On Tue, Jul 18, 2000 at 10:33 +0200, Rupert Kittinger wrote:
[ ... being "port scanned" when doing massive ftp ... ]
Anyway, I do not think that those probes are all false alarms. I informed the various responsible administrators, and there was one case where the offending host was found to have been compromised.
I only had it once these days, that visiting www.avp2000.com (an antivirus company) will make you repeatedly contacted for SMB services (137/tcp). They don't support mail addresses abuse nor postmaster nor administrator. It seems to fit that they host an NT server for HTTP although they should know better about the platform's vulnerability. But that's completely a different story.

FTP is a somewhat strange protocol. You initially open up a "command channel" and for every transfer (get, put, ls(!)) a new connection parallel to the former gets established. That's when a sequence of cd and ls (as some clients do automatically) can look like a few quick connection attempts from the same source. Some portscan detectors jump in on this(id?).

Detecting portscans is a twofolded(id?) matter in any way. If you set the trigger level too low any normal working sequence looks like an attempt to attack or examine you. But there's still no cure against so called slow scans. And even if _you_ are "visited" less frequently scanning a wide address range this way still can be quite efficient (instead of scanning locally restricted ranges in a quick manner).

Regarding the fact that scanning is nothing you can avoid and with a decent filter setup is even something you needn't really be concerned about you might as well disable your scanning detector and have your filter log unsuccessful contact tries or suspicious packets to a file you can get back to for later reference in case you suspect to be attacked. It depends on the volume of these log entries whether you have them "prepared" for your reading or whether you're reading them "live" for making up your own opinion (see logcheck and friends for this).

And carry out the usual steps UNIX offers you to protect yourself against abuse and resource starvation (limit rusage parameters, limit connection rates, etc).

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
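
Added example, not part of the original message: a naive threshold-based portscan detector run over constructed connection events, showing the trade-off described above (a low trigger level flags a busy FTP session, while a slow scan stays under either level). The addresses, ports, timings and function names are made up for illustration, and each FTP transfer is assumed to appear as one inbound connection to a fresh port.

```python
from collections import defaultdict, deque

def flag_sources(events, threshold, window):
    """Naive detector: flag a source that touches >= threshold distinct
    destination ports within `window` seconds.
    events: (timestamp_seconds, src_ip, dst_port) tuples sorted by time."""
    recent = defaultdict(deque)   # src -> (timestamp, port) still inside the window
    flagged = set()
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged

# Constructed sample data (documentation address ranges, made-up ports and times).
FTP_PEER = "192.0.2.10"       # busy FTP session
FAST_SCAN = "203.0.113.5"     # 20 ports in two seconds
SLOW_SCAN = "198.51.100.7"    # one port every 30 minutes

def sample_events():
    events = []
    # Assumption: each ls/get shows up as one inbound data connection on a fresh port.
    events += [(100 + 2 * i, FTP_PEER, 40000 + i) for i in range(6)]
    events += [(500 + 0.1 * i, FAST_SCAN, 20 + i) for i in range(20)]
    events += [(1000 + 1800 * i, SLOW_SCAN, p)
               for i, p in enumerate([21, 22, 23, 25, 80, 110, 137, 139])]
    return sorted(events)

def compare_thresholds():
    events = sample_events()
    return {
        "low": flag_sources(events, threshold=5, window=60),    # trigger level too low
        "high": flag_sources(events, threshold=10, window=60),  # tolerates FTP bursts
    }

if __name__ == "__main__":
    for name, sources in compare_thresholds().items():
        print(name, sorted(sources))
```

With the low trigger level the FTP peer is reported alongside the fast scanner; with the higher one only the fast scanner is, and the slow scanner is reported in neither case.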