Date:      Fri, 2 Jul 1999 12:42:46 -0700 (PDT)
From:      Doug <Doug@gorean.org>
To:        "Art Neilson, KH7PZ" <art@hawaii.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw denials
Message-ID:  <Pine.BSF.4.05.9907021238020.25108-100000@dt054n86.san.rr.com>
In-Reply-To: <3.0.6.32.19990702085945.008755d0@clients1.hawaii.rr.com>

On Fri, 2 Jul 1999, Art Neilson, KH7PZ wrote:

> Hey, I'm getting some interesting denies now that I have erected my
> firewall, I notice a few different sites trying to UDP connect to me
> from their port 8000 to my 137.  137 is Netbios name service?  I don't
> have Samba or any netbios junk running in my system.  One of the attempts
> was from utexas, another from stone.scour.net.  Anyone know what the deal
> is?  What stuff I should expect to see and what stuff looks like a break-in?

	Yep, just one example of windows brain-deadedness. Stuff like that
isn't uncommon, and as long as it's not happening repeatedly from the same
IP block you should be fine. 

	Generally "random looking" stuff from a variety of IP blocks are
not hack attempts, just weird or misconfigured clients. When you see lots
of hits on ports like 21-23 from the same IP, or if you see lots of
sequential access to a whole bunch of ports in a row, these are possible
intrusion attempts. It's helpful when you see that to send a *polite* note
to the system admin of that site and let them know that someone is playing
games. 

	Of course, a lot of people could give you more detailed info, but
for the most part it's not the stuff you *see* that gets you, it's the
stuff that you don't see. :) (how's that for a comforting thought)

73,

Doug
-- 
On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
                -- Will Rogers
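Added example, not part of Doug's message: a small triage script that applies the rule of thumb from the reply to ipfw deny log lines, grouping sources by /24 block and flagging repeated hits or runs of consecutive ports. The log line shape, the thresholds, the /24 grouping and every address below are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log shape: "... ipfw: <rule> Deny <PROTO> <src>:<sport> <dst>:<dport> in via <if>"
DENY_RE = re.compile(r"ipfw: \d+ Deny \w+ ([\d.]+):\d+ [\d.]+:(\d+) in")

def _deny(src, dport, proto="TCP", sport=1025):
    # Build one constructed log line (reserved test/documentation addresses only).
    return (f"Jul  2 09:00:00 gw /kernel: ipfw: 65000 Deny {proto} "
            f"{src}:{sport} 203.0.113.5:{dport} in via ed0")

SAMPLE_LOG = "\n".join(
    [_deny("192.0.2.10", 137, "UDP", 8000),       # stray NetBIOS probe
     _deny("198.51.100.77", 137, "UDP", 8000)]    # another, different block
    + [_deny("198.18.4.9", p) for p in (21, 22, 23, 21, 22, 23)]   # repeated
    + [_deny("198.18.9.30", p) for p in range(110, 116)])          # sweep

def longest_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def classify(log_text, repeat_threshold=5, run_threshold=4):
    """Return {source /24 block: verdict} for denied inbound packets."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            block = ipaddress.ip_network(m.group(1) + "/24", strict=False)
            hits[str(block)].append(int(m.group(2)))
    verdicts = {}
    for block, ports in hits.items():
        if longest_run(ports) >= run_threshold:
            verdicts[block] = "sequential-ports"   # many ports in a row
        elif len(ports) >= repeat_threshold:
            verdicts[block] = "repeated-hits"      # same block keeps knocking
        else:
            verdicts[block] = "stray"              # one-off, likely a confused client
    return verdicts

if __name__ == "__main__":
    for block, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{block:18} {verdict}")
```

A verdict of "stray" only means the visible denies do not match either pattern; traffic that was never logged is outside what this can tell you.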