doug-x07 Tux's lil' helper
Joined: 16 Nov 2002 Posts: 122 Location: Paris, France
Posted: Tue Jan 21, 2003 8:59 pm Post subject: networking security question
I've got my firewall set up to log all uninitiated packets and any scan attempts. I seem to be getting about 30 to 50 bad UDP packets a day, all sent to port 2607 (Dell connection port). All of this from a wide variety of IP addresses, some of which are spoofed and some of which are spaced out at hourly intervals. Does anyone know exactly what this is? I presume it's a common scan script. I just find it strange that only that particular port is getting scanned and that I'm not picking up any ping, stealth or xmas tree scans.
I can't decide at what point I should start appending new rules to my firewall to drop all traffic from frequently offending IPs. Anyone have any advice on the subject?
_________________
#! /usr/bin/perl
if( @first != $succeed ) {
post { $question->forum && eval '$answers' };
try { $again } catch { $problem && $resolve };
bless $posters; }
Lomendil n00b
Joined: 22 Jan 2003 Posts: 16
Posted: Wed Jan 22, 2003 4:13 pm
What are you using to catch portscans?
If this were happening to me, I would try capturing the data packets to see exactly what was in them and whether they all might be related.
I wouldn't bother blocking specific IPs, unless you notice concentrated attacks. You're blocking these packets anyway (unless you want to capture some).
_________________
This is my .sig
doug-x07 Tux's lil' helper
Joined: 16 Nov 2002 Posts: 122 Location: Paris, France
Posted: Wed Jan 22, 2003 6:02 pm
Lomendil wrote: | What are you using to catch portscans? |
I'm just using firewall rules. In this case it's a rule for logging unestablished and unrelated traffic. I just used a setup along the lines of the Gentoo Security Guide and added a few other things. So far it seems to be quite efficient, though I'm surprised that I'm getting no nmap-type scans.
Lomendil wrote: | If this were happening to me, I would try capturing the data packets to see exactly what was in them and whether they all might be related. |
Good idea. With iptables I just get minimal information in the logs from the kernel. I was planning to set up snort for network intrusion detection but have not got round to it yet. That should allow me to log the packets too.
Lomendil wrote: | I wouldn't bother blocking specific IPs, unless you notice concentrated attacks |
What sort of volume did you have in mind?
I still can't work out how come all these packets are routed for port 2607. I can think of many interesting ports to target.
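The two questions in this thread, what is in the kernel log for these packets and at what volume a source becomes worth a DROP rule, can be answered from the iptables LOG output itself before snort is in place. The script below is an added example, not code from either poster or from the Gentoo Security Guide. It assumes the default netfilter LOG target format (space-separated key=value fields such as SRC=, PROTO= and DPT= written to syslog by the kernel); the log lines embedded in it are constructed sample data using documentation-range addresses, and the per-source threshold of 3 hits is an arbitrary choice for the demonstration, not a recommendation.

```python
"""Tally netfilter LOG lines by source address for one protocol/port.

Added example for the thread above; not code from the original posts.
Assumes the default iptables LOG target format. SAMPLE_LOG is constructed
sample data (documentation-range addresses), not captured traffic.
"""
import re
from collections import Counter

# Constructed sample log lines in the iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Jan 21 08:01:12 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 PROTO=UDP SPT=2607 DPT=2607 LEN=40
Jan 21 09:02:33 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 PROTO=UDP SPT=2607 DPT=2607 LEN=40
Jan 21 10:03:41 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 PROTO=UDP SPT=2607 DPT=2607 LEN=40
Jan 21 10:15:02 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=114 ID=9 PROTO=UDP SPT=1025 DPT=2607 LEN=40
Jan 21 11:20:55 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=10 PROTO=TCP SPT=1026 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 21 12:00:00 gw kernel: DROP-LOG IN=ppp0 OUT= SRC=192.0.2.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=250 ID=0 PROTO=UDP SPT=53 DPT=2607 LEN=40
"""

# The key=value fields the LOG target emits that matter for this tally.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|TTL|ID)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line as a dict, or None.

    Lines that are not kernel LOG output (no 'kernel:' or no SRC= field)
    are skipped rather than guessed at.
    """
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # syslog timestamp is the first three whitespace-separated tokens.
    fields["ts"] = " ".join(line.split()[:3])
    return fields


def tally(log_text, proto="UDP", dport="2607"):
    """Count logged hits per source IP for the given protocol and destination port."""
    per_src = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == proto and f.get("DPT") == dport:
            per_src[f["SRC"]] += 1
    return per_src


def offenders(per_src, threshold):
    """Sources that reached the threshold, most frequent first."""
    return [src for src, n in per_src.most_common() if n >= threshold]


def drop_rules(srcs, chain="INPUT"):
    """iptables commands one might append for the chosen offenders."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in srcs]


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src:16} {n} packets to udp/2607")
    for rule in drop_rules(offenders(counts, threshold=3)):
        print(rule)
```

Two caveats before turning the printed rules into real ones. The thread already notes that some of the sources are spoofed, and a UDP source address costs the sender nothing to forge, so a count-based block can be made to blacklist an arbitrary third party; a rule added this way should be temporary and reviewed, not permanent. And the kernel log shows headers only; to see what the payloads contain, as Lomendil suggests, capture them with tcpdump (for example `tcpdump -n -s 0 -w port2607.pcap 'udp and port 2607'`) and compare the payloads across sources before deciding they are related.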