Hi Gurus ;P

I see it in a pretty relaxing way when I get log entries from an IP 0.0.0.0 or a scan from someone. I never tried to scan back or something, what's the point?! (Portsentry is actually banning about one IP every 2nd day.) Do you usually just ignore them? Write a mail to your ISP? How do I know if a boy was pressing a few buttons or if someone seriously tried to gain access? Where is the line between script kiddy and attacker? I would like to hear your opinion about this!

Spiekey
We've found that if the scan comes from a large ISP (AOL, T-Online, Wanadoo, etc etc) reporting the scan tends to be ignored, so we log them for our reference. However, if the scan has come from a non-profit organisation (.org[.xx]), a university (.edu, .ac.uk) or from a private company's IP that's either not an ISP, or a small one, we report them. Of course some of them are still ignored, or acted upon without you knowing, but some of them keep you in the loop.
> Do you usually just ignore them? Write a mail to your ISP? How do I know if a boy was pressing a few buttons or if someone seriously tried to gain access? I would like to hear your opinion about this!

-- 
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Yuppa,

On 16-Dec-01 spiekey wrote:
> Hi Gurus ;P
> I see it in a pretty relaxing way when I get log entries from an IP 0.0.0.0 or a scan from someone. I never tried to scan back or something, what's the point?! (Portsentry is actually banning about one IP every 2nd day.)
> Do you usually just ignore them? Write a mail to your ISP? How do I know if a boy was pressing a few buttons or if someone seriously tried to gain access?
Unless you have an old WinNT installation (which will prolly crash if being heavily scanned), the technical consequences of scans are minimal, except for some log entries and other minor disturbances. A scan in itself therefore does not necessarily represent an attack, although most (serious) attacks include more or less sophisticated scans. Very roughly, most scans fall into one of these categories:
- Someone has read details about certain exploitable security holes and scans the net for promising targets
- An attacker wants to abuse improperly installed services like Wingate, Squid or Sendmail (e.g. for anonymous surfing, spamming, etc.)
- Pure curiosity ("I don't know what a scanner really does, but it works and it's fun!")
- A system is infected with active Trojans (Code Red, Nimda, Sircam, Magistr.b...) which "phone home" and try to infect other machines by scanning their respective subnets
> Where is the line between script kiddy and attacker?
This is where intrusion detection comes into play. Portsentry, which is some sort of crude IDS system, too, provides basic anti-scanning facilities and also is able to drop offending routes, but it does not help in determining the real source, nature, and target of the scan and other activities connected with it. For instance, if an attacker scans/probes your host and finds a vulnerable FTP server, he/she may decide to attack this service, which would create totally different attack signatures than scans; portsentry would not be helpful here, and without a proper IDS system, you would prolly never notice that something's going on until the box is rooted.

With IDS systems like Snort you would be able to see other activities of suspicious IPs; you'd see portscans, probes, exploit signatures, etc. This would provide a better picture of attacks and a much better basis for further investigations.

As a rule of thumb, I would report attacks (e.g. a preliminary scan, version probes of certain services and exploit attempts, all from the same IP), but not simple scan sweeps for common holes or installed Trojans (NetBus comes to mind). Of course it's useless to report scans for services you do not offer, too. Remember, if you report too frequently, you may suffer from the "cry wolf" syndrome; your ISP may be annoyed by your constant "false alarms" and may react sloppily if something really serious happens.
> Spiekey
Boris Lorenz
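Putting James's domain-based reporting heuristic and Boris's rule of thumb together, here is an added Python example (my own, not code from anyone in the thread) that groups log entries by source IP, classifies what each IP did, and decides whether to report or merely log it. The simplified log format, the constructed log lines, the list of offered ports, the ISP domain suffixes (the ISPs are the ones James names; the domains are my assumption), the NetBus default port (a documented value, not from the thread) and the reverse-DNS table are all assumptions so that the example runs offline; a real deployment would parse actual portsentry and Snort output and do real PTR lookups.

```python
"""Triage of scan/probe log entries per source IP (added example, not from the thread).
Boris's rule: scans + version probes + exploit attempts from one IP -> report;
bare sweeps or scans for services you don't offer -> log only.
James's rule: for bare scans, large ISPs tend to ignore reports -> log those, report the rest."""
import re
from collections import defaultdict

# --- Assumptions for this example; none of these values come from the thread ---
OFFERED_PORTS = {21, 22, 25, 80}                  # services this host actually runs
TROJAN_PORTS = {12345: "NetBus"}                  # NetBus' documented default port
LARGE_ISP_SUFFIXES = ("aol.com", "t-online.de", "wanadoo.fr")  # ISPs James names; domains assumed
# Constructed reverse-DNS table standing in for live PTR lookups (runs offline).
RDNS = {
    "203.0.113.7": "dialup-7.dsl.t-online.de",
    "198.51.100.23": "ws42.lab.campus-example.edu",
    "192.0.2.99": "host99.smallisp-example.net",
    "192.0.2.150": "gw.nonprofit-example.org",
}

# Constructed log lines in a simplified format:
# "<timestamp> <kind> src=<ip> port=<n> [sig=<name>]"
SAMPLE_LOG = """\
Dec 16 03:12:01 scan src=203.0.113.7 port=12345
Dec 16 03:12:02 scan src=203.0.113.7 port=12345
Dec 16 04:01:10 scan src=198.51.100.23 port=21
Dec 16 04:01:11 scan src=198.51.100.23 port=22
Dec 16 04:02:30 probe src=198.51.100.23 port=21 sig=ftp-banner-grab
Dec 16 04:05:02 exploit src=198.51.100.23 port=21 sig=ftp-overflow-attempt
Dec 16 05:20:00 scan src=192.0.2.99 port=1080
Dec 16 05:20:01 scan src=192.0.2.99 port=3128
Dec 16 06:00:00 scan src=192.0.2.150 port=22
Dec 16 06:00:01 scan src=192.0.2.150 port=25
Dec 16 07:30:00 scan src=203.0.113.200 port=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kind>scan|probe|exploit) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) port=(?P<port>\d+)(?: sig=(?P<sig>\S+))?$"
)


def parse_log(text):
    """Return one dict per parseable line; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def classify_activity(events):
    """Boris's rule: several stages from one IP look like an attack; a bare
    sweep, or scans for services we don't run, do not."""
    kinds = {e["kind"] for e in events}
    ports = {e["port"] for e in events}
    if "exploit" in kinds or len(kinds) >= 2:
        return "attack"
    if ports <= set(TROJAN_PORTS):
        return "trojan-sweep"
    if ports.isdisjoint(OFFERED_PORTS):
        return "sweep-not-offered"
    return "scan-sweep"


def source_class(ip):
    """James's rule of thumb, using the constructed RDNS table."""
    host = RDNS.get(ip)
    if host is None:
        return "no-ptr"
    if host.endswith(LARGE_ISP_SUFFIXES):
        return "large-isp"
    return "other"      # .org/.edu/.ac.uk, small ISP, private company: worth a report


def decide(activity, src_class):
    if activity == "attack":
        return "report"                     # always, regardless of who owns the IP
    if activity in ("trojan-sweep", "sweep-not-offered"):
        return "log"                        # useless to report (Boris)
    return "log" if src_class in ("large-isp", "no-ptr") else "report"   # James


def triage(text):
    """Group events by source IP and attach activity, source class and action."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)
    result = {}
    for ip, evs in by_src.items():
        activity = classify_activity(evs)
        src_class = source_class(ip)
        result[ip] = {
            "activity": activity,
            "source": src_class,
            "action": decide(activity, src_class),
            "ports": sorted({e["port"] for e in evs}),
        }
    return result


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {r['activity']:18} {r['source']:10} -> {r['action']}  ports={r['ports']}")
```

Run as-is, the script flags only the one IP that scanned, probed and then attacked the FTP port as worth a report, logs the NetBus sweep and the proxy sweep against ports the host does not offer, and for the remaining bare scans lets the source's domain decide. The thresholds (two distinct stages, or any exploit signature) are a starting point to tune against your own logs, not a fixed rule.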