dead giveaway ports." A serious attacker will spoof the source IP address used in the scan or actual attack. So you won't find any joy there either.
Greg

leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user
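The log-watching Greg describes (one source walking many ports on your box versus a single-port probe that may just be the ISP) can be turned into a small classifier. What follows is an added example, not code from the original post or from the LEAF/Bering project. It assumes the firewall logs denied packets in netfilter's key=value format (SRC= DST= PROTO= DPT=), as Shorewall on a Bering box does; the sample log lines, the thresholds (five distinct ports, three distinct addresses) and the label names are constructed for illustration. It goes slightly beyond the post by also spotting the "range scan" pattern (one port across several addresses), which you only see if the box fronts more than one public address.

```python
"""Classify netfilter DROP/DENY log lines into the scan patterns Greg describes.

Added example, not LEAF project code. Assumes netfilter-style log fields
(SRC= DST= PROTO= DPT=); thresholds and sample data are constructed.
"""
import re
from collections import defaultdict

# Fields we need from a netfilter log line. ICMP lines carry no DPT, so they
# never match and are skipped by parse_log().
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not a real capture). 192.0.2.200 walks ports
# 21,22,23,25,80 on 203.0.113.10 in order; 198.51.100.7 tries ftp on three
# of our addresses; 192.0.2.44 touches port 80 once and sends one ping.
SAMPLE_LOG = """\
Dec  9 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=40 TTL=50 ID=1 PROTO=TCP SPT=40001 DPT=21 SYN
Dec  9 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=40 TTL=50 ID=2 PROTO=TCP SPT=40002 DPT=22 SYN
Dec  9 10:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=40 TTL=50 ID=3 PROTO=TCP SPT=40003 DPT=23 SYN
Dec  9 10:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=40 TTL=50 ID=4 PROTO=TCP SPT=40004 DPT=25 SYN
Dec  9 10:01:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=40 TTL=50 ID=5 PROTO=TCP SPT=40005 DPT=80 SYN
Dec  9 10:03:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=48 ID=9 PROTO=TCP SPT=51000 DPT=21 SYN
Dec  9 10:03:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=40 TTL=48 ID=10 PROTO=TCP SPT=51001 DPT=21 SYN
Dec  9 10:03:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=40 TTL=48 ID=11 PROTO=TCP SPT=51002 DPT=21 SYN
Dec  9 10:05:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TTL=60 ID=77 PROTO=TCP SPT=3344 DPT=80 SYN
Dec  9 10:06:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TTL=60 ID=78 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_log(text):
    """Return (src, dst, proto, dport) tuples in log order; lines without DPT are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def classify(events, vertical_min=5, horizontal_min=3):
    """Group denied packets by source address and label the pattern each source made.

    vertical-scan:   one source, one of our addresses, >= vertical_min distinct ports
                     (the "logs full of DENY messages for most of the common ports" case).
    horizontal-scan: one source, one port, >= horizontal_min of our addresses
                     (the range scan; only visible if this box fronts several addresses).
    single-probe:    below both thresholds; could be an ISP check rather than an attack.
    Grouping by SRC trusts the source address, which a spoofed or decoy scan (nmap -D)
    deliberately pollutes, so treat the label as a lead, not proof.
    """
    per_src = defaultdict(list)
    for src, dst, proto, dport in events:
        per_src[src].append((dst, proto, dport))

    findings = {}
    for src, hits in per_src.items():
        ports_by_dst = defaultdict(list)   # dst -> ports in arrival order
        dsts_by_port = defaultdict(set)    # (proto, port) -> our addresses hit
        for dst, proto, dport in hits:
            ports_by_dst[dst].append(dport)
            dsts_by_port[(proto, dport)].add(dst)

        labels = []
        for dst, ports in ports_by_dst.items():
            distinct = set(ports)
            if len(distinct) >= vertical_min:
                labels.append({
                    "kind": "vertical-scan",
                    "target": dst,
                    "count": len(distinct),
                    # True when ports arrived in ascending order (nmap -r style).
                    # nmap randomises port order by default, so False proves nothing.
                    "sequential": ports == sorted(ports),
                })
        for (proto, dport), dsts in dsts_by_port.items():
            if len(dsts) >= horizontal_min:
                labels.append({"kind": "horizontal-scan",
                               "target": f"{proto}/{dport}", "count": len(dsts)})
        if not labels:
            labels.append({"kind": "single-probe",
                           "target": sorted({f"{p}/{d}" for _, p, d in hits}),
                           "count": len(hits)})
        findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in classify(parse_log(SAMPLE_LOG)).items():
        for label in labels:
            print(src, label)
```

Feed it the real log (`classify(parse_log(open("/var/log/messages").read()))`) and raise the thresholds until the ISP's routine single-port sweeps drop into the single-probe bucket; what remains in the vertical-scan bucket is the "someone is interested in your box" pattern Greg describes.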