If you're willing, send me your logs of inappropriate connection attempts.
I wish to see if I can compile some useful info for our resident Trooper.
I was recently shocked by my realization that I had never turned logging on
in ipchains. I strongly recommend doing so (do a deny all with a -l as
your last rule, just before setting the default to DENY).
Since I turned on logging on March 11th, I noticed a bunch of
inappropriate connection attempts on predictable ports.
First column is connection attempt counts, last column is obvious reasons:
15 - 137/netbios-ns UDP - world readable/writeable windows fileshares
15 - 21/ftp TCP - anonymous ftp
12 - 111/sunrpc TCP - rpc holes / readable/writeable nfs exports
8 - 23/telnet TCP - unpassworded telnet
7 - 500/isakmp UDP - no idea.. ?
6 - 53/domain TCP - recent bad dns root exploit
2 - 1080/socks TCP - open proxy
1 - 555/dsf TCP - no idea
1 - 53/domain UDP - recent bad dns root exploit
1 - 27374/ TCP - no idea
Of course, I've got source IPs & timestamps for all of it. I'd like more
data. Feel free to send me yours.
Please do not post full logs to this list, mail me personally -
Darxus@ChaosReigns.com.
Oh, and if you're running a Linux server (anything with internet access)
and not running ipchains/iptables (kernel 2.2/2.4, respectively), do it NOW.
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO.txt
If it isn't obvious, I suggest not portscanning any of my boxes without my
express permission, as I intend to submit full logs to the Pennsylvania
State Troopers, Computer Crimes Division.
--
http://www.ChaosReigns.com
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
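The per-port tally described in the post, as an added example that is not part of the original message: it parses ipchains packet log lines and counts blocked TCP/UDP attempts by destination port, keeping the source IPs. The log layout is assumed from the IPCHAINS-HOWTO, and the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Assumed line layout for a logging rule such as `ipchains -A input -j DENY -l`
# (format as documented in the IPCHAINS-HOWTO, behind a syslog prefix).
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO = {6: "TCP", 17: "UDP"}
# Service names copied from the table in the post; unknown ports print blank.
SERVICES = {137: "netbios-ns", 21: "ftp", 111: "sunrpc", 23: "telnet",
            500: "isakmp", 53: "domain", 1080: "socks", 555: "dsf"}

def tally(lines, actions=("DENY", "REJECT")):
    """Count blocked packets per (dest port, protocol) and collect source IPs."""
    counts, sources = Counter(), {}
    for line in lines:
        m = LINE.search(line)
        if not m or m["action"] not in actions:
            continue  # not a packet log line, or a logged ACCEPT
        proto = int(m["proto"])
        if proto not in PROTO:
            continue  # e.g. ICMP, where the "port" fields hold type and code
        key = (int(m["dport"]), PROTO[proto])
        counts[key] += 1
        sources.setdefault(key, set()).add(m["src"])
    return counts, sources

def report(counts):
    """Format rows like the post's table, busiest port first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n} - {port}/{SERVICES.get(port, '')} {proto}" for (port, proto), n in rows]

# Constructed sample log (documentation addresses, invented host name "gw").
PFX = "kernel: Packet log: input"
SAMPLE = [
    f"Mar 11 04:12:01 gw {PFX} DENY eth0 PROTO=17 203.0.113.5:137 192.0.2.10:137 L=78 S=0x00 I=4021 F=0x0000 T=113 (#9)",
    f"Mar 11 04:12:03 gw {PFX} DENY eth0 PROTO=17 203.0.113.5:137 192.0.2.10:137 L=78 S=0x00 I=4022 F=0x0000 T=113 (#9)",
    f"Mar 11 04:50:30 gw {PFX} DENY eth0 PROTO=17 203.0.113.99:137 192.0.2.10:137 L=78 S=0x00 I=77 F=0x0000 T=110 (#9)",
    f"Mar 11 05:40:17 gw {PFX} DENY eth0 PROTO=6 198.51.100.23:3345 192.0.2.10:21 L=60 S=0x00 I=811 F=0x4000 T=49 SYN (#9)",
    f"Mar 11 06:02:44 gw {PFX} DENY eth0 PROTO=6 198.51.100.77:1042 192.0.2.10:27374 L=48 S=0x00 I=9 F=0x4000 T=51 SYN (#9)",
    f"Mar 11 06:03:00 gw {PFX} DENY eth0 PROTO=1 198.51.100.77:8 192.0.2.10:0 L=84 S=0x00 I=10 F=0x0000 T=51 (#9)",
    f"Mar 11 06:05:10 gw {PFX} ACCEPT eth0 PROTO=6 198.51.100.9:2211 192.0.2.10:22 L=60 S=0x00 I=5 F=0x4000 T=52 SYN (#3)",
    "Mar 11 06:06:00 gw sshd[411]: Connection closed",
]

if __name__ == "__main__":
    print("\n".join(report(tally(SAMPLE)[0])))
```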