From owner-freebsd-questions Fri Jul 2 12:42:52 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dt054n86.san.rr.com (dt054n86.san.rr.com [24.30.152.134])
    by hub.freebsd.org (Postfix) with ESMTP id F16B514E45
    for ; Fri, 2 Jul 1999 12:42:49 -0700 (PDT)
    (envelope-from Doug@gorean.org)
Received: from localhost (doug@localhost)
    by dt054n86.san.rr.com (8.8.8/8.8.8) with ESMTP id MAA25171;
    Fri, 2 Jul 1999 12:42:46 -0700 (PDT)
    (envelope-from Doug@gorean.org)
Date: Fri, 2 Jul 1999 12:42:46 -0700 (PDT)
From: Doug
X-Sender: doug@dt054n86.san.rr.com
To: "Art Neilson, KH7PZ"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw denials
In-Reply-To: <3.0.6.32.19990702085945.008755d0@clients1.hawaii.rr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 2 Jul 1999, Art Neilson, KH7PZ wrote:

> Hey, I'm getting some interesting denies now that I have erected my
> firewall, I notice a few different sites trying to UDP connect to me
> from their port 8000 to my 137. 137 is Netbios name service? I don't
> have Samba or any netbios junk running in my system. One of the attempts
> was from utexas, another from stone.scour.net. Anyone know what the deal
> is? What stuff I should expect to see and what stuff looks like a break-in?

Yep, just one example of Windows brain-deadedness. Stuff like that isn't
uncommon, and as long as it's not happening repeatedly from the same IP
block you should be fine. Generally "random looking" stuff from a variety
of IP blocks are not hack attempts, just weird or misconfigured clients.

When you see lots of hits on ports like 21-23 from the same IP, or if you
see lots of sequential access to a whole bunch of ports in a row, these
are possible intrusion attempts. It's helpful when you see that to send a
*polite* note to the system admin of that site and let them know that
someone is playing games.

Of course, a lot of people could give you more detailed info, but for the
most part it's not the stuff you *see* that gets you, it's the stuff that
you don't see. :) (how's that for a comforting thought)

73,

Doug
--
    On account of being a democracy and run by the people, we are the only
nation in the world that has to keep a government four years, no matter
what it does.
                -- Will Rogers
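
The rule of thumb in the reply above, written out as a small log triage script. This is an added example, not part of the original message: the log line pattern, the sample lines, the helper names and both thresholds are assumptions, and it groups by single source IP rather than by IP block to keep it short.

```python
import re
from collections import defaultdict

# Assumed syslog form of an ipfw deny entry; adjust the pattern to your logs.
LINE_RE = re.compile(
    r"ipfw: \d+ Deny (?:TCP|UDP) (?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+)")
LOGIN_PORTS = {21, 22, 23}  # the "ports like 21-23" from the message
REPEAT_THRESHOLD = 5        # assumed: denied hits on those ports from one IP
SWEEP_THRESHOLD = 6         # assumed: ports in a row that count as a sweep

def _line(src, sport, dport, proto="TCP"):
    # Builds one constructed log line; source addresses are documentation ranges.
    return (f"Jul  2 09:00:00 gw /kernel: ipfw: 65000 Deny {proto} "
            f"{src}:{sport} 10.0.0.1:{dport} in via ed0")

# Constructed sample: two stray NetBIOS probes, one telnet hammerer, one sweep.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", 8000, 137, "UDP"), _line("198.51.100.7", 8000, 137, "UDP")]
    + [_line("203.0.113.5", 1024 + i, 23) for i in range(6)]
    + [_line("203.0.113.99", 4000, port) for port in range(100, 110)])

def longest_run(ports):
    """Length of the longest run of consecutive port numbers in a set."""
    best, run, prev = 0, 0, None
    for p in sorted(ports):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def classify(log_text):
    """Map each source IP to 'port-sweep', 'repeated-login-ports' or 'noise'."""
    login_hits, ports = defaultdict(int), defaultdict(set)
    for m in LINE_RE.finditer(log_text):
        src, dport = m["src"], int(m["dport"])
        ports[src].add(dport)
        login_hits[src] += dport in LOGIN_PORTS
    verdicts = {}
    for src, seen in ports.items():
        if longest_run(seen) >= SWEEP_THRESHOLD:
            verdicts[src] = "port-sweep"
        elif login_hits[src] >= REPEAT_THRESHOLD:
            verdicts[src] = "repeated-login-ports"
        else:
            verdicts[src] = "noise"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

A source that only ever shows up once or twice against port 137 stays in the "noise" bucket, which matches the single UDP probes described in the question.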