From: Rick on 23 Feb 2010 20:45

Leythos wrote:
> In article <hm0uof$1h0$2(a)news.eternal-september.org>,
> rick0.merrill(a)gmail.com.lessspam says...
>> So you're saying it is a coincidence and I should "echo off paranoia".
>>
>
> I have 32 IP addresses and a Commercial Grade firewall on our network.
> We see about 8000 attempts per day across those IP's - it's almost
> always a range of ports they scan from the same IP - the ones I consider
> the largest threat are the ones that scan 5-10 ports every day, slowly,
> so that they are harder to detect if you're not sure what you're looking
> for.
>
> Do I worry about them - not much, but I have about 60 IP subnets in our
> permanent block list (mostly outside the USA).
>

Have you seen one of these, and what might it mean?

02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour
02/21/2010 00:06:44.608 - Notice - Network Access - UDP packet dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour

Sam Spade says 224.... is reserved...
From: Moe Trin on 23 Feb 2010 21:55

On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm0uof$1h0$2(a)news.eternal-september.org>, Rick wrote:

>Moe Trin wrote:

>> Sorry to disappoint you - but you aren't that important. EVERYONE is
>> seeing (and ignoring) this stuff. They really aren't picking on your
>> address any more than they're picking on everyone else.

>So you're saying it is a coincidence and I should "echo off paranoia".

I think that's 'echo 0 > paranoia' but yeah that's about the size of it.

>One more thing however, it only took 15 minutes from the first use of
>the ftp server before these, let's call 'em probes, started. Once upon
>a time (before sonicwall) they would try a username-password script.

Perhaps a coincidence - I mentioned the port 12200 source stuff as being
a script - it's just looking for something to respond (when it does,
the actual controller box will make a connection and do its thing).
For just looking at an "are you alive" type response, a single computer
can test a /8 (a former "Class 'A'") address range in about 17 minutes,
all by itself. That limit is set by the 10 MHz bandwidth of the old
style Ethernet. If it's on a 100BaseT net, it's about twice as fast.

As for the username-password stuff - be glad you aren't running a
publicly visible SSH server on port 22. They get pounded trying all
kinds of common usernames/passwords.

Old guy
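The "pounded with common usernames/passwords" pattern Moe Trin describes is easy to see in the sshd log itself. The following is an added example, not code from the thread: it counts failed password attempts per source address over constructed OpenSSH-style log lines (the addresses, hostnames and the 5-attempt / 3-username thresholds are assumptions, not data from the original post).

```python
"""Count failed SSH password guesses per source address in sshd log lines.

Added example for the 'publicly visible SSH server on port 22 gets
pounded' point above; not code from the original thread. The log lines
below are constructed samples in the usual OpenSSH syslog format, not a
real capture, and the thresholds are arbitrary assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one noisy guesser, one quiet one, one legitimate
# key-based login, and one 'Invalid user' line that never got to PASS.
SAMPLE_AUTH_LOG = """\
Feb 23 21:40:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Feb 23 21:40:03 gw sshd[4012]: Failed password for invalid user oracle from 203.0.113.9 port 51023 ssh2
Feb 23 21:40:05 gw sshd[4013]: Failed password for root from 203.0.113.9 port 51024 ssh2
Feb 23 21:40:07 gw sshd[4014]: Failed password for invalid user test from 203.0.113.9 port 51025 ssh2
Feb 23 21:40:09 gw sshd[4015]: Failed password for invalid user guest from 203.0.113.9 port 51026 ssh2
Feb 23 21:41:30 gw sshd[4020]: Failed password for invalid user admin from 198.51.100.7 port 40400 ssh2
Feb 23 21:42:11 gw sshd[4025]: Accepted publickey for rick from 192.168.1.70 port 55100 ssh2
Feb 23 21:43:55 gw sshd[4030]: Invalid user pi from 203.0.113.9 port 51027
"""

# 'invalid user' is present when the account does not exist at all;
# for real accounts (root here) sshd omits it, so the group is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: {username: failure_count}} for failed password attempts."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}


def password_guessers(log_text, min_failures=5, min_distinct_users=3):
    """Sources that either failed often or cycled through several usernames.

    Cycling usernames is the tell for a wordlist script rather than a
    person mistyping one password; either condition flags the source.
    """
    suspects = {}
    for ip, users in failed_logins_by_source(log_text).items():
        total = sum(users.values())
        if total >= min_failures or len(users) >= min_distinct_users:
            suspects[ip] = {"failures": total, "usernames": sorted(users)}
    return suspects


if __name__ == "__main__":
    for ip, info in password_guessers(SAMPLE_AUTH_LOG).items():
        print(ip, info["failures"], "failures, tried:", ", ".join(info["usernames"]))
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`) the same two functions give the per-source picture that tools such as fail2ban act on; the second host above, with a single failure, is exactly the noise Moe Trin says everyone sees and ignores.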
From: Moe Trin on 23 Feb 2010 21:56

On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm20c5$1vd$1(a)news.eternal-september.org>, Rick wrote:

>Leythos wrote:

>> We see about 8000 attempts per day across those IP's - it's almost
>> always a range of ports they scan from the same IP - the ones I
>> consider the largest threat are the ones that scan 5-10 ports every
>> day, slowly, so that they are harder to detect if you're not sure
>> what you're looking for.

>> Do I worry about them - not much, but I have about 60 IP subnets in
>> our permanent block list (mostly outside the USA).

The only service that I offer (SSH) is limited to 3 subnets - 1530
addresses in total. Cuts the noise down substantially.

>Have you seen one of these, and what might it mean?

>02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet
>dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 -
> UDP Apple Bonjour

It's telling you - "Apple Bonjour". You've got a Linux box running
Avahi, or a Mac. I'm betting on the Linux box, so try 'locate avahi'
to find the documentation.

>Sam Spade says 224.... is reserved...

http://www.iana.org/assignments/multicast-addresses

Sam Spade is rather clueless.

Old guy
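Two things in the exchange above lend themselves to a small log-triage script: separating the 224.0.0.251:5353 (mDNS/Bonjour/Avahi) chatter from real inbound probes, and spotting Leythos's slow "5-10 ports a day from one address" scanners. The block below is an added example, not code from the thread or from the firewall vendor. The first two log lines are the ones Rick quoted; the rest are constructed in the same layout. The field order (timestamp, priority, category, message, source, destination, note) is inferred from those two lines, and the LAN range 192.168.1.0/24 and the external addresses are assumptions.

```python
"""Triage 'packet dropped' firewall log lines: local multicast vs inbound
probes, then distinct-ports-per-source-per-day for slow scanners.

Added example, not code from the thread. The first two SAMPLE_FW_LOG
lines are from Rick's post; the rest are constructed. Field order and
the LAN range are assumptions.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_FW_LOG = """\
02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour
02/21/2010 00:06:44.608 - Notice - Network Access - UDP packet dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour
02/21/2010 03:12:09.101 - Notice - Network Access - TCP packet dropped - 203.0.113.9, 12200, X0 - 198.51.100.20, 21 - TCP FTP
02/21/2010 07:48:51.220 - Notice - Network Access - TCP packet dropped - 203.0.113.9, 12200, X0 - 198.51.100.20, 22 - TCP SSH
02/21/2010 11:03:17.005 - Notice - Network Access - TCP packet dropped - 203.0.113.9, 12200, X0 - 198.51.100.20, 23 - TCP Telnet
02/21/2010 15:31:40.913 - Notice - Network Access - TCP packet dropped - 203.0.113.9, 12200, X0 - 198.51.100.20, 25 - TCP SMTP
02/21/2010 22:59:02.377 - Notice - Network Access - TCP packet dropped - 203.0.113.9, 12200, X0 - 198.51.100.20, 80 - TCP HTTP
02/21/2010 12:00:00.000 - Notice - Network Access - TCP packet dropped - 198.51.100.77, 44321, X0 - 198.51.100.20, 445 - TCP SMB
"""

# Assumption: the inside network is 192.168.1.0/24 (Rick's 192.168.1.70 host).
LAN = ipaddress.ip_network("192.168.1.0/24")
# 224.0.0.0/24 is IANA's Local Network Control Block: sent with TTL 1 and
# never forwarded off the link. 224.0.0.251:5353 is mDNS (Bonjour/Avahi).
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")
MDNS = (ipaddress.ip_address("224.0.0.251"), 5353)


def parse_line(line):
    """Split one ' - '-delimited log line into a dict, or None if malformed."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 6:
        return None
    src = [p.strip() for p in parts[4].split(",")]   # ip, port, interface
    dst = [p.strip() for p in parts[5].split(",")]   # ip, port[, interface]
    try:
        return {
            "time": datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S.%f"),
            "message": parts[3],
            "proto": parts[3].split()[0],
            "src": ipaddress.ip_address(src[0]),
            "sport": int(src[1]),
            "dst": ipaddress.ip_address(dst[0]),
            "dport": int(dst[1]),
            "note": parts[6] if len(parts) > 6 else "",
        }
    except (ValueError, IndexError):
        return None


def classify(rec):
    """Label a dropped packet by what it most likely is."""
    if (rec["dst"], rec["dport"]) == MDNS:
        return "mdns"                  # LAN service discovery, harmless
    if rec["dst"] in LOCAL_CONTROL_BLOCK:
        return "link-local-multicast"  # other TTL-1 control traffic
    if rec["dst"].is_multicast:
        return "multicast"
    if rec["src"] in LAN:
        return "lan-outbound"
    return "inbound"


def summarize(log_text):
    """Count parsed records per class, e.g. {'mdns': 2, 'inbound': 6}."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return dict(Counter(classify(r) for r in recs if r))


def slow_scanners(log_text, min_ports=5):
    """Internet sources touching at least min_ports distinct ports in one day."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "inbound":
            ports[(str(rec["src"]), rec["time"].date())].add(rec["dport"])
    return {src: sorted(p) for (src, _day), p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(summarize(SAMPLE_FW_LOG))
    print(slow_scanners(SAMPLE_FW_LOG))
```

The mDNS lines are the firewall refusing to route link-local multicast, which is the correct behaviour and not a probe; the interesting output is the one external source that touched five ports spread across a day, the pattern Leythos says is the hardest to notice by eye.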
From: Rick on 24 Feb 2010 06:25

Moe Trin wrote:
> On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
> article <hm0uof$1h0$2(a)news.eternal-september.org>, Rick wrote:
>
>> Moe Trin wrote:
>
>>> Sorry to disappoint you - but you aren't that important. EVERYONE is
>>> seeing (and ignoring) this stuff. They really aren't picking on your
>>> address any more than they're picking on everyone else.
>
>> So you're saying it is a coincidence and I should "echo off paranoia".
>
> I think that's 'echo 0 > paranoia' but yeah that's about the size of it.
>
>> One more thing however, it only took 15 minutes from the first use of
>> the ftp server before these, let's call 'em probes, started. Once upon
>> a time (before sonicwall) they would try a username-password script.
>
> Perhaps a coincidence - I mentioned the port 12200 source stuff as being
> a script - it's just looking for something to respond (when it does,
> the actual controller box will make a connection and do its thing).
> For just looking at an "are you alive" type response, a single computer
> can test a /8 (a former "Class 'A'") address range in about 17 minutes,
> all by itself. That limit is set by the 10 MHz bandwidth of the old
> style Ethernet. If it's on a 100BaseT net, it's about twice as fast.
>
> As for the username-password stuff - be glad you aren't running a
> publicly visible SSH server on port 22. They get pounded trying all
> kinds of common usernames/passwords.
>
> Old guy

So moving to sftp would not help - is that what you're saying?
From: Moe Trin on 24 Feb 2010 15:00

On Wed, 24 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm32c1$d0n$5(a)news.eternal-september.org>, Rick wrote:

>Moe Trin wrote:

>> Rick wrote:

>>> One more thing however, it only took 15 minutes from the first use of
>>> the ftp server before these, let's call 'em probes, started. Once upon
>>> a time (before sonicwall) they would try a username-password script.

>> As for the username-password stuff - be glad you aren't running a
>> publicly visible SSH server on port 22. They get pounded trying all
>> kinds of common usernames/passwords.

>So moving to sftp would not help - is that what you're saying?

Depends on what you are doing with FTP. There are tens of thousands of
FTP sites on the Internet that allow anonymous downloads. I don't do
windoze, but for Linux, you should be aware of places like ibiblio.org
(the former sunsite.unc.edu, which was renamed metalab.unc.edu before
its current rename), 'distro.ibiblio.org' and the site specific to
your Linux distribution. These sites are giving software/files away,
and all you need is the username ('ftp' or 'anonymous') and your email
address as password. Nothing to hide or secure, so FTP is fine.

Other sites restrict access to specific users, and may even allow
uploads. For this, FTP is less suitable, primarily because the username
and password go over the net as clear text - visible to anyone using a
packet sniffer. 'sftp' or similar protocol using encrypted networking,
is a more robust solution.

Still other sites have even tighter restrictions. For that, one-time
authentication methods (often involving security tokens like SecurID
(Security Dynamics Co - now rsa.com) or CryptoCard (cryptocard.com) or
similar) are more desirable. It's a bit dated, but see "Practical UNIX
and Internet Security, Third Edition" by Garfinkel, Spafford, and
Schwartz (O'Reilly and Associates, ISBN 0-596-00323-4, 984 pgs,
Feb. 2003, US$55).

Old guy
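To make Moe Trin's distinction concrete (anonymous FTP exposes nothing worth protecting; a named account over FTP hands its password to any sniffer on the path), here is an added example that is not code from the thread. It plays the sniffer's side: given the reassembled FTP control channel, it pulls out USER/PASS and reports only the sessions that leak a real account. The two "captures" are constructed byte strings, not real traffic, and the usernames, password and banners are assumptions.

```python
"""Extract FTP credentials from a captured control channel and flag the
sessions that actually expose an account.

Added example, not from the thread. CAPTURED_SESSIONS is a constructed
stand-in for what a sniffer hands back after TCP reassembly: a list of
(direction, payload) segments, 'C' client->server, 'S' server->client.
"""

# Constructed captures. 'mirror' is the anonymous-download case Moe Trin
# calls fine; 'private' is a named account uploading, the case for sftp.
CAPTURED_SESSIONS = {
    "mirror": [
        ("S", b"220 distro mirror FTP ready\r\n"),
        ("C", b"USER anonymous\r\n"),
        ("S", b"331 Please specify the password.\r\n"),
        ("C", b"PASS rick@example.org\r\n"),
        ("S", b"230 Login successful.\r\n"),
        ("C", b"RETR README\r\n"),
    ],
    "private": [
        ("S", b"220 Welcome\r\n"),
        ("C", b"USER rick\r\n"),
        ("S", b"331 Password required for rick.\r\n"),
        ("C", b"PASS Tr0ub4dor&3\r\n"),
        ("S", b"230 User rick logged in.\r\n"),
        ("C", b"STOR report.pdf\r\n"),
    ],
}

# RFC 1635 anonymous logins; the 'password' is by convention an e-mail address.
ANONYMOUS_USERS = {"anonymous", "ftp"}


def client_commands(segments):
    """Reassemble the client->server byte stream and yield (VERB, argument)."""
    stream = b"".join(payload for direction, payload in segments if direction == "C")
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        verb, _, arg = raw.decode("latin-1").partition(" ")
        yield verb.upper(), arg


def server_accepted_login(segments):
    """True if the server ever sent a 230 (logged in) reply."""
    return any(d == "S" and p.startswith(b"230") for d, p in segments)


def extract_credentials(segments):
    """Return the first USER/PASS pair seen, or None if no USER was sent.

    The whole point of the exercise: nothing here decrypts anything,
    because the FTP control channel is plain text on the wire.
    """
    user = password = None
    for verb, arg in client_commands(segments):
        if verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None:
            password = arg
            break
    if user is None:
        return None
    return {
        "user": user,
        "password": password,
        "anonymous": user.lower() in ANONYMOUS_USERS,
        "login_ok": server_accepted_login(segments),
    }


def sessions_exposing_real_accounts(captures):
    """Only the sessions whose sniffed credentials are worth anything."""
    exposed = {}
    for name, segments in captures.items():
        creds = extract_credentials(segments)
        if creds and not creds["anonymous"]:
            exposed[name] = creds
    return exposed


if __name__ == "__main__":
    for name, creds in sessions_exposing_real_accounts(CAPTURED_SESSIONS).items():
        print(f"{name}: {creds['user']} / {creds['password']} (login ok: {creds['login_ok']})")
```

The same sniffer on an sftp session sees the SSH version banners and then only the encrypted binary packet protocol, which is why moving a named account from FTP to sftp does help even though it does nothing about the port scans.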