From: Rick on 22 Feb 2010 15:26

Moe Trin wrote:
> On Sun, 21 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
> article <hlrvgm$66h$1(a)news.eternal-september.org>, Rick wrote:
>
>> Moe Trin wrote:
>
>>> Rick wrote:
>
>>>> I have 1 ftp server and 3 simple pc's.
>>>> Only the ftp server gets "port scanned".
>>>> How do they know to scan that one?
>
>>> They don't. Are all four systems equally visible from the world?
>>> Does each one have its own `world reachable' IP address?
>
>> There is 1 external, non-static IP ==>modem==>router(DMZ)==>SonicWall==>
>> linux FTP server, windows xp3, windows xp3.
>
> One external address -> several systems. How is the SonicWall told
> to route packets? Send them equally to all systems? Of course not.
> Obviously it's not going to send packets for port 20-21/ftp to the
> workstations, because that's not where the FTP server is. So look at
> the way you've configured the SonicWall.
>
>> The latter all use LAN ip addresses of course.
>
> So it's all the SonicWall that's deciding how to route packets.
>
>> Since any ftp "user" would have to know the secret handshake I am
>> wondering how the chinese and the koreans know about the ftp server!
>
> Unlikely that they do - they're scanning the entire external IP
> range - perhaps as widely as 1.0.0.1 to 222.255.255.254 looking to
> see "what is there". Linux server - do you have nmap installed?
> The man page is extensive, and there's probably a lot more
> documentation in /usr/share/nmap*/. They scan your address - let's
> say it's 192.0.2.11 on the external side, and your SonicWall forwards
> those packets to....

Nope, the SonicWall LOG FILE says that those packets have been DROPPED
(unceremoniously I presume).

>> - just curious
>
> Do you intend to offer FTP service to every IP address in the world, or
> are you only intending to offer to North America, Pennsylvania, or
> New York City? IP addresses are not allocated/assigned in a simple
> manner arranged for convenient filtering. For example, the IPv4 address
> range 130.0.0.0 - 130.255.255.255 is allocated/assigned to 228 networks
> in ten countries from New Zealand and Japan through Europe (Denmark and
> France) to North America (Canada and USA). See
> http://www.iana.org/assignments/ipv4-address-space for regional clues.
> As of the 15th, there were 3007 million IPv4 addresses in 228 countries
> in 100341 IP blocks.
>
> Old guy

To get past the SonicWall you have to have the password (global VPN client)
or the "secret" for the SSL tunnel (I think that's what it's called).
From: Skywise on 22 Feb 2010 22:54

Regis <ordsec(a)gmail.org> wrote in news:84635p9rjz(a)e6g2000prf.googlegroups.com:

> More constructively, though the upshot here is that access attempts
> and port scans should be quite expected on any internet facing IP
> address.

Even to the level of the ordinary home user logging in to their ISP on a
dialup modem. I recall watching my software firewall back in those days
routinely blocking occasional port scans.

Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
From: Regis on 23 Feb 2010 10:26

Rick <rick0.merrill(a)gmail.com.lessspam> writes:

> Are you saying that they are checking EVERY POSSIBLE IP number?

Not necessarily. Maybe. Probably. Depends on who's doing the scanning.
Could be some other subscriber on your ISP scanning from afar out of
curiosity, could be an attacker mapping out known registered DHCP pools
from your ISP, or all ISPs. The bot herders are just looking for targets,
and a lot of it may be automated scans done by other malware. You never
know.

> That should take a pretty LONG TIME,

Not as long as you might think, and with so many computers, attackers and
enterprising blackhats with botnets to distribute the work, it's doable.

> yet here they are back-again the next day:
>
> 02/19/2010 59:05.5 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 8000, X1 - " TCP" Port: 8000
> 02/20/2010 06:30.2 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
> 02/20/2010 23:03.2 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
> 02/20/2010 55:58.8 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
>
> 4 failed attempts from the same originator. I can only see explaining
> that by assuming that they somehow KNOW my server is there. How do
> they know it is there? Would it help to get a new IP address?

Do not ascribe to directed malice that which can be more adequately
explained by the usual, happens-every-day-to-everybody large scale
reconnaissance.
From: Rick on 23 Feb 2010 11:05

Regis wrote:
> Rick <rick0.merrill(a)gmail.com.lessspam> writes:
>
>> Are you saying that they are checking EVERY POSSIBLE IP number?
>
> Not necessarily. Maybe. Probably. Depends on who's doing the
> scanning. Could be some other subscriber on your ISP scanning from
> afar out of curiosity,

Sam Spade says that is definitely not the case.

> could be an attacker mapping out known
> registered DHCP pools from your ISP, or all ISPs.

Checking the attacker IP shows that is not the case either. I certainly
agree that it COULD be, and one time it was and, believe it or not, I
actually got them to fix their vampired server.

> The bot herders
> are just looking for targets, and a lot of it may be automated scans
> done by other malware. You never know.

Yes, I know, but I think we should institute our own Fire-Back Bot Herd!

>> That should take a pretty LONG TIME,
>
> Not as long as you might think, and with so many computers, attackers
> and enterprising blackhats with botnets to distribute the work, it's
> doable.

One assumes that IP6 will make such work more difficult!

>> yet here they are back-again the next day:
>>
>> 02/19/2010 59:05.5 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 8000, X1 - " TCP" Port: 8000
>> 02/20/2010 06:30.2 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
>> 02/20/2010 23:03.2 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
>> 02/20/2010 55:58.8 " TCP" " 125.65.112.161," security(a)mail.sc.cninfo.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
>>
>> 4 failed attempts from the same originator. I can only see explaining
>> that by assuming that they somehow KNOW my server is there. How do
>> they know it is there? Would it help to get a new IP address?
>
> Do not ascribe to directed malice that which can be more adequately
> explained by the usual, happens every day to everybody large scale
> reconnaissance.

Actually, I did not say 'malice' although it's fair for you to assume it -
they might just be curious, as I am, about what's out there.
From: Leythos on 23 Feb 2010 18:34

In article <hm0uof$1h0$2(a)news.eternal-september.org>,
rick0.merrill(a)gmail.com.lessspam says...

> So you're saying it is a coincidence and I should "echo off paranoia".
>

I have 32 IP addresses and a Commercial Grade firewall on our network. We
see about 8000 attempts per day across those IPs - it's almost always a
range of ports they scan from the same IP - the ones I consider the largest
threat are the ones that scan 5-10 ports every day, slowly, so that they
are harder to detect if you're not sure what you're looking for.

Do I worry about them - not much, but I have about 60 IP subnets in our
permanent block list (mostly outside the USA).

--
You can't trust your best friends, your five senses, only the little voice
inside you that most civilians don't even hear -- Listen to that. Trust
yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
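The repeated drops Rick quotes in his log and the slow "5-10 ports every day" scans Leythos describes are exactly what is worth pulling out of a firewall log automatically rather than by eye. Added example, not code from this thread or from SonicWall: it parses records in the flattened drop-log layout quoted above (sample lines are constructed, using documentation-range addresses and hypothetical hostnames) and flags sources whose dropped probes are spread across several days and several distinct destination ports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation-range addresses, hypothetical hostnames) laid out
# like the flattened SonicWall drop-log records quoted in the thread: date, time, protocol,
# source IP, resolved source name, source port, interface, destination IP, destination port.
SAMPLE_LOG = """\
02/19/2010 00:59:05.5 " TCP" " 203.0.113.7," host.example.net 12200, X1 - " 192.168.1.205," 8000, X1 - " TCP" Port: 8000
02/20/2010 06:30:10.2 " TCP" " 203.0.113.7," host.example.net 12200, X1 - " 192.168.1.205," 7212, X1 - " TCP" Port: 7212
02/21/2010 23:03:44.2 " TCP" " 203.0.113.7," host.example.net 12200, X1 - " 192.168.1.205," 22, X1 - " TCP" Port: 22
02/22/2010 04:55:58.8 " TCP" " 203.0.113.7," host.example.net 12200, X1 - " 192.168.1.205," 3389, X1 - " TCP" Port: 3389
02/20/2010 12:00:00.0 " TCP" " 198.51.100.9," other.example.org 40000, X1 - " 192.168.1.205," 21, X1 - " TCP" Port: 21
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+\S+\s+'              # date and time (time layout varies, ignored)
    r'"\s*(?P<proto>\w+)"\s+'                             # " TCP"
    r'"\s*(?P<src>[\d.]+),"\s+\S+\s+\d+,\s+\S+\s+-\s+'    # " src," name sport, iface -
    r'"\s*(?P<dst>[\d.]+),"\s+(?P<dport>\d+),'            # " dst," dport,
)


def parse_drops(text):
    """Yield (date, proto, src, dst, dport) for every well-formed dropped-packet record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the scan
            yield (datetime.strptime(m['date'], '%m/%d/%Y').date(),
                   m['proto'], m['src'], m['dst'], int(m['dport']))


def slow_scanners(text, min_days=3, min_ports=3):
    """Sources whose drops spread over >= min_days distinct days and >= min_ports distinct
    destination ports: the low-and-slow pattern a per-day threshold alone would miss."""
    days, ports = defaultdict(set), defaultdict(set)
    for date, _proto, src, _dst, dport in parse_drops(text):
        days[src].add(date)
        ports[src].add(dport)
    return {src: {'days': len(days[src]), 'ports': sorted(ports[src])}
            for src in days
            if len(days[src]) >= min_days and len(ports[src]) >= min_ports}


if __name__ == '__main__':
    for src, info in slow_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['days']} days, ports {info['ports']}")
```

Feeding it a real export instead of SAMPLE_LOG only needs the time field to stay a single token; the thresholds are the knobs to tune against your own baseline of daily noise.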