I have the scanlogd package installed on my linux box. It has repeatedly logged scanning from 209.144.167.150:20 when I am downloading updates and KDE 1.2 packages from ftp.suse.com. My box sits behind a Cisco 675 that is doing NAT. The box being scanned is on the 10.0.0.0 network. It seems that because I have an established connection with ftp.suse.com, my box can be scanned, even though the box is on a non-routable address space.

I am not an expert and am wondering if the scanning is really coming from ftp.suse.com or am I being led to that conclusion by the person scanning. The fact that I have wiped out my original install, as well as all the other nodes in my small network, changed network node numbers, was scanned again only after logging on to ftp.suse.com, and the fact that the only node scanned on my small home network was the only one connected to ftp.suse.com, makes me believe that the scanning is started when I connect to ftp.suse.com.

Any help would be appreciated.

Thank you,
Russell
Russell Evans wrote:
> I have the scanlogd package installed on my linux box. It has repeatedly logged scanning from 209.144.167.150:20 when I am downloading updates and KDE 1.2 packages from ftp.suse.com.
> [...]

You might not have been scanned at all. If you open an FTP update session via YaST, it opens very many FTP sessions to the FTP server to get description and index files. Due to the FTP protocol, every FTP connection initiates a data session on a high port number. Now your scanlogd just sees that there are suddenly many connections from ftp.suse.com coming in to your machine. Due to being too secure (which is good), it warns you that the remote system might scan you.

scanlogd does not check if there is a real person sitting at its machine utilizing FTP. It just does its job and warns you that there are many connections with a short time difference coming in from another host.

So, whenever you initiate an FTP session and get "scanlogged" by the remote host in that moment, it is very unlikely to be a scan, but rather just the normal FTP data streams that carry the files you want...

cya,
Stefan Salzer

--
Quality is not what you promise, but what you deliver!

Would you like to receive our free newsletter "cinNews"? You can subscribe at http://news.cin.de!

Stefan Salzer, Connect Internetworking
Hauptstr. 139, 63110 Rodgau, Germany
e-Mail: salt@cin.de
Telefon: +49 6106 8498 0
Telefax: +49 6106 8498 299
WWW: http://www.cin.de
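A triage sketch for the situation discussed in this thread, added here and not part of either message: it parses scanlogd alerts (line layout assumed from the scanlogd man page) and marks one as probable active-mode FTP data traffic only when the source port is 20, every listed destination port is unprivileged, and the source is in `ftp_servers`, a hypothetical caller-supplied set of servers with an open FTP control session. The sample lines and the 10.0.0.2 address are constructed.

```python
import re

# Line layout assumed from the scanlogd man page:
#   saddr[:sport] to daddr [and others,] ports p1, p2, ..., flags @HH:MM:SS
ALERT = re.compile(
    r"scanlogd: (\d+\.\d+\.\d+\.\d+)(?::(\d+))? to (\S+) "
    r"(?:and others, )?ports ((?:\d+, )+)"
)

def parse_alert(line):
    """Return the fields of one scanlogd alert, or None for other lines."""
    m = ALERT.search(line)
    if not m:
        return None
    return {
        "src": m.group(1),
        # scanlogd prints a source port only when all packets shared it
        "sport": int(m.group(2)) if m.group(2) else None,
        "dst": m.group(3),
        "ports": [int(p) for p in m.group(4).split(", ") if p],
    }

def triage(line, ftp_servers):
    """Return 'ftp-data', 'investigate', or None when line is not an alert.

    ftp_servers (hypothetical input): addresses this host had an FTP
    control session open to when the alert fired, e.g. from netstat.
    """
    alert = parse_alert(line)
    if alert is None:
        return None
    from_data_port = alert["sport"] == 20  # ftp-data
    only_high_ports = all(p >= 1024 for p in alert["ports"])
    expected_peer = alert["src"] in ftp_servers
    # Port 20 alone proves nothing: the sender chooses its source port.
    if from_data_port and only_high_ports and expected_peer:
        return "ftp-data"
    return "investigate"

# Constructed sample lines, not real log output.
SAMPLES = [
    "scanlogd: 209.144.167.150:20 to 10.0.0.2 ports 1025, 1026, 1027, "
    "1028, 1029, 1030, 1031, ..., f??pauxy, TOS 08 @20:15:03",
    "scanlogd: 192.0.2.77:20 to 10.0.0.2 ports 1025, 1026, 1027, "
    "1028, 1029, 1030, 1031, ..., fSrpauxy, TOS 00 @20:16:41",
    "scanlogd: 209.144.167.150 to 10.0.0.2 ports 21, 22, 23, 25, 79, "
    "80, 110, ..., fSrpauxy, TOS 00 @20:17:02",
]
RESULTS = [triage(s, {"209.144.167.150"}) for s in SAMPLES]
```

Only the first sample is classified as FTP data; the second shares the source port but comes from a host with no control session, and the third touches privileged ports.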