
Hello!

I am using logcheck and portsentry. I read that port 445 is something from SMB and not really a reason to worry about, but well, it's an external IP which wanted to "do" something. Something to worry about?

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dec 3 01:43:47 suse portsentry[5576]: attackalert: TCP SYN/Normal scan from host: pD951A6F2.dip.t-dialin.net/217.81.166.242 to TCP port: 445
Dec 3 01:43:47 suse portsentry[5576]: attackalert: Host 217.81.166.242 has been blocked via wrappers with string: "ALL: 217.81.166.242"

Thanks!
Spiekey

Hi Spiekey,

Port 445 is owned by a file sharing service on Win2k hosts. Earlier this year there was a guy using this port and weak passwords on some MS peripheral servers to gain access to the whole MS network: http://www.newsbytes.com/news/01/169408.html

Furthermore some Samba servers, especially samba-tng, use port 445 to provide a PDC-like service for Win2k/NT hosts.

So if you're not running a Samba server on your firewall - btw: you should never do so! - and therefore port 445 is closed on your system, you don't have to worry about it.

Hope that helped.

Cheers,
Ralf

Hi,

I had portscans from pD9E10B41.dip.t-dialin.net which I reported to abuse@t-online.de. They answered within 24 hours and wrote: "The user will be detected and we'll give him a warning."

I am not using portsentry but iplog; the portscan was very obvious, followed by an (unsuccessful) anonymous FTP connection attempt. Typical script kiddy I guess.

To answer your question: check all your other logs for connection attempts to all servers/daemons you run (just grep for the IP). That should give you an idea what else happened.

Erwin
--
Erwin Zierler | web- / host- / postmaster - stubainet.at
erwin.zierler@stubainet.at / webmaster@stubainet.at
Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
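As an added example (not code from anyone in this thread), a small Python script that parses portsentry "attackalert" scan lines like the ones spiekey posted and then does Erwin's "grep for the IP" across other daemon logs, counting hits per log file. Apart from spiekey's two portsentry lines, all log lines, host names and the second IP are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a logcheck "Active System Attack Alerts" section.
# The first two lines are spiekey's; the third is made up for illustration.
PORTSENTRY_LOG = """\
Dec 3 01:43:47 suse portsentry[5576]: attackalert: TCP SYN/Normal scan from host: pD951A6F2.dip.t-dialin.net/217.81.166.242 to TCP port: 445
Dec 3 01:43:47 suse portsentry[5576]: attackalert: Host 217.81.166.242 has been blocked via wrappers with string: "ALL: 217.81.166.242"
Dec 3 02:10:05 suse portsentry[5576]: attackalert: TCP SYN/Normal scan from host: example.invalid/192.0.2.10 to TCP port: 139
"""

# Constructed lines from other daemons on the same host (sshd, proftpd, smbd).
OTHER_LOGS = {
    "messages": """\
Dec 3 01:43:49 suse sshd[5601]: Failed password for invalid user admin from 217.81.166.242 port 40122 ssh2
Dec 3 01:44:02 suse proftpd[5603]: connect from 217.81.166.242 (217.81.166.242)
Dec 3 01:50:00 suse sshd[5620]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
""",
    "smbd.log": """\
Dec 3 01:43:48 suse smbd[5599]: connection denied from 217.81.166.242
""",
}

# Matches the portsentry scan line format: "<host>/<ip> to TCP port: <n>".
SCAN_RE = re.compile(
    r"attackalert: TCP SYN/Normal scan from host: (\S+)/(\d+\.\d+\.\d+\.\d+) to TCP port: (\d+)"
)

def parse_portsentry_scans(text):
    """Return {ip: {"host": reverse name, "ports": set of scanned ports}}."""
    scans = {}
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            host, ip, port = m.groups()
            entry = scans.setdefault(ip, {"host": host, "ports": set()})
            entry["ports"].add(int(port))
    return scans

def correlate(scans, logs):
    """For each scanning IP, count lines in each other log that mention it.

    The IP is matched as a whole token so 10.0.0.1 does not match 10.0.0.10."""
    hits = {ip: defaultdict(int) for ip in scans}
    for name, text in logs.items():
        for line in text.splitlines():
            for ip in scans:
                if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                    hits[ip][name] += 1
    return {ip: dict(h) for ip, h in hits.items()}
```

An IP with an empty hit dict only touched the port portsentry trapped, which is the "nothing else happened" case Erwin describes; non-empty counts tell you which daemons' logs to read next.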