From owner-freebsd-questions Sat Mar 24 8:42:59 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from edwin.mounet.com (edwin.mounet.com [216.145.76.8]) by hub.freebsd.org (Postfix) with SMTP id B347837B71B for ; Sat, 24 Mar 2001 08:42:51 -0800 (PST) (envelope-from hornback@wireco.net)
Received: (qmail 22652 invoked by uid 0); 24 Mar 2001 16:26:46 -0000
Received: from unknown (HELO tomcat) (216.145.67.77) by mounet.com with SMTP; 24 Mar 2001 16:26:46 -0000
From: "Andrew C. Hornback"
To: "Jim Freeze"
Cc: "FreeBSD Questions"
Subject: RE: Meaning of Security Check?
Date: Sat, 24 Mar 2001 11:43:32 -0500
Message-ID: <003b01c0b481$8ff5b7c0$0e00000a@tomcat>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
In-Reply-To:
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> Sent: Saturday, March 24, 2001 7:50 AM
> To: questions@freebsd.org
> Subject: Meaning of Security Check?
>
> Hi:
>
> I received the following security check and was wondering what it means:
>
> eeyore1 security check output
>
> eeyore1 kernel log messages:
>
> x3f8-0x3ff irq 4 flags 0x10 on isa
> ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
>
> ...where the above is repeated for about 100 lines
>
> I looked up port 67 in /etc/services and it says:
>
> bootps 67/tcp dhcps #Bootstrap Protocol Server
> bootps 67/udp dhcps #Bootstrap Protocol Server
>
> nslookup says:
>
> % nslookup 24.2.7.70
> Server: proxy1.lxintn1.ky.home.com
> Address: 24.5.116.15
>
> Name: lh1.rdc1.tn.home.com
> Address: 24.2.7.70
>
> Can someone explain what is happening here?

To my (semi)trained eye... you're subject to a new form of a DoS attack.

Unless you have a machine that requires the use of port 67 for some reason (i.e. booting via the network), use an ipfw rule to block that port, and have a talk with the people at home.com about your machine being attacked.

Also, you might want to do a security audit to make sure that they weren't successful at one point in time.

--- Andy

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
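Before writing a firewall rule in response to a burst like the one above, it helps to reduce the ipfw log to one line per distinct flow. The following Python is an added example, not code from this thread or from FreeBSD: it parses lines in the format quoted in the question, collapses repeated entries into a count per flow, and labels ports with their /etc/services names (bootps for 67, as looked up in the question, and bootpc for its client-side counterpart 68). The sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample in the format of the ipfw log lines quoted in the thread.
SAMPLE_LOG = """\
ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
"""

# Port names as in /etc/services: 67 is the bootps entry looked up in the
# question, 68 is its client-side counterpart bootpc.
PORT_NAMES = {22: "ssh", 67: "bootps", 68: "bootpc"}

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse_line(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(log_text):
    """Count identical flows so a burst of repeated lines collapses to one entry.
    Key: (rule, action, proto, dir, iface, src, src port name, dst, dst port name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # kernel messages that are not ipfw lines are skipped
        counts[(rec["rule"], rec["action"], rec["proto"], rec["dir"], rec["iface"],
                rec["src"], PORT_NAMES.get(rec["sport"], str(rec["sport"])),
                rec["dst"], PORT_NAMES.get(rec["dport"], str(rec["dport"])))] += 1
    return counts

def report(log_text):
    """One readable line per distinct flow, most frequent first."""
    out = []
    for (rule, action, proto, d, iface, src, sp, dst, dp), n in summarize(log_text).most_common():
        out.append(f"{n}x rule {rule} {action} {proto} {d} via {iface}: {src}:{sp} -> {dst}:{dp}")
    return out
```

Running `report()` over the real security-check output shows which rule fired, in which direction, and between which named ports, which is the information needed to decide whether a new ipfw rule, or a look at the host's own configuration, is the right response.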