Somebody's scanning my ports or what?
Hi all:

To continue my new Linux user paranoia, I have just noticed in xconsole that someone's been trying to connect to every port from port 2 thru 1024. It looks like this:

    Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from [EMAIL PROTECTED] [206.47.37.4]
    Apr 27 20:03:09 main tcplogd: port 2 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
    Apr 27 20:03:09 main tcplogd: port 3 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
    Apr 27 20:03:09 main tcplogd: port 4 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
    ...
    ...
    Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from [EMAIL PROTECTED] [206.47.37.4]

This one was the last. Bellglobal is my ISP provider, and I'm connected via ADSL modem. In between these messages sometimes there are the following (I guess that's when an existing service was found):

    Apr 27 20:03:46 main in.telnetd[7141]: connect from cpu.adsl.bellglobal.com
    Apr 27 20:04:34 main in.ftpd[7145]: connect from cpu.adsl.bellglobal.com

Is this within the frames of acceptable? I feel like complaining, but don't want to look like an idiot. :) Any comments highly appreciated!

--
Arcady Genkin
I opened up my wallet, and it's full of blood... - GsYDE
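A detector for the pattern in the log excerpt above (one source walking many ports in a short time), as an added example that is not part of this thread. It parses the tcplogd line format shown in the post; the sample lines and the ident@host field are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the tcplogd format shown in the post (not the poster's real log).
SAMPLE_LOG = """\
Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from ident@example.net [206.47.37.4]
Apr 27 20:03:09 main tcplogd: port 2 connection attempt from ident@example.net [206.47.37.4]
Apr 27 20:03:09 main tcplogd: port 3 connection attempt from ident@example.net [206.47.37.4]
Apr 27 20:03:46 main in.telnetd[7141]: connect from cpu.adsl.bellglobal.com
Apr 27 20:03:50 main tcplogd: port 25 connection attempt from ident@example.net [206.47.37.4]
Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from ident@example.net [206.47.37.4]
Apr 27 21:15:00 main tcplogd: port 80 connection attempt from ident@example.net [10.0.0.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ tcplogd: "
    r"(?:tcpmux|port (?P<port>\d+)) connection attempt from \S+ \[(?P<src>[\d.]+)\]$"
)

def parse_tcplogd(text, year=1999):
    """Yield (timestamp, source_ip, port) per tcplogd attempt line; syslog stamps
    carry no year, so one is assumed, and 'tcpmux' is TCP port 1."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpd 'connect from' lines and other daemons are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["port"]) if m["port"] else 1

def find_sweeps(text, max_gap=300, min_ports=5, year=1999):
    """Group each source's attempts into bursts whose consecutive attempts are at most
    max_gap seconds apart; a burst touching >= min_ports distinct ports is a sweep."""
    by_src = defaultdict(list)
    for ts, src, port in parse_tcplogd(text, year):
        by_src[src].append((ts, port))
    sweeps = []
    for src, events in by_src.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the last burst
            if ev is not None and (ev[0] - burst[-1][0]).total_seconds() <= max_gap:
                burst.append(ev)
                continue
            ports = {p for _, p in burst}
            if len(ports) >= min_ports:
                sweeps.append({"source": src, "first": burst[0][0], "last": burst[-1][0], "ports": sorted(ports)})
            if ev is not None:
                burst = [ev]
    return sweeps
```

Lower max_gap or raise min_ports to trade sensitivity for fewer false alarms; a single host hitting one port repeatedly never qualifies.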
Re: Somebody's scanning my ports or what?
In foo.debian-user, you wrote:

> Hi all:
>
> To continue my new Linux user paranoia, I have just noticed in xconsole that someone's been trying to connect to every port from port 2 thru 1024. It looks like this:
>
>     Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 2 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 3 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 4 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     ...
>     ...
>     Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>
> This one was the last. Bellglobal is my ISP provider, and I'm connected via ADSL modem. In between these messages sometimes there are the following (I guess that's when an existing service was found):
>
>     Apr 27 20:03:46 main in.telnetd[7141]: connect from cpu.adsl.bellglobal.com
>     Apr 27 20:04:34 main in.ftpd[7145]: connect from cpu.adsl.bellglobal.com
>
> Is this within the frames of acceptable? I feel like complaining, but don't want to look like an idiot. :) Any comments highly appreciated!

This is not acceptable. This is analogous to some stranger on the street coming up and feeling your crotch. I suggest you contact bellglobal and complain. If that does not work, learn proper counter-measures.

-Mitch
Re: Somebody's scanning my ports or what?
I'm getting this kind of thing about 2 or 3 times a week... with some NetBus and BO tries. I sent lots of emails to their ISP but still receive 2 or 3 attacks per week from other IPs... What should I do? Is there a way to protect me against this? Currently I have fakebo.

Benoit Joly

On 27 Apr 1999, Arcady Genkin wrote:

> Hi all:
>
> To continue my new Linux user paranoia, I have just noticed in xconsole that someone's been trying to connect to every port from port 2 thru 1024. It looks like this:
>
>     Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 2 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 3 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 4 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     ...
>     ...
>     Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>
> This one was the last. Bellglobal is my ISP provider, and I'm connected via ADSL modem. In between these messages sometimes there are the following (I guess that's when an existing service was found):
>
>     Apr 27 20:03:46 main in.telnetd[7141]: connect from cpu.adsl.bellglobal.com
>     Apr 27 20:04:34 main in.ftpd[7145]: connect from cpu.adsl.bellglobal.com
>
> Is this within the frames of acceptable? I feel like complaining, but don't want to look like an idiot. :) Any comments highly appreciated!
>
> --
> Arcady Genkin
> I opened up my wallet, and it's full of blood... - GsYDE

--
Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Somebody's scanning my ports or what?
Hi, I want to thank you for this bunch of useful things :) I just found a free tool to minimize attacks on a Linux box... logchecker, portsentry which automatically denies suspected hosts, hostsentry for watching login access... http://www.psionic.com/abacus/ seems to be nice.

Benoit Joly

On Tue, 27 Apr 1999, George Bonser wrote:

> On Tue, 27 Apr 1999, Benoit.Joly wrote:
>
> > I'm getting this kind of thing about 2 or 3 times a week... with some NetBus and BO tries. I sent lots of emails to their ISP but still receive 2 or 3 attacks per week from other IPs... What should I do? Is there a way to protect me against this? Currently I have fakebo.
> >
> > Benoit Joly
>
> You can not prevent your system from being scanned, all you can do is control what is learned from the scan. It is not a crime, as far as I know, to simply attempt connections to a machine on the public internet.
>
> First thing I would do is only have ONE machine exposed directly to the internet. Use this machine as a firewall/gateway for all the other machines. Turn off all services on this machine that you are not using. Carefully plan and put into place a set of packet forwarding / masquerading rules for traffic between your internal protected network and the public internet.
>
> For services that you wish to provide to outside hosts, make a separate network different from the internal network. This is commonly called a DMZ in network documents. So your internet firewall / gateway will probably have THREE interfaces if you wish to provide public access to some services:
>
> 1. The interface to the external internet.
> 2. The interface to the private local network.
> 3. The interface to the internal network with public services (www, ftp, mail, news, etc.)
>
> The whole world can access certain ports in your public access net (80, 21, 23, 25, 119, etc.). Nobody in the outside world has direct access to your internal net. Nobody on the public access net has access to your internal net, and your internal net has access to everything.
Re: Somebody's scanning my ports or what?
> > I'm getting this kind of thing about 2 or 3 times a week... with some NetBus and BO tries. I sent lots of emails to their ISP but still receive 2 or 3 attacks per week from other IPs... What should I do? Is there a way to protect me against this? Currently I have fakebo.
> >
> > Benoit Joly
>
> You can not prevent your system from being scanned, all you can do is control what is learned from the scan. It is not a crime, as far as I know, to simply attempt connections to a machine on the public internet.

We (as an ISP) do report portscans to the provider of the scanner. And almost always we get the reply that the scanner has been warned or something similar. A portscan can only be used for criminal actions, so providers do see it as a crime.

Groetjes,
Ookhoi

> First thing I would do is only have ONE machine exposed directly to the internet. Use this machine as a firewall/gateway for all the other machines. Turn off all services on this machine that you are not using. Carefully plan and put into place a set of packet forwarding / masquerading rules for traffic between your internal protected network and the public internet.
>
> For services that you wish to provide to outside hosts, make a separate network different from the internal network. This is commonly called a DMZ in network documents. So your internet firewall / gateway will probably have THREE interfaces if you wish to provide public access to some services:
>
> 1. The interface to the external internet.
> 2. The interface to the private local network.
> 3. The interface to the internal network with public services (www, ftp, mail, news, etc.)
>
> The whole world can access certain ports in your public access net (80, 21, 23, 25, 119, etc.). Nobody in the outside world has direct access to your internal net. Nobody on the public access net has access to your internal net, and your internal net has access to everything.
Re: Somebody's scanning my ports or what?
Why don't you use ipfwadm?? I got almost the same problem... Type man ipfwadm

Regards,
Anderson

At 21:38 27/04/99 -0400, Benoit.Joly wrote:

> I'm getting this kind of thing about 2 or 3 times a week... with some NetBus and BO tries. I sent lots of emails to their ISP but still receive 2 or 3 attacks per week from other IPs... What should I do? Is there a way to protect me against this? Currently I have fakebo.
>
> Benoit Joly
>
> On 27 Apr 1999, Arcady Genkin wrote:
>
> > Hi all:
> >
> > To continue my new Linux user paranoia, I have just noticed in xconsole that someone's been trying to connect to every port from port 2 thru 1024. It looks like this:
> >
> >     Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from [EMAIL PROTECTED] [206.47.37.4]
> >     Apr 27 20:03:09 main tcplogd: port 2 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
> >     Apr 27 20:03:09 main tcplogd: port 3 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
> >     Apr 27 20:03:09 main tcplogd: port 4 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
> >     ...
> >     ...
> >     Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
> >
> > This one was the last. Bellglobal is my ISP provider, and I'm connected via ADSL modem. In between these messages sometimes there are the following (I guess that's when an existing service was found):
> >
> >     Apr 27 20:03:46 main in.telnetd[7141]: connect from cpu.adsl.bellglobal.com
> >     Apr 27 20:04:34 main in.ftpd[7145]: connect from cpu.adsl.bellglobal.com
> >
> > Is this within the frames of acceptable? I feel like complaining, but don't want to look like an idiot. :) Any comments highly appreciated!
> >
> > --
> > Arcady Genkin
> > I opened up my wallet, and it's full of blood... - GsYDE
Re: Somebody's scanning my ports or what? REVISITED
Arcady Genkin [EMAIL PROTECTED] writes:

I've checked my logs and discovered that exactly the same thing happened exactly a week ago at the same hour. The same IP too. The regularity for me implies that it could be a routine my ISP is running weekly. Also, the IP is in my ISP's domain. Is that practice accepted anywhere else, or is it just my ISP's invention (assuming I'm correct to say that it *is* the ISP and not some CrAcKeR dUdE)?

FWIW I've posted entire extracts from the logs of April 27 and April 20 at http://www3.sympatico.ca/genkin/daemon.log

I've also complained to [EMAIL PROTECTED]

Thanks for any input.

> To continue my new Linux user paranoia, I have just noticed in xconsole that someone's been trying to connect to every port from port 2 thru 1024. It looks like this:
>
>     Apr 27 20:03:09 main tcplogd: tcpmux connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 2 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 3 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     Apr 27 20:03:09 main tcplogd: port 4 connection attempt from [EMAIL PROTECTED] [206.47.37.4]
>     ...
>     ...
>     Apr 27 20:08:13 main tcplogd: port 1024 connection attempt from [EMAIL PROTECTED] [206.47.37.4]

--
Arcady Genkin
I opened up my wallet, and it's full of blood... - GsYDE
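A check for the weekly pattern noticed above (same source, same hour, seven days apart), as an added example that is not part of this thread. The sweep start times are constructed, shaped like the output of a sweep detector run over tcplogd logs; the period and tolerance are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sweep summaries (source, time the sweep started); not the poster's data.
SWEEPS = [
    ("206.47.37.4", datetime(1999, 4, 20, 20, 3, 9)),
    ("10.0.0.9", datetime(1999, 4, 23, 2, 10, 0)),
    ("206.47.37.4", datetime(1999, 4, 25, 20, 5, 0)),
    ("206.47.37.4", datetime(1999, 4, 27, 20, 3, 11)),
]

def weekly_recurrences(sweeps, period=timedelta(days=7), tolerance=timedelta(minutes=15)):
    """Return {source: [(earlier, later), ...]} for pairs of sweeps from the same
    source whose start times are one period apart, within tolerance. Such pairs
    point to a scheduled job (e.g. an ISP's routine) rather than an opportunistic
    scan, which is the question the post raises."""
    starts = defaultdict(list)
    for src, ts in sweeps:
        starts[src].append(ts)
    found = defaultdict(list)
    for src, times in starts.items():
        times.sort()
        for i, a in enumerate(times):
            for b in times[i + 1:]:
                if abs((b - a) - period) <= tolerance:
                    found[src].append((a, b))
    return dict(found)
```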