Date: Fri, 02 Jul 1999 09:56:47 -1000
From: "Art Neilson, KH7PZ" <art@hawaii.rr.com>
To: Doug <Doug@gorean.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw denials
Message-ID: <3.0.6.32.19990702095647.03318220@clients1.hawaii.rr.com>
In-Reply-To: <Pine.BSF.4.05.9907021238020.25108-100000@dt054n86.san.rr.com>
References: <3.0.6.32.19990702085945.008755d0@clients1.hawaii.rr.com>
At 12:42 PM 7/2/99 -0700, you wrote:
>On Fri, 2 Jul 1999, Art Neilson, KH7PZ wrote:
>
>> Hey, I'm getting some interesting denies now that I have erected my
>> firewall, I notice a few different sites trying to UDP connect to me
>> from their port 8000 to my 137. 137 is Netbios name service? I don't
>> have Samba or any netbios junk running in my system. One of the attempts
>> was from utexas, another from stone.scour.net. Anyone know what the deal
>> is? What stuff I should expect to see and what stuff looks like a break-in?
>
> Yep, just one example of windows brain-deadedness. Stuff like that
>isn't uncommon, and as long as it's not happening repeatedly from the same
>IP block you should be fine.

Right, it does seem to be a Windows thing. I've noticed my Windows box
doing the same kind of thing before.

> Generally "random looking" stuff from a variety of IP blocks are
>not hack attempts, just weird or misconfigured clients. When you see lots
>of hits on ports like 21-23 from the same IP, or if you see lots of
>sequential access to a whole bunch of ports in a row, these are possible
>intrusion attempts. It's helpful when you see that to send a *polite* note
>to the system admin of that site and let them know that someone is playing
>games.
>
> Of course, a lot of people could give you more detailed info, but
>for the most part it's not the stuff you *see* that gets you, it's the
>stuff that you don't see. :) (how's that for a comforting thought)

No, your advice is excellent and gives me a general idea of what patterns
to look for in my logs. Makes sense. When you talk about the stuff you
don't see, you are speaking of stuff which slips past the wall? I noticed
on the ipfw man page that it has the capability to spot source routed
packets via the ipoption ssrr. Is it worth writing a rule to block any
source routed packets? I suppose if they can spoof via source routing they
can also fraggle and rebuild the packets once past the wall. There's no way
to protect against that I suppose?

>73,
>
>Doug
>--
>On account of being a democracy and run by the people, we are the only
>nation in the world that has to keep a government four years, no matter
>what it does.
> -- Will Rogers
>

  __  / )   _/_    It is a capital mistake to theorise before one has data.
 /--/ __   /       Insensibly one begins to twist facts to suit theories,
/  (_/ (_<__       Instead of theories to suit facts.
                          -- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, KH7PZ
Bank of Hawaii Tech Support
art@hawaii.rr.com
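Doug's reply above gives a heuristic for reading ipfw denial logs: scattered one-off hits from many addresses (the port 137 traffic Art saw) are noise, while repeated hits on ports such as 21-23 from a single address, or a sweep of sequential ports, deserve a closer look. The script below is an added example written for this archive page, not code from either poster. It assumes the ipfw syslog line layout shown in the comment (rule number, action, protocol, src:port, dst:port, direction, interface), uses constructed sample lines, and the thresholds are arbitrary starting points rather than anything the thread specifies.

```python
import re
from collections import defaultdict

# Assumed ipfw syslog line layout (labelled as an assumption), e.g.:
#   Jul  2 09:56:47 gw /kernel: ipfw: 300 Deny UDP 10.0.0.5:8000 192.0.2.10:137 in via ed0
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Ports Doug singles out as worth watching when hit repeatedly from one IP.
SERVICE_PORTS = {21, 22, 23}
REPEAT_THRESHOLD = 5   # repeated hits on SERVICE_PORTS from one source
SEQ_RUN_LEN = 5        # consecutive destination ports from one source

# Constructed sample log: two one-off UDP 137 hits from different hosts
# (noise), one host hammering 21-23, one host sweeping ports 20-26.
SAMPLE_LOG = """\
Jul  2 09:50:01 gw /kernel: ipfw: 300 Deny UDP 10.0.0.5:8000 192.0.2.10:137 in via ed0
Jul  2 09:51:14 gw /kernel: ipfw: 300 Deny UDP 10.0.0.6:8000 192.0.2.10:137 in via ed0
Jul  2 09:52:02 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4001 192.0.2.10:21 in via ed0
Jul  2 09:52:03 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4002 192.0.2.10:22 in via ed0
Jul  2 09:52:04 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4003 192.0.2.10:23 in via ed0
Jul  2 09:52:05 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4004 192.0.2.10:21 in via ed0
Jul  2 09:52:06 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4005 192.0.2.10:22 in via ed0
Jul  2 09:52:07 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4006 192.0.2.10:23 in via ed0
Jul  2 09:52:08 gw /kernel: ipfw: 400 Deny TCP 192.0.2.77:4007 192.0.2.10:21 in via ed0
Jul  2 09:55:00 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5000 192.0.2.10:20 in via ed0
Jul  2 09:55:00 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5001 192.0.2.10:21 in via ed0
Jul  2 09:55:00 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5002 192.0.2.10:22 in via ed0
Jul  2 09:55:01 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5003 192.0.2.10:23 in via ed0
Jul  2 09:55:01 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5004 192.0.2.10:24 in via ed0
Jul  2 09:55:01 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5005 192.0.2.10:25 in via ed0
Jul  2 09:55:02 gw /kernel: ipfw: 400 Deny TCP 198.51.100.9:5006 192.0.2.10:26 in via ed0
this line is not an ipfw record and is skipped
"""


def parse(lines):
    """Turn ipfw log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["sport"] = int(d["sport"])
        events.append(d)
    return events


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers (0 for no ports)."""
    ps = sorted(set(ports))
    if not ps:
        return 0
    best = run = 1
    for prev, cur in zip(ps, ps[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def classify(events):
    """Map each source address to 'sequential-ports', 'repeated-service' or 'noise'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["dport"])
    findings = {}
    for src, ports in by_src.items():
        service_hits = sum(1 for p in ports if p in SERVICE_PORTS)
        if longest_sequential_run(ports) >= SEQ_RUN_LEN:
            findings[src] = "sequential-ports"
        elif service_hits >= REPEAT_THRESHOLD:
            findings[src] = "repeated-service"
        else:
            findings[src] = "noise"
    return findings


if __name__ == "__main__":
    for src, verdict in sorted(classify(parse(SAMPLE_LOG.splitlines())).items()):
        print(f"{src:16} {verdict}")
```

Run it against `/var/log/security` (or wherever syslog sends ipfw output) instead of the embedded sample by passing the file's lines to `parse`. The two 137 hits come out as noise, the host repeatedly hitting 21-23 as `repeated-service`, and the port sweep as `sequential-ports`, which is the distinction Doug draws; the sequential check is tested first because a sweep across 20-26 would otherwise be reported only as service hits.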