From owner-freebsd-isp Sat Mar 7 08:06:47 1998
Date: Sat, 7 Mar 1998 11:05:34 -0500 (EST)
From: zoonie
To: kris@airnet.net
cc: David Babler, freebsd-isp@FreeBSD.ORG
Subject: Re: Port 137 access - somebody monkeying around?
In-Reply-To: <3500E11B.ACD322CF@ninbox.ml.org>

i agree about being paranoid, if your system is net attached you should be
paranoid. i am....i see the same type of stuff all the time in my logs but
i really don't worry about it since it's all dropped.....

On Fri, 6 Mar 1998, Kris Kirby wrote:

> David Babler wrote:
>
> > My ipfw rules deny and log all services that I don't support here, and
> > I've noticed that I will often see a string of access attempts on my port
> > 137 (NetBIOS Name Service) from foreign addresses (not once from any of my
> > dialup customers). I was under the impression that these contacts might be
> > Bad Guys trying to take advantage of some known exploit, thinking I was
> > running NT or something. Is that a valid assumption, or is there some
> > legitimate reason why foreign IPs should be trying to connect to that
> > port? I complained once to a system one of whose dialup customers
> > continued a port 137 probe on and off for an hour. When the user was
> > contacted, he claimed he had NO IDEA what we were talking about, that he
> > might have just "tried something" with a browser.
>
> My question is this: Why are you worried about rejects? I'd make your
> alarms go off if I piped "QUIT" through Netcat. What you should worry
> about is if they can get by the rules.
>
> > Am I being too paranoid?
>
> H-E-L-K No. You can never be too paranoid about security.
>
> --
>
> Kris Kirby
> -------------------------------------------
> TGIFreeBSD... 'Nuff said.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message