Re: scanning my ports

1999-09-25 Thread Nathan E Norman

On Fri, 24 Sep 1999, John Lapeyre wrote:

 :  Dear Security Staff:
 :I received 2086 connection attempts at several ports on September 22.
 :  The attempts were made from  IP address  pavlov.midco.net [24.220.0.13]
 :  The machine whose ports were scanned is 128.196.189.45 .
 :  Please make sure that this port scanning does not happen again.
 :  
 : Here are the first and last connection attempts 
 : 
 : Sep 22 02:01:23 homey tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]
 : Sep 22 21:20:18 homey tcplogd: port 24011 connection attempt from pavlov.midco.net [24.220.0.13]
 : 
 : Thanks for your cooperation.

Mr. Lapeyre,

You do realise that pavlov.midco.net is part of the DNS rotation
http.us.debian.org?

  [EMAIL PROTECTED]:~ $ host pavlov.midco.net
  pavlov.midco.net    A   24.220.0.13
  ^^^
  [EMAIL PROTECTED]:~ $ host http.us.debian.org
  http.us.debian.org  A   206.187.92.15
  http.us.debian.org  A   207.69.194.216
  http.us.debian.org  A   209.249.97.234
  http.us.debian.org  A   141.213.4.21
  http.us.debian.org  A   24.220.0.13
  ^^^

I see no evidence in the logs that you are being port scanned - I feel
it's more likely that your use of the mirror here is at issue.  You may
of course disagree.

Nevertheless, I will shut down the mirror here and rebuild this machine
from scratch, implementing draconian and paranoid security measures.

If I receive further complaints of "abuse" from Debian project
participants, I will be forced to remove the mirror entirely.
Complaints to "[EMAIL PROTECTED]" are viewed by members of the
management team as well as members of the technical staff, and I regret
to inform you that one of the members of the management team has reacted
to your complaint in an abusive and non-productive manner that will
certainly impact our ability to help Debian in the future.

I regret the "shoot the messenger" tone of this email; understandably
security is important and potential abuses should be dealt with swiftly
and forcefully, given the state of the Internet today.  Nevertheless,
common sense can and should be exercised whenever possible.

I reiterate that today I remove "pavlov.midco.net" from the mirror
rotation "http.us.debian.org".  HTTP, FTP, and RSYNC access to this
machine will be turned off upon completion of this email. The machine
will be shut down and rebuilt from scratch.  Mirror services *may* be
restored at that point, if I can convince management that the benefits
of hosting a mirror outweigh the liabilities.

Sincerely,

- --
Nathan Norman - Network Specialist    mailto:[EMAIL PROTECTED]
High Speed Internet Access            http://www.midco.net
finger [EMAIL PROTECTED] for PGP Key ID: (0xA33B86E9)




Re: scanning my ports

1999-09-25 Thread John Lapeyre
Nathan E Norman wrote:

> Mr. Lapeyre,
> 
> You do realise that pavlov.midco.net is part of the DNS rotation
> http.us.debian.org?
  No, I didn't.  I was using the mirror.  I am in error.  Obviously
the connections to several ports on my machine were a legitimate part
of the transfer of data to my machine.  I made the accusations out
of ignorance.

> I see no evidence in the logs that you are being port scanned - I feel
> it's more likely that your use of the mirror here is at issue.  You may
> of course disagree.
  No, I agree.  The connection attempts in my log were made to transfer
data that I requested.
> 
> Nevertheless, I will shut down the mirror here and rebuild this machine
> from scratch, implementing draconian and paranoid security measures.
   Please don't do this.  I don't see any need to do this.
> 
> If I receive further complaints of "abuse" from Debian project
> participants, I will be forced to remove the mirror entirely.
> Complaints to "[EMAIL PROTECTED]" are viewed by members of the
> management team as well as members of the technical staff, and I regret
> to inform you that one of the members of the management team has reacted
> to your complaint in an abusive and non-productive manner that will
> certainly impact our ability to help Debian in the future.

  I feel  sorry for this person. 

> 
> I regret the "shoot the messenger" tone of this email; understandably
> security is important and potential abuses should be dealt with swiftly
> and forcefully, given the state of the Internet today.  Nevertheless,
> common sense can and should be exercised whenever possible.
  I made a mistake, and made a false accusation.  I am very sorry to
have wasted the time of your security team.  Maybe you can avoid further
waste of time by accepting my retraction of accusations and realizing that
now there is no evidence and no accusation of a security problem, and
therefore, no reason to take action on a suspected security problem.

   I apologize to the project for throwing a wrench in the mirroring
system.

-- 
John Lapeyre <[EMAIL PROTECTED]>,  [EMAIL PROTECTED]
Tucson, AZ  http://www.physics.arizona.edu/~lapeyre



Re: scanning my ports

1999-09-26 Thread Mark W. Eichin
In addition to apologies to Mr. Norman, perhaps there's some value in
either (1) making tcplogd etc. require enough configuration to force
people to read the documentation, or (2) enhance those packages to
interpret things a little more, so they scare naive users a bit less?



Re: scanning my ports

1999-09-26 Thread Nathan E Norman
On 26 Sep 1999, Mark W. Eichin wrote:

 : In addition to apologies to Mr. Norman, perhaps there's some value in
 : either (1) making tcplogd etc. require enough configuration to force
 : people to read the documentation, or (2) enhance those packages to
 : interpret things a little more, so they scare naive users a bit less?

No apologies necessary.  The mirror services have been restored.

I apologise for the incendiary tone of my original email; I was pretty
upset.  Mr. Lapeyre and I have continued to correspond via private mail
and I feel we've got everything worked out.

An important point to consider in this particular case:  The PTR record
for "24.220.0.13" resolves to "pavlov.midco.net" rather than
"debian.midco.net" which would certainly be more obvious in most cases.
Unfortunately, there are issues with changing the PTR record to a more
"correct" value, as the machine has other responsibilities.

My co-workers and I are planning to purchase a new system board,
processor and case which along with some hardware donations ( :) ) will
become "debian.midco.net", leaving pavlov to his more mundane tasks.
This should prove beneficial to both the project and Midcontinent. (If
anyone wants to contribute something, let me know.  I think we've got it
mostly covered.)

--
Nathan Norman
MidcoNet  410 South Phillips Avenue  Sioux Falls, SD
mailto:[EMAIL PROTECTED]   http://www.midco.net
finger [EMAIL PROTECTED] for PGP Key: (0xA33B86E9)




Re: scanning my ports

1999-09-26 Thread Jason Gunthorpe

On 26 Sep 1999, Mark W. Eichin wrote:

> In addition to apologies to Mr. Norman, perhaps there's some value in
> either (1) making tcplogd etc. require enough configuration to force
> people to read the documentation, or (2) enhance those packages to
> interpret things a little more, so they scare naive users a bit less?

debian-admin gets reports like this on virtually a monthly basis; the
response is always that the user is using port mode ftp and that the site
is an ftp server.

Some of the 'reports' are extremely angry and irritated - I think the best
one was from some admin who had a user who subscribed to a Debian list;
he was incensed that we were 'attacking' his mail server by *gasp* sending
it mail!

Jason
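The two explanations given in this thread (Nathan's check that the "scanning" host is one of the A records of http.us.debian.org, and Jason's point that an FTP server in port mode connects back to the client) can be turned into a small triage script for tcplogd output. This is an added example, not code from the thread or from the tcplogd package; the log lines and the mirror address table are constructed stand-ins for a real syslog and a real `host` lookup.

```python
import re
from collections import defaultdict

# Constructed tcplogd-style lines, modelled on the two quoted in the thread plus a scan-like burst.
LOG_LINES = [
    "Sep 22 02:01:23 homey tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]",
    "Sep 22 21:20:18 homey tcplogd: port 24011 connection attempt from pavlov.midco.net [24.220.0.13]",
    "Sep 22 03:14:07 homey tcplogd: telnet connection attempt from unknown [192.0.2.44]",
    "Sep 22 03:14:07 homey tcplogd: port 21 connection attempt from unknown [192.0.2.44]",
    "Sep 22 03:14:08 homey tcplogd: port 25 connection attempt from unknown [192.0.2.44]",
    "Sep 22 03:14:08 homey tcplogd: port 110 connection attempt from unknown [192.0.2.44]",
    "Sep 22 03:14:09 homey tcplogd: port 143 connection attempt from unknown [192.0.2.44]",
]

# Hypothetical offline stand-in for the `host http.us.debian.org` lookup shown in the thread.
MIRROR_ROTATIONS = {"http.us.debian.org": {"206.187.92.15", "207.69.194.216", "209.249.97.234",
                                           "141.213.4.21", "24.220.0.13"}}

LINE_RE = re.compile(
    r"tcplogd: (?:port (?P<port>\d+)|(?P<svc>\w+)) connection attempt from \S+ \[(?P<ip>[\d.]+)\]")
SERVICE_PORTS = {"auth": 113, "telnet": 23, "ftp": 21, "smtp": 25}  # service names tcplogd prints

def parse(line):
    """Return (source_ip, destination_port) for a tcplogd line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    port = int(m["port"]) if m["port"] else SERVICE_PORTS.get(m["svc"])
    return (m["ip"], port)

def classify(lines, scan_threshold=4):
    """Label each source IP as mirror traffic, a possible port scan, or unclassified."""
    ports = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev:
            ports[ev[0]].add(ev[1])
    verdict = {}
    for ip, dports in ports.items():
        in_rotation = any(ip in addrs for addrs in MIRROR_ROTATIONS.values())
        # An ident (auth, 113) lookup and active-mode FTP data connections to the client's
        # ephemeral ports (>1023) are the server completing the transfer, not probing it.
        only_mirror_ports = all(p == 113 or (p is not None and p > 1023) for p in dports)
        if in_rotation and only_mirror_ports:
            verdict[ip] = "mirror traffic (ident lookup / active-mode FTP data)"
        elif len({p for p in dports if p is not None and p < 1024}) >= scan_threshold:
            verdict[ip] = "possible port scan"
        else:
            verdict[ip] = "unclassified"
    return verdict
```

In practice the rotation table would be refreshed from DNS before each run, and a source that hits many distinct privileged ports in a short window is the pattern worth escalating; a known mirror touching port 113 and high ports is not.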