From owner-freebsd-security Thu Jan 21 03:09:48 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA19896 for freebsd-security-outgoing; Thu, 21 Jan 1999 03:09:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (p15-max3.wlg.ihug.co.nz [209.79.142.79]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA19888 for ; Thu, 21 Jan 1999 03:09:43 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with ESMTP id AAA09563; Fri, 22 Jan 1999 00:08:31 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Fri, 22 Jan 1999 00:08:17 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Anthony Kim
cc: "security@FreeBSD.ORG"
Subject: Re: TCP port question IPFW
In-Reply-To: <36A6E700.CEC5418C@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm sort of annoyed...there is some IP who is constantly filling up my
> ipfw logs with TCP port 1719 attempts daily. The hours are late in the

If you're annoyed by the log entries, but not concerned by them, then don't log entries from their IP to that port. Among other things, this sort of practice makes it more likely you'll see important log info. Logging too much is a bad thing. OTOH, it can clutter your firewall ruleset.

> evening until around 2am, then it begins again shortly after 6pm (he or
> she must have come home from work and felt like bugging me). More
> recently I see requests for TCP port 1106 in my logs as well from them.
> A quick search on the web showed 1719 was h323gatestat. Can someone tell
> me what that is? I didn't find anything on TCP port 1106 either. Any
> info is greatly appreciated. Also, any way I can track this person down?
> traceroute works but no hostname returns.
You might be able to identify their service provider from other entries in the traceroute. Also, doing a reverse lookup on other IPs in the same class C network often clarifies who owns the network. It's often possible to connect to services like telnet, smtp, ftp and get a machine name. This basically amounts to a localised port scan. It's easily justified, but I wonder if people ever get into trouble with their ISPs as a result of it.

Andrew
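The "don't log entries from their IP to that port" suggestion above depends on rule ordering, since ipfw evaluates rules lowest number first and stops at the first match: the silent deny for the noisy source has to sit in front of the general logging deny, or the logging rule keeps firing. The following is an added example, not code from the original thread; the source address 192.0.2.10 is a constructed TEST-NET placeholder standing in for the IP in the poster's logs, the rule numbers 1000 and 2000 are assumed, and the script prints the ipfw(8) commands by default (set IPFW=ipfw to apply them for real).

```shell
#!/bin/sh
# Added example (not from the original post): drop a known noisy source on
# the ports it keeps hitting WITHOUT logging, while still logging everyone
# else denied on those ports. Placeholders, not values from the thread:
NOISY_HOST="${NOISY_HOST:-192.0.2.10}"   # constructed placeholder source IP
NOISY_PORTS="${NOISY_PORTS:-1719,1106}"  # the two ports the question mentions
IPFW="${IPFW:-echo ipfw}"                # default: only print the commands

# Emit the rules in evaluation order. ipfw walks the ruleset from the lowest
# number upward and stops at the first match, so the quiet rule (1000) must
# carry a lower number than the logging rule (2000).
ipfw_quiet_rules() {
    # Rule 1000: silently drop the known noise; no "log" keyword here.
    $IPFW add 1000 deny tcp from "$NOISY_HOST" to any "$NOISY_PORTS"
    # Rule 2000: anyone else probing those ports is still denied AND logged,
    # so genuinely new activity is not hidden by the quiet rule.
    $IPFW add 2000 deny log tcp from any to any "$NOISY_PORTS"
}

# Sanity check on the generated ruleset: the first emitted rule must name
# the noisy host and must not log. Returns 0 when the ordering is right.
quiet_rule_comes_first() {
    first=$(ipfw_quiet_rules | sed -n 1p)
    case "$first" in
        *"$NOISY_HOST"*) ;;
        *) return 1 ;;
    esac
    case "$first" in
        *" log "*) return 1 ;;
    esac
    return 0
}

# Running the script stand-alone prints the two commands in order.
ipfw_quiet_rules
```

With IPFW left at its default the script is a dry run that shows exactly what would be added; `ipfw list` afterwards (when applied for real) confirms that rule 1000 precedes rule 2000. The trade-off Andrew notes still applies: every source you silence this way is one more rule to carry in the ruleset.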