Mailinglist Archive: opensuse (4343 mails)

Re: [SLE] iptables
  • From: Rikard Johnels <rjhn@xxxxxxxx>
  • Date: Sat, 2 Nov 2002 17:44:34 +0100
  • Message-id: <200211021744.34685.rjhn@xxxxxxxx>
On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
> Hi
>
> > 213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
>
> Someone is trying to see if they can creep in through your web server...
>
> > And so forth...
> > Is there a way to block them automagically, or do I have to do it "by
> > hand"?
>
> At http://freshmeat.net you could find some clever scripts that can do
> it.
>
> > Also: I nmap my gateway:
> > server:~ # nmap -sT 213.66.182.24
>
> Did you do it from "outside" or from the gateway/LAN? The result is
> different.
>
> > Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( www.insecure.org/nmap/ )
> > Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
> > (The 1515 ports scanned but not shown below are in state: closed)
> > Port State Service
> > 21/tcp open ftp
> > 22/tcp open ssh
> > 80/tcp open http
> > 111/tcp open sunrpc
> > 139/tcp open netbios-ssn
> > 631/tcp open unknown
> > 1009/tcp open unknown
> > 1025/tcp open listen
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> >
> > I run iptables and try to block 111,139,631,1009 and 1025
> > iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
> > but it is still open if I check again. Why?
>
> Have a look in /etc/inetd.conf, some of the services might be there, and
> come before the firewall in the incoming queue.
>
> Jaska.


That someone is trying is obvious :)
The thing is I have TWO attempts of the exact same type in less than 1 hr.
[02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100]
One address in Germany and one in Sweden.
Go figure...

I scanned from the "inside", that is from the server itself.
I have no way of scanning from the outside at this point.. :(
The inetd.conf is "clean". (i.e. nothing enabled)
So how can I check "myself"?

--

/Rikard

------------------------------------------------------------------------------------
Rikard Johnels email : rjhn@xxxxxxxx
Web : http://www.rikjoh.com
Mob : +46 70 464 99 39

------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
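
An added example, not part of the original message or of any script mentioned in the thread: one way to approach the "block them automagically" question is to scan the access log for the probe quoted above and print iptables DROP rules for review. The log lines are constructed with documentation addresses, and the allow-listed LAN range and the function names are assumptions.

```python
import ipaddress
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+$')
# Probe signature taken from the log line quoted in the thread.
PROBES = [re.compile(r"^/scripts/root\.exe", re.I)]
# Never block these (assumed LAN range and loopback; adjust to your network).
ALLOW = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]

def probing_hosts(lines, probes=PROBES, allow=ALLOW):
    """Return {source_ip: hit_count} for requests matching a probe pattern."""
    hits = {}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                      # malformed line: skip, never guess
        host, request, _status = m.groups()
        parts = request.split(" ")
        if len(parts) < 2 or not any(p.search(parts[1]) for p in probes):
            continue
        try:
            ip = ipaddress.ip_address(host)   # only a literal IP may reach a rule
        except ValueError:
            continue                      # hostname or junk in the host field
        if any(ip in net for net in allow):
            continue                      # do not lock out your own hosts
        hits[str(ip)] = hits.get(str(ip), 0) + 1
    return hits

def drop_rules(hits, iface="eth0"):
    """Build iptables commands for review; nothing is executed here."""
    return [f"iptables -I INPUT -i {iface} -s {ip} -j DROP" for ip in sorted(hits)]

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [02/Nov/2002:16:09:41 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    '198.51.100.7 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    '192.0.2.10 - - [02/Nov/2002:16:50:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    '203.0.113.5 - - [02/Nov/2002:16:51:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.168.1.20 - - [02/Nov/2002:16:52:00 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    'scanner.example - - [02/Nov/2002:16:53:00 +0100] "GET /scripts/root.exe HTTP/1.0" 404 270',
]

if __name__ == "__main__":
    for rule in drop_rules(probing_hosts(SAMPLE)):
        print(rule)
```

Only the host field, validated as a literal IP address, ever reaches a rule; the request string is attacker-controlled and is used for matching only.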
