I have a static IP, but nothing points to my machine yet (meaning DNS or any links). The only way people could find my IP address is by my mail or port scanning the network, I'd guess.

Anyway, I was surprised how often my firewall rejects connections. I get quite a few telnet and ftp attempts (those are blocked not by the firewall, but with tcpwrappers which does a finger of them when they try to connect), but also for port 137 which is netbios ns.

Anyone know what people are trying when they try to connect to port 137?

Is this just a fact of life that everyday people try to access?

Bill Moseley mailto:moseley@hank.org

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
Hi

netbios ns is used by windows clients for file and print sharing. So the most likely source of these connections is fairly innocuous. There is very little you can do to stop windows clients from trying to connect to your machine due to the insane communications protocols MS decided to use.

Andy

On Fri, 26 May 2000, you wrote:
I have a static IP, but nothing points to my machine yet (meaning DNS or any links). The only way people could find my IP address is by my mail or port scanning the network, I'd guess.
Anyway, I was surprised how often my firewall rejects connections. I get quite a few telnet and ftp attempts (those are blocked not by the firewall, but with tcpwrappers which does a finger of them when they try to connect), but also for port 137 which is netbios ns.
Anyone know what people are trying when they try to connect to port 137?
Is this just a fact of life that everyday people try to access?
Bill Moseley mailto:moseley@hank.org
-- Molecular & Cellular Biology, Division of Biomedical Sciences, Queen Mary & Westfield College, Mile End Road, London E1 4NS. Tel: 0044 (0) 20 79 75 55 55 Extn 4923 Fax: 0044 (0) 20 89 83 05 31
Andrew James Benie tapped away at the keyboard with:
netbios ns is used by windows clients for file and print sharing. So the most likely source of these connections is fairly innocuous. There is very little you can do to stop windows clients from trying to connect to your machine due to the insane communications protocols MS decided to use.
I've had good results simply asking an ISP of the "offender" why my port was "pinged" by one of their systems. It can even be an IMAP (port 143) attempt. As far as I know, there's no legitimate reason why a stranger should attempt to try to connect to that port, so I simply asked them to explain why it happened, providing log information from the firewall.

Their response a few days later:

Dear Sir/Madam, We have identified the account that sourced that attack and have taken appropriate action against them. If any of these attacks occur in the future do not hesitate to contact us.

Note that I never mentioned the word attack in my email to them. They obviously understand that there might be a problem; especially with spammers trying their best to abuse the fragile network.

Keep an eye on your log files. Report any apparent problems to the ISP concerned.

Another trick; if you don't want to relay email via (e)smtp; don't tell them immediately. Wait for between 30 seconds to 2 minutes, then tell them. If everybody did that, then the spammers would take about 10 times as long to find an "open" port.

-- Bernd Felsche - Innovative Reckoning Perth, Western Australia
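Bernd's greeting-delay trick, written out as an added example (this is not code from the thread or from any product the list discusses): a small asyncio listener that withholds the SMTP 220 banner for a configurable time. It goes one step beyond the post by also refusing any client that sends a command before it has been greeted. RFC 5321 obliges the client to wait for the server's greeting, so a real MTA sits quietly through the delay, while a scanner that blasts HELO/EHLO at every open port identifies itself within the first second. The banner hostname, the 554 text and the loopback port-0 demo are assumptions made for the example.

```python
import asyncio

BANNER = b"220 mail.example.invalid ESMTP ready\r\n"          # hypothetical hostname
EARLY_TALKER = b"554 5.7.1 Command sent before greeting; bye\r\n"  # assumed reply text


async def handle_client(reader, writer, delay):
    """Withhold the 220 banner for `delay` seconds.

    A compliant client waits silently for the greeting. Anything that sends a
    complete line before the banner is an early talker: it gets a 554 and the
    connection is closed. Returns a verdict string for the demo and tests.
    The rest of the SMTP dialogue is out of scope; the demo closes after the
    greeting. A partial line with no newline is treated as silence here.
    """
    try:
        try:
            premature = await asyncio.wait_for(reader.readline(), timeout=delay)
        except asyncio.TimeoutError:
            premature = b""                      # client stayed quiet: the normal case
        if premature:
            writer.write(EARLY_TALKER)
            await writer.drain()
            return "rejected"
        if reader.at_eof():
            return "disconnected"                # scanner gave up during the delay
        writer.write(BANNER)
        await writer.drain()
        return "greeted"
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass


async def start_server(delay, verdicts, host="127.0.0.1", port=0):
    """Listen on an OS-chosen loopback port; `verdicts` collects each handler's result."""
    async def on_connect(reader, writer):
        verdicts.append(await handle_client(reader, writer, delay))
    return await asyncio.start_server(on_connect, host, port)


async def probe(port, talk_early, timeout):
    """Connect as a client, optionally sending EHLO before the banner; return the first server line."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        if talk_early:
            writer.write(b"EHLO bulk-mailer.invalid\r\n")   # constructed early-talker behaviour
            await writer.drain()
        return await asyncio.wait_for(reader.readline(), timeout=timeout)
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass


async def _demo(delay):
    verdicts = []
    server = await start_server(delay, verdicts)
    port = server.sockets[0].getsockname()[1]
    polite = await probe(port, talk_early=False, timeout=delay + 5)
    rude = await probe(port, talk_early=True, timeout=delay + 5)
    while len(verdicts) < 2:                     # let both handlers finish closing
        await asyncio.sleep(0.01)
    server.close()
    await server.wait_closed()
    return polite, rude, verdicts


def run_demo(delay=0.5):
    """Run a quiet client and an early talker against a throwaway server.
    Returns (reply to quiet client, reply to early talker, server verdicts)."""
    return asyncio.run(_demo(delay))


if __name__ == "__main__":
    quiet_reply, rude_reply, results = run_demo(2.0)
    print("quiet client got:", quiet_reply.decode().strip())
    print("early talker got:", rude_reply.decode().strip())
    print("server verdicts:", results)
```

In production the delay would be the 30 seconds to 2 minutes Bernd suggests, and the handler would hand a greeted client to the real SMTP engine instead of closing; the demo uses a short delay only so it finishes quickly.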
On Fri, 26 May 2000, Bill Moseley wrote:
I have a static IP, but nothing points to my machine yet (meaning DNS or any links). The only way people could find my IP address is by my mail or port scanning the network, I'd guess.
Anyway, I was surprised how often my firewall rejects connections. I get quite a few telnet and ftp attempts (those are blocked not by the firewall, but with tcpwrappers which does a finger of them when they try to connect), but also for port 137 which is netbios ns.
Anyone know what people are trying when they try to connect to port 137?
Is this just a fact of life that everyday people try to access?
You will see spammers [both email and news] scanning for open email and news servers. Others are looking for machines to use to attack others. Some are just kids looking to prove they can. But most of the stuff I see is people trying to connect to game servers. If your machine can be used for somebody else's advantage it will be, so just keep it locked up tight.

Nick

-- Nick Zentena "The Linux issue," Wladawsky-Berger explained, "is whether this is a fundamentally disruptive technology, like the microprocessor and the Internet? We're betting that it is."
Bill Moseley wrote:
Anyone know what people are trying when they try to connect to port 137?
I may be wrong (wouldn't be the first time) but quite a lot of these so-called "probes" that firewalls report are simply your ISP doing a form of 'ping' to see if your network (or dialup) connection is still active. In this day & age of bandwidth shortages, it is in the ISPs' interest to kill your connection (if he uses NT), or 'renice' it (with Unix) to free up a few kbps.
Is this just a fact of life that everyday people try to access?
'Fraid so. There really can't be that many script-kiddies out there!
Bill Moseley mailto:moseley@hank.org
-- Regards Don Hansford ECKYTECH COMPUTING Surfing the Net (without crashing) With SuSE 6.4 Linux (Thanx Linus!) "Microsoft democratised the computer market and served as a catalyst in making computers available to everybody. Later, however, they did as many revolutionaries do -- they became dictators. History has taught us the inevitable fate of dictators."
Don Hansford tapped away at the keyboard with:
Bill Moseley wrote:
Anyone know what people are trying when they try to connect to port 137?
I may be wrong (wouldn't be the first time) but quite a lot of these so-called "probes" that firewalls report are simply your ISP doing a form of 'ping' to see if your network (or dialup) connection is still active. In this day & age of bandwidth shortages, it is in the ISPs' interest to kill your connection (if he uses NT), or 'renice' it (with Unix) to free up a few kbps.
I would think it rather silly of an ISP to do that because the LQM is there to do that anyway. They have no business doing that on "my" firewalls anyway; they are 24x7 connects.

If in doubt; report to the source ISP. [Just had another (ab)user's connection pulled.]

And yes; I can confirm an attack attempt as follows: (destination address concealed!)

May 26 03:19:20 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=51198 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52478 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52734 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54270 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54526 F=0x0000 T=110 (#76)

Note the use of two addresses from different sources at the same time. And the connection source port!

I cannot get consistent traceroutes on those source addresses at the moment - the 206.230.103.21 disappears at apx-1.portsmouth.zoomnet.net (206.230.102.17)

No success at all with 169.254.84.21 which seems to wind up looping at 203.166.7.141.

-- Bernd Felsche - Innovative Reckoning Perth, Western Australia
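A small triage script for the ipchains "Packet log:" lines Bernd posted, added here as an example and not code from the thread. It parses the log format shown above, singles out UDP packets with port 137 on both ends (the pattern NetBIOS name-service queries actually use, which is why the source port Bernd points at is 137 and not an ephemeral port), counts them per source, and flags sources that cannot legitimately reach you from the Internet. 169.254.0.0/16 is the link-local (APIPA) range a Windows host falls back to when DHCP fails; a packet claiming that source on an Internet link is either spoofed or leaked through a broken gateway, and there is nobody to traceroute to, which matches the looping traceroute Bernd saw. The sample lines are constructed from the post's format with the destination rewritten to an RFC 5737 documentation address, and the final TCP/143 line is made up to show non-NetBIOS traffic being kept separate.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" format quoted above. The
# destination is a documentation address; the last line (a TCP/143 probe from
# a made-up source) is added to show other traffic being classified apart.
SAMPLE_LOG = """\
May 26 03:19:20 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 192.0.2.10:137 L=78 S=0x00 I=51198 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 192.0.2.10:137 L=78 S=0x00 I=52478 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 192.0.2.10:137 L=78 S=0x00 I=52734 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 192.0.2.10:137 L=78 S=0x00 I=54270 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 192.0.2.10:137 L=78 S=0x00 I=54526 F=0x0000 T=110 (#76)
May 26 03:20:01 rocky kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:4321 192.0.2.10:143 L=60 S=0x00 I=1 F=0x4000 T=52 (#77)
"""

# Field layout of an ipchains log line: chain, verdict, interface, protocol
# number, src:sport, dst:dport, length, TOS, IP id, fragment flags, TTL, rule.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

UDP = 17
NETBIOS_NS = 137

# Address ranges that must never appear as a source on an Internet-facing link:
# "this" network, RFC 1918 private space, loopback, link-local, multicast, reserved.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_line(line):
    """Return a dict of the fields of one ipchains packet-log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def is_netbios_ns_probe(rec):
    """NetBIOS name-service traffic is UDP with port 137 on both ends."""
    return rec["proto"] == UDP and rec["dport"] == NETBIOS_NS and rec["sport"] == NETBIOS_NS


def source_is_bogus(addr):
    """True when the source address cannot legitimately have come from the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_NETS)


def summarize(log_text):
    """Count denied NetBIOS-NS probes per source, note unroutable sources, list the rest."""
    nbns = Counter()
    bogus = set()
    other = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        if is_netbios_ns_probe(rec):
            nbns[rec["src"]] += 1
            if source_is_bogus(rec["src"]):
                bogus.add(rec["src"])
        else:
            other.append((rec["src"], rec["proto"], rec["dport"]))
    return {"netbios_ns": nbns, "bogus_sources": bogus, "other": other}


def report(summary):
    """Render the summary as the lines you would paste into a complaint to an ISP."""
    lines = []
    for src, n in summary["netbios_ns"].most_common():
        tag = "  <- not a routable Internet source (spoofed or leaked)" if src in summary["bogus_sources"] else ""
        lines.append(f"udp/137 probes from {src}: {n}{tag}")
    for src, proto, dport in summary["other"]:
        lines.append(f"other denied packet from {src}: proto {proto} dport {dport}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Only the routable sources are worth an abuse report; for the link-local one there is no ISP to write to, and the useful question is which upstream hop let a packet with that source through.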
bernie@innovative.iinet.net.au wrote: I have never been worthy enough (or rich enough) to rate a 24/7 connection. :-) I live in hope, but!!!
They have no business doing that on "my" firewalls anyway; they are 24x7 connects.
If in doubt; report to the source ISP.
That's always a good idea; the other one is to report to your own ISP. He then adds weight to your complaint by threatening to axe their clients from his service (handy if you need some 'muscle').
[Just had another (ab)user's connection pulled.]
And yes; I can confirm an attack attempt as follows: (destination address concealed!)
May 26 03:19:20 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=51198 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52478 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52734 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54270 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54526 F=0x0000 T=110 (#76)
Note the use of two addresses from different sources at the same time. And the connection source port!
Sounds like someone with their own DNS server, or working through a server in a large institution (college/ TAFE etc).
I cannot get consistent traceroutes on those source addresses at the moment - the 206.230.103.21 disappears at apx-1.portsmouth.zoomnet.net (206.230.102.17)
No success at all with 169.254.84.21 which seems to wind up looping at 203.166.7.141.
-- Bernd Felsche - Innovative Reckoning Perth, Western Australia
-- Regards Don Hansford ECKYTECH COMPUTING Surfing the Net (without crashing) With SuSE 6.4 Linux (Thanx Linus!) "Microsoft democratised the computer market and served as a catalyst in making computers available to everybody. Later, however, they did as many revolutionaries do -- they became dictators. History has taught us the inevitable fate of dictators."
On Fri, 26 May 2000, Don Hansford wrote:
Bill Moseley wrote:
Anyone know what people are trying when they try to connect to port 137?
I may be wrong (wouldn't be the first time) but quite a lot of these so-called "probes" that firewalls report are simply your ISP doing a form of 'ping' to see if your network (or dialup) connection is still active. In this day & age of bandwidth shortages, it is in the ISPs' interest to kill your connection (if he uses NT), or 'renice' it (with Unix) to free up a few kbps.
Most of the complaints will come from people with either a DSL or a cable modem. Now some ISPs do scan those [When @Home was facing its UDP it was supposedly scanning users] but most of the attacks will hit well known ports. Ports with well known weaknesses.
'Fraid so There really can't be that many script-kiddies out there!
I've been probed by literally every major European country. [Including Russia and Turkey] Most of North America, Australia, Japan and Korea. There are enough people out there scanning for various reasons that most days I'll see something. It's sad but better safe than sorry.

Most people either have an old, out-of-date computer lying around or can get one fairly cheap. They aren't much use for modern windows users but make great firewall machines. Recycle: turn old computers into firewalls :-)

Nick

-- Nick Zentena "The Linux issue," Wladawsky-Berger explained, "is whether this is a fundamentally disruptive technology, like the microprocessor and the Internet? We're betting that it is."
On Fri, 26 May 2000, Nick Zentena wrote:
Most people either have an old out date computer lying around or can get one fairly cheap. They aren't much use for modern windows users but make great firewall machines. Recycle: turn old computers into firewalls-)
Yep. My sister, who somehow has more computers than I do in spite of the fact that she's a student and her boyfriend's a carpet-layer, gave me a 486sx/25 box as payment for computer support (and also to avoid having to haul it to the trash). Makes a fine firewall on my modem line.

I'm thinking of starting to set up a 486/66 on a PCI motherboard as a second firewall, so I'll have it ready (with two network cards) when I get a DSL or cable modem.

(Irrelevant note: the total theoretical bandwidth of the processor bus to memory on these old machines is approximately 1 gigabit per second. Some companies are installing networks with the same theoretical bandwidth to the desktop.)
participants (6)
- a.j.benie@qmw.ac.uk
- bernie@innovative.iinet.net.au
- donh@halenet.com.au
- moseley@hank.org
- warrl@blarg.net
- zentena@hophead.dyndns.org