From owner-freebsd-security Tue Jun 15 6:37:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15])
	by hub.freebsd.org (Postfix) with SMTP id 6E8B414C2D
	for ; Tue, 15 Jun 1999 06:37:16 -0700 (PDT)
	(envelope-from rchilders@hamquist.com)
Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP
	( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Tue, 15 Jun 99 06:36:48 -0700
X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3
Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com
	( Netscape Messaging Server 3.6) with ESMTP id AAA28B2;
	Tue, 15 Jun 1999 09:37:15 -0400
Message-ID: <376657F1.C34C96A1@hamquist.com>
Date: Tue, 15 Jun 1999 06:41:05 -0700
From: "Richard Childers"
Organization: hambrecht & quist, llc
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: "Matthew Joseff"
Cc:
Subject: Re: /var/log/messages
References:
X-WSS-ID: 1B78897A256711-01-02
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"1) What can I do to avoid this?"

Install tcp_wrappers and configure it to deny connections from this subnet (if you care). Alternatively, you might prefer to continue to collect information, the better to analyze the situation.

"2) Can any *real* damage be done from someone connecting like this?"

Yes, if (a) their intention is malicious, and (b) their attempts to exploit your system's possible vulnerabilities are successful. Otherwise, no.

"3) What liabilities does this open the "offending" party's company to?"

What damages have you suffered? Furthermore, establishing the actual source of the packets can be problematic; this is where collecting additional information becomes of use.

-- richard

Richard Childers
Senior UNIX Systems Administrator
Hambrecht & Quist, LLC
(415) 439-3838

Matthew Joseff wrote:

>
> Found this in my "messages" this morning:
>
> Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on
> illegal port 1574
> Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155
> on illegal port
>
> questions:
>
> 1) What can I do to avoid this?
> 2) Can any *real* damage be done from someone connecting like this?
> 3) What liabilities does this open the "offending" party's company to?
>
> --
> Matthew Joseff, Sr. Web Developer
> RCN Corp. 703-321-2410
> www.rcn.com NASDAQ: RCNC
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
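
Added example, not part of the original thread: one way to do the "collect information" step is to group the rshd/rlogind "illegal port" rejections in /var/log/messages by source address and print a candidate tcp_wrappers hosts.deny rule for each source. Assumptions: the third sample line is constructed, the daemon names in the syslog tags match the process names tcp_wrappers sees, and the rule is per host because the thread does not state a subnet mask.

```python
import re
from collections import defaultdict

# The two entries quoted in the message (unwrapped) plus one constructed,
# unrelated line to show that other syslog traffic is ignored.
SAMPLE_LOG = """\
Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on illegal port 1574
Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155 on illegal port
Jun 15 07:20:02 retribution sshd[19901]: Accepted password for mj from 10.0.0.5 port 1022
"""

# rshd logs the offending source port; rlogind does not and capitalises
# "Connection", so the port is optional and matching is case-insensitive.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>rshd|rlogind)\[(?P<pid>\d+)\]: "
    r"connection from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on illegal port"
    r"(?: (?P<port>\d+))?\s*$",
    re.IGNORECASE,
)

def summarize(log_text):
    """Group rejected r-service connections by source address."""
    out = defaultdict(lambda: {"count": 0, "daemons": set(), "ports": set(),
                               "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an rshd/rlogind illegal-port entry
        rec = out[m["src"]]
        rec["count"] += 1
        rec["daemons"].add(m["daemon"])
        if m["port"]:
            rec["ports"].add(int(m["port"]))
        rec["first"] = rec["first"] or m["ts"]  # log order, syslog has no year
        rec["last"] = m["ts"]
    return dict(out)

def hosts_deny_lines(summary):
    """One hosts.deny rule per source, in 'daemon_list : client_list' form."""
    return [f"{', '.join(sorted(rec['daemons']))} : {src}"
            for src, rec in sorted(summary.items())]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, rec in report.items():
        print(src, rec["count"], sorted(rec["daemons"]), sorted(rec["ports"]))
    print("\n".join(hosts_deny_lines(report)))
```
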