bbarnett@L8R.net
Sun, 03 Jan 1999 10:28:48 -0800 (PST)
On 03-Jan-99 Brian Edmonds wrote:
> It looks like my machine was portscanned yesterday. Those of you on
> high speed, full time network links who have not taken a serious look at
> your security, do it now.
>
> I usually get a handful of TCP privileged port rejects, but this is the
> first time I recall seeing thousands. I also got the first NFS/TCP
> (port 2049) rejects I can recall ever seeing.
>
>> IP firewall input rules, default policy: accept
>> pkts bytes type prot opt tosa tosx ifname ifaddress source
>> destination ports
>> 12841 514K rej tcp ---- 0xFF 0x00 eth1 0.0.0.0 0.0.0.0/0
>> 0.0.0.0/0 * -> 0:950
>> 19 760 rej tcp ---- 0xFF 0x00 eth1 0.0.0.0 0.0.0.0/0
>> 0.0.0.0/0 * -> 2049
>
> Syslog also recorded a number of reachable services on my box that could
> not figure out who was trying to talk to them, placing the time of the
> scan at 830pm. Does anyone know if this connection resetting is
> indicative of a particular type of scan?
>
>> Unknown syslog entries:
>> Jan 2 20:30:47 lios sshd[131]: error: accept: Connection reset by peer
>> Jan 2 20:30:50 lios wu.ftpd[11383]: warning: can't get client address:
>> Connection reset by peer
>> Jan 2 20:30:53 lios uucico[11385]: warning: can't get client address:
>> Connection reset by peer
>
> Brian.
I've noticed a lot of port scanning is being done solely to find an open socks
or bo port. These can be easily used to route through, and fake IP's...
---Dynamic Hosting http://www.L8R.net/ "We Provide Static Hostnames for Dynamic IP's"
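Added example (not part of either post): one way to flag the syslog pattern quoted above, where several unrelated daemons log "Connection reset by peer" within seconds of each other. The 30-second window, the three-service threshold and the year passed to the parser are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Log lines from the quoted post, with the archive's line wrapping joined.
SAMPLE = """\
Jan 2 20:30:47 lios sshd[131]: error: accept: Connection reset by peer
Jan 2 20:30:50 lios wu.ftpd[11383]: warning: can't get client address: Connection reset by peer
Jan 2 20:30:53 lios uucico[11385]: warning: can't get client address: Connection reset by peer
"""

# Classic syslog layout: "Mon D HH:MM:SS host service[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[\s:]+)(?:\[\d+\])?: (.*)$")

def parse_resets(text, year=1999):
    """Return sorted (timestamp, host, service) tuples for reset-by-peer lines.
    Syslog omits the year, so the caller supplies it (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or "Connection reset by peer" not in m.group(4):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=30), min_services=3):
    """Group resets that start within `window` of each other and report a
    burst when at least `min_services` distinct daemons are involved."""
    bursts, i = [], 0
    while i < len(events):
        j, services = i, set()
        while j < len(events) and events[j][0] - events[i][0] <= window:
            services.add(events[j][2])
            j += 1
        if len(services) >= min_services:
            bursts.append((events[i][0], events[j - 1][0], sorted(services)))
            i = j          # skip past the burst just reported
        else:
            i += 1         # slide the window start forward by one event
    return bursts

if __name__ == "__main__":
    for start, end, services in find_bursts(parse_resets(SAMPLE)):
        print(f"{start} .. {end}: resets on {', '.join(services)}")
```

A single daemon logging an occasional reset is normal; the signal here is the same error across several listeners in one short window, which is worth correlating with the firewall reject counters for the same interval.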
This archive was generated by hypermail 2.0b3 on Sun 03 Jan 1999 - 10:33:54 PST