
Thread: port scans

  1. #21
    Leythos
    Guest

    Re: port scans

    In article <hm0uof$1h0$2@news.eternal-september.org>,
    rick0.merrill@gmail.com.lessspam says...
    > So you're saying it is a coincidence and I should "echo off paranoia".
    >


    I have 32 IP addresses and a Commercial Grade firewall on our network.
    We see about 8000 attempts per day across those IP's - it's almost
    always a range of ports they scan from the same IP - the ones I consider
    the largest threat are the ones that scan 5-10 ports every day, slowly,
    so that they are harder to detect if you're not sure what you're looking
    for.

    Do I worry about them - not much, but I have about 60 IP subnets in our
    permanent block list (mostly outside the USA).

    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)

  2. #22
    Rick
    Guest

    Re: port scans

    Leythos wrote:
    > In article<hm0uof$1h0$2@news.eternal-september.org>,
    > rick0.merrill@gmail.com.lessspam says...
    >> So you're saying it is a coincidence and I should "echo off paranoia".
    >>

    >
    > I have 32 IP addresses and a Commercial Grade firewall on our network.
    > We see about 8000 attempts per day across those IP's - it's almost
    > always a range of ports they scan from the same IP - the ones I consider
    > the largest threat are the ones that scan 5-10 ports every day, slowly,
    > so that they are harder to detect if you're not sure what you're looking
    > for.
    >
    > Do I worry about them - not much, but I have about 60 IP subnets in our
    > permanent block list (mostly outside the USA).
    >


    Have you seen one of these, and what might it mean?

    02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet
    dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour
    02/21/2010 00:06:44.608 - Notice - Network Access - UDP packet
    dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour


    Sam Spade says 224.... is reserved...



  3. #23
    Moe Trin
    Guest

    Re: port scans

    On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    article <hm0uof$1h0$2@news.eternal-september.org>, Rick wrote:

    >Moe Trin wrote:


    >> Sorry to disappoint you - but you aren't that important. EVERYONE is
    >> seeing (and ignoring) this stuff. They really aren't picking on your
    >> address any more than they're picking on everyone else.


    >So you're saying it is a coincidence and I should "echo off paranoia".


    I think that's 'echo 0 > paranoia' but yeah that's about the size of it.

    >One more thing however, it only took 15 minutes from the first use of
    >the ftp server before these, let's call 'em probes, started. Once upon
    >a time (before sonicwall) they would try a username-password script.


    Perhaps a coincidence - I mentioned the port 12200 source stuff as being
    a script - it's just looking for something to respond (when it does,
    the actual controller box will make a connection and do its thing).
    For just looking at an "are you alive" type response, a single computer
    can test a /8 (a former "Class 'A'") address range in about 17 minutes,
    all by itself. That limit is set by the 10 MHz bandwidth of the old
    style Ethernet. If it's on a 100BaseT net, it's about twice as fast.

    As for the username-password stuff - be glad you aren't running a
    publicly visible SSH server on port 22. They get pounded trying all
    kinds of common usernames/passwords.

    Old guy

  4. #24
    Moe Trin
    Guest

    Re: port scans

    On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    article <hm20c5$1vd$1@news.eternal-september.org>, Rick wrote:

    >Leythos wrote:


    >> We see about 8000 attempts per day across those IP's - it's almost
    >> always a range of ports they scan from the same IP - the ones I
    >> consider the largest threat are the ones that scan 5-10 ports every
    >> day, slowly, so that they are harder to detect if you're not sure
    >> what you're looking for.


    >> Do I worry about them - not much, but I have about 60 IP subnets in
    >> our permanent block list (mostly outside the USA).


    The only service that I offer (SSH) is limited to 3 subnets - 1530
    addresses in total. Cuts the noise down substantially.

    >Have you seen one of these, and what might it mean?


    >02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet
    >dropped - 192.168.1.70, 5353, X1 - 224.0.0.251, 5353 -
    > UDP Apple Bonjour


    It's telling you - "Apple Bonjour". You've got a Linux box running
    Avahi, or a Mac. I'm betting on the Linux box, so try 'locate avahi'
    to find the documentation.

    >Sam Spade says 224.... is reserved...


    http://www.iana.org/assignments/multicast-addresses

    Sam Spade is rather clueless.

    Old guy
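    Added example, not code from anyone in this thread: a Python triage pass over firewall "packet dropped" lines in the SonicWall-style shape Rick quoted above. It tags the 192.168.x.x to 224.0.0.251:5353 traffic as a local mDNS/Bonjour announcement, as Moe explains, and applies Leythos's "a few ports a day from the same source" observation to surface slow scanners. The regex field layout is inferred from the two quoted lines; the external addresses (TEST-NET ranges), extra dates and thresholds are constructed.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime
# Field layout inferred from the SonicWall-style "packet dropped" lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+ - \w+ - Network Access - "
    r"(?P<proto>TCP|UDP) packet dropped - (?P<src>[\d.]+), (?P<sport>\d+), \w+ - "
    r"(?P<dst>[\d.]+), (?P<dport>\d+)")
def parse(line):
    """Return the drop record's fields as a dict, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev
def is_local_mdns(ev):
    # 224.0.0.251:5353 is the IANA mDNS group; a private-range source is a LAN host (Avahi or a Mac).
    return (ev["proto"] == "UDP" and ev["dst"] == "224.0.0.251" and ev["dport"] == 5353
            and ipaddress.ip_address(ev["src"]).is_private)
def slow_scanners(lines, min_days=3, max_ports_per_day=10, min_total_ports=5):
    """Sources touching only a few distinct ports per day but returning on several days.
    A one-day burst of many ports is the loud kind; one port retried daily is no scan."""
    per_src = defaultdict(lambda: defaultdict(set))   # src -> date -> {dports}
    for line in lines:
        ev = parse(line)
        if ev is None or is_local_mdns(ev):
            continue
        per_src[ev["src"]][ev["ts"].date()].add(ev["dport"])
    flagged = {}
    for src, days in per_src.items():
        all_ports = set().union(*days.values())
        if (len(days) >= min_days and len(all_ports) >= min_total_ports
                and all(len(p) <= max_ports_per_day for p in days.values())):
            flagged[src] = sorted(all_ports)
    return flagged
def _rec(day, src, sport, dport):  # constructed TCP drop record (TEST-NET addresses)
    return (f"02/{day:02d}/2010 03:12:01.000 - Notice - Network Access - TCP packet "
            f"dropped - {src}, {sport}, X1 - 203.0.113.10, {dport}")

SAMPLE_LOG = [  # constructed sample; the first line mirrors the one quoted in the thread
    "02/21/2010 00:05:40.608 - Notice - Network Access - UDP packet dropped - "
    "192.168.1.70, 5353, X1 - 224.0.0.251, 5353 - UDP Apple Bonjour",
    *[_rec(d, "198.51.100.7", 41000 + i, p)           # two or three ports a day, three days
      for i, (d, p) in enumerate([(21, 21), (21, 22), (22, 23), (22, 25), (23, 80)])],
    *[_rec(21, "198.51.100.9", 50000 + i, 1000 + i) for i in range(20)],  # one loud burst
    *[_rec(d, "198.51.100.20", 33000, 21) for d in (21, 22, 23)],          # same port daily
]
```

Run `slow_scanners(SAMPLE_LOG)` to see only the low-and-slow source reported; the mDNS line, the one-day burst and the single-port repeater are all left out.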

  5. #25
    Rick
    Guest

    Re: port scans

    Moe Trin wrote:
    > On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    > article<hm0uof$1h0$2@news.eternal-september.org>, Rick wrote:
    >
    >> Moe Trin wrote:

    >
    >>> Sorry to disappoint you - but you aren't that important. EVERYONE is
    >>> seeing (and ignoring) this stuff. They really aren't picking on your
    >>> address any more than they're picking on everyone else.

    >
    >> So you're saying it is a coincidence and I should "echo off paranoia".

    >
    > I think that's 'echo 0 > paranoia' but yeah that's about the size of it.
    >
    >> One more thing however, it only took 15 minutes from the first use of
    >> the ftp server before these, let's call 'em probes, started. Once upon
    >> a time (before sonicwall) they would try a username-password script.

    >
    > Perhaps a coincidence - I mentioned the port 12200 source stuff as being
    > a script - it's just looking for something to respond (when it does,
    > the actual controller box will make a connection and do its thing).
    > For just looking at an "are you alive" type response, a single computer
    > can test a /8 (a former "Class 'A'") address range in about 17 minutes,
    > all by itself. That limit is set by the 10 MHz bandwidth of the old
    > style Ethernet. If it's on a 100BaseT net, it's about twice as fast.
    >
    > As for the username-password stuff - be glad you aren't running a
    > publicly visible SSH server on port 22. They get pounded trying all
    > kinds of common usernames/passwords.
    >
    > Old guy


    So moving to sftp would not help - is that what you're saying?


  6. #26
    Moe Trin
    Guest

    Re: port scans

    On Wed, 24 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    article <hm32c1$d0n$5@news.eternal-september.org>, Rick wrote:

    >Moe Trin wrote:


    >> Rick wrote:


    >>> One more thing however, it only took 15 minutes from the first use of
    >>> the ftp server before these, let's call 'em probes, started. Once upon
    >>> a time (before sonicwall) they would try a username-password script.


    >> As for the username-password stuff - be glad you aren't running a
    >> publicly visible SSH server on port 22. They get pounded trying all
    >> kinds of common usernames/passwords.


    >So moving to sftp would not help - is that what you're saying?


    Depends on what you are doing with FTP. There are tens of thousands
    of FTP sites on the Internet that allow anonymous downloads. I don't
    do windoze, but for Linux, you should be aware of places like ibiblio.org
    (the former sunsite.unc.edu, which was renamed metalab.unc.edu before
    its current rename), 'distro.ibiblio.org' and the site specific to your
    Linux distribution. These sites are giving software/files away, and all
    you need is the username ('ftp' or 'anonymous') and your email address
    as password. Nothing to hide or secure, so FTP is fine.

    Other sites restrict access to specific users, and may even allow
    uploads. For this, FTP is less suitable, primarily because the
    username and password go over the net as clear text - visible to
    anyone using a packet sniffer. 'sftp', or a similar protocol using
    encrypted networking, is a more robust solution.

    Still other sites have even tighter restrictions. For that, one-time
    authentication methods (often involving security tokens like SecurID
    (Security Dynamics Co - now rsa.com) or CryptoCard (cryptocard.com))
    or similar are more desirable.

    It's a bit dated, but see "Practical UNIX and Internet Security, Third
    Edition" by Garfinkel, Spafford, and Schwartz (O'Reilly and Associates,
    ISBN 0-596-00323-4, 984 pgs, Feb. 2003, US$55).

    Old guy

  7. #27
    Moe Trin
    Guest

    Re: port scans

    On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    article <hm0uog$1h0$3@news.eternal-september.org>, Rick wrote:

    >Regis wrote:


    >Yes, I know, but I think we should institute our own Fire-Back Bot
    >Herd!


    Already addressed. Bad idea.

    >> Not as long as you might think, and with so many computers,
    >> attackers and enterprising blackhats with botnets to distribute
    >> the work, it's doable.


    >One assumes that IP6 will make such work more difficult!


    2/15/2010 23:50 UTC

    TOTAL IPv4 3006793288 addresses 100341 networks
    TOTAL IPv6 11064.336853 x 10e30 addresses 4377 networks

    The _smallest_ IPv6 assignments are four /64s (in the UK, Hong Kong,
    Japan and Korea), and each one contains 18,446,744,073,709,551,616
    (18.45e18) addresses - about 4.3 billion times all of IPv4 space.
    The next larger assignments/allocations are 676 /48s which are 65536
    times larger.

    Old guy

  8. #28
    Rick
    Guest

    Re: port scans

    Moe Trin wrote:
    > On Wed, 24 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    > article<hm32c1$d0n$5@news.eternal-september.org>, Rick wrote:
    >
    >> Moe Trin wrote:

    >
    >>> Rick wrote:

    >
    >>>> One more thing however, it only took 15 minutes from the first use of
    >>>> the ftp server before these, let's call 'em probes, started. Once upon
    >>>> a time (before sonicwall) they would try a username-password script.

    >
    >>> As for the username-password stuff - be glad you aren't running a
    >>> publicly visible SSH server on port 22. They get pounded trying all
    >>> kinds of common usernames/passwords.

    >
    >> So moving to sftp would not help - is that what you're saying?

    >
    > Depends on what you are doing with FTP. There are tens of thousands
    > of FTP sites on the Internet that allow anonymous downloads. I don't
    > do windoze, but for Linux, you should be aware of places like ibiblio.org
    > (the former sunsite.unc.edu, which was renamed metalab.unc.edu before
    > its current rename), 'distro.ibiblio.org' and the site specific to your
    > Linux distribution. These sites are giving software/files away, and all
    > you need is the username ('ftp' or 'anonymous') and your email address
    > as password. Nothing to hide or secure, so FTP is fine.
    >
    > Other sites restrict access to specific users, and may even allow
    > uploads. For this, FTP is less suitable, primarily because the
    > username and password go over the net as clear text - visible to
    > anyone using a packet sniffer. 'sftp', or a similar protocol using
    > encrypted networking, is a more robust solution.
    >
    > Still other sites have even tighter restrictions. For that, one-time
    > authentication methods (often involving security tokens like SecurID
    > (Security Dynamics Co - now rsa.com) or CryptoCard (cryptocard.com))
    > or similar are more desirable.
    >
    > It's a bit dated, but see "Practical UNIX and Internet Security, Third
    > Edition" by Garfinkel, Spafford, and Schwartz (O'Reilly and Associates,
    > ISBN 0-596-00323-4, 984 pgs, Feb. 2003, US$55).
    >
    > Old guy


    Thanks for the info and the reference.

    It's clear from logs that they do not know my ftp server is <username>
    "anonymous" but requires any email address in the <password> field! So
    they keep trying to find the above. So I conclude that they do not
    really know much about it. And it has no classified info, ever, so my
    concern is strictly theoretical.



  9. #29
    Moe Trin
    Guest

    Re: port scans

    On Thu, 25 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
    article <hm6rsg$d1p$3@news.eternal-september.org>, Rick wrote:

    >Moe Trin wrote:


    >> Depends on what you are doing with FTP.


    >> It's a bit dated, but see "Practical UNIX and Internet Security, Third
    >> Edition" by Garfinkel, Spafford, and Schwartz (O'Reilly and Associates,
    >> ISBN 0-596-00323-4, 984 pgs, Feb. 2003, US$55).


    >Thanks for the info and the reference.


    Even the second edition (April 1996, ISBN 1-56592-148-8, 1004 pgs) is
    good reading and mainly still valid if you find a copy in a used book
    store or library. Another good reading source is the HOWTOs from the
    Linux Documentation Project. These used to be part of every install
    (now put in /usr/share/HOWTO). If you're in North America, try
    ftp://ibiblio.org/pub/linux/docs/HOWTO/ (also available as http://)
    or http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html. There are 450+
    documents (~3.9 million words, ~11,700 pages) there alone - start with

    280957 Jan 19 14:15 HOWTO-INDEX
    136805 Jan 19 14:15 INDEX

    which gives brief descriptions of each one. Another site to look at
    is http://www.netfilter.org/documentation/HOWTO/ which has a number of
    other howtos relating to firewall techniques using Linux. And yet
    another site is http://tldp.org/guides.html which has 47 entire
    books available in several formats from raw ASCII, HTML and printer
    ready PDFs or postscripts. An example is:

    * Securing & Optimizing Linux: The Ultimate Solution

    version: 2.0
    author: Gerhard Mourani, <gmourani@openna.com>
    last update: July 2002
    available formats:
    1. PDF (6.2MB)
    2. Example server configuration files (tar file; described in book
    as "floppy.tgz").

    Mastering security with Linux and getting the maximum out of your
    system have never been easier. Securing & Optimizing Linux: The
    Ultimate Solution (v2.0) has been written and achieved with
    tightening security to an incomparable level in mind. One of its
    main features is the easy path from beginning to end in a smooth
    manner, step by step for beginners as well as for experts.
    More information (and updates) available from:
    http://www.openna.com/products/books.php.
    older version: Securing and Optimizing Linux Red Hat Edition - A
    Hands on Guide

    version: 1.3
    author: Gerhard Mourani, <gmourani@openna.com>
    last update: August 2000
    available formats:
    1. HTML (read online)
    2. HTML (tarred and gzipped package, 1.5MB)
    3. PDF (4.9MB)
    4. Example server configuration files (tar file; described in book
    as "floppy.tgz").

    All of this is free for your download.

    >It's clear from logs that they do not know my ftp server is <username>
    >"anonymous" but requires any email address in the <password> field!


    1635 How to Use Anonymous FTP. P. Deutsch, A. Emtage, A. Marine. May
    1994. (Format: TXT=27258 bytes) (Also FYI0024) (Status:
    INFORMATIONAL)

    >So they keep trying to find the above. So I conclude that they do not
    >really know much about it. And it has no classified info, ever, so my
    >concern is strictly theoretical.


    Makes you wonder, doesn't it. RFC1635 has been around for 16 years,
    but they're sure you've got the good stuff hidden there, and they have
    to work to find it. ;-)

    Old guy
