Date: Wed, 8 Aug 2001 23:15:35 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: FreeBSD-Stable <stable@freebsd.org>
Subject: Re: Bridge?
Message-ID: <Pine.BSF.4.32.0108082310090.82953-100000@topperwein.dyndns.org>
In-Reply-To: <3B6A7025.A5F8643F@home.com>

On Fri, 3 Aug 2001, Ted Sikora wrote:

> Ha! an old one is back:
>
> Aug 2 20:07:36 dhcp-209-54-72-117 /kernel: arp: 192.168.1.1 is on ed0
> but got reply from 00:20:78:d4:a5:87 on dc0
> *********************************** WHO IS THIS??
> ***********************************
> Aug 2 20:08:02 dhcp-209-54-72-117 last message repeated 2 times
> Aug 2 20:10:00 dhcp-209-54-72-117 last message repeated 8 times
>
> I checked all my mac addresses .. IT'S NOT ON MY NETWORK!
> Unfortunately I was using 192.168.1.1 I changed the network addresses
> and so far it's quiet. That da** cable modem must be letting other users
> in from my node.??

That or someone's leaking packets from their 192.168.0.0/16 to the
outside world. I have a firewall rule to block inbound packets from
private networks on my outside NIC. Conversely, after my natd divert
rule, I have a rule to prevent my own private network traffic from
leaking out.

> I had this on one of my machines an attack??
>
> Aug 2 10:03:08 dhcp-209-54-72-114 ftpd[424]: refused PORT
> 9.100.139.211,1195 from sungold10.fr.ibm.com [194.196.100.115]
> Aug 2 10:25:20 dhcp-209-54-72-114 ftpd[466]: refused PORT
> 9.100.139.211,1213 from sungold10.fr.ibm.com [194.196.100.115]
> Aug 2 10:45:15 dhcp-209-54-72-114 ftpd[479]: francess@fr.ibm.com of
> sungold4.fr.ibm.com [194.196.100.100]: data connect from 194.196.100.101
> for /bin/ls
> Aug 2 10:45:22 dhcp-209-54-72-114 ftpd[479]: francess@fr.ibm.com of
> sungold4.fr.ibm.com [194.196.100.100]: data connect from 194.196.100.101
> for /bin/ls
> Aug 2 10:46:12 dhcp-209-54-72-114 ftpd[485]: francess@fr.ibm.com of
> sungold5.fr.ibm.com [194.196.100.101]: data connect from 194.196.100.114
> for /bin/ls
> Aug 2 10:47:01 dhcp-209-54-72-114 ftpd[487]: francess@fr.ibm.com of
> sungold9.fr.ibm.com [194.196.100.114]: data connect from 194.196.100.113
> for /bin/ls
> Aug 2 10:47:58 dhcp-209-54-72-114 ftpd[489]: francess@fr.ibm.com of
> sungold10.fr.ibm.com [194.196.100.115]: data connect from 194.196.100.99
> for /bin/ls
> Aug 2 10:48:04 dhcp-209-54-72-114 ftpd[489]: francess@fr.ibm.com of
> sungold10.fr.ibm.com [194.196.100.115]: data connect from
> 194.196.100.101 for /bin/ls

Possibly. Do you have ftpd running? If so, I'd shut it down.
There's nothing you can do with ftpd that you can't do better with scp
(or, if you must, sftp).

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
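
Added example, not part of the original message or of FreeBSD: a small log scanner for the kernel "arp: ... is on ed0 but got reply from ... on dc0" message quoted above. It credits syslogd's "last message repeated N times" lines to the right event and checks the replying MAC against an inventory; the sample log, the hostname `gw` and the `known_macs` inventory are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the kernel messages quoted in the thread;
# the hostname "gw" and the "device timeout" line are made up for the example.
SAMPLE_LOG = """\
Aug  2 20:07:36 gw /kernel: arp: 192.168.1.1 is on ed0 but got reply from 00:20:78:d4:a5:87 on dc0
Aug  2 20:08:02 gw last message repeated 2 times
Aug  2 20:09:10 gw /kernel: ed0: device timeout
Aug  2 20:09:40 gw last message repeated 3 times
Aug  2 20:10:00 gw /kernel: arp: 192.168.1.1 is on ed0 but got reply from 00:20:78:d4:a5:87 on dc0
Aug  2 20:10:30 gw last message repeated 8 times
"""

ARP_RE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<home>\w+) "
    r"but got reply from (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) "
    r"on (?P<seen>\w+)", re.I)
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def norm_mac(mac):
    """Lower-case and zero-pad each octet so inventory comparisons are exact."""
    return ":".join(f"{int(p, 16):02x}" for p in mac.split(":"))

def arp_mismatches(log_text, known_macs):
    """Count ARP replies seen on the wrong interface, per (ip, mac, ifaces)."""
    known = {norm_mac(m) for m in known_macs}
    counts = defaultdict(int)
    last = None  # key of the most recent message, if it was an ARP mismatch
    for line in log_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            last = (m["ip"], m["home"], norm_mac(m["mac"]), m["seen"])
            counts[last] += 1
        elif (r := REPEAT_RE.search(line)):
            # syslogd compresses duplicates; credit them to the last message
            # only when that message was itself an ARP mismatch.
            if last is not None:
                counts[last] += int(r.group(1))
        else:
            last = None
    return [
        {"ip": ip, "home_if": home, "mac": mac, "seen_if": seen,
         "count": n, "known": mac in known}
        for (ip, home, mac, seen), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for hit in arp_mismatches(SAMPLE_LOG, known_macs=set()):
        print(hit)
```

A hit with `known` false and a `seen_if` equal to the outside interface is the case discussed in the thread: a private-range address answering from the wrong side of the box.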