Mailinglist Archive: opensuse-security (260 mails)

Re: [suse-security] Portsentry and logcheck
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Tue, 18 Jul 2000 20:56:31 +0200
  • Message-id: <20000718205631.G24476@xxxxxxxxxxxxx>
On Tue, Jul 18, 2000 at 10:33 +0200, Rupert Kittinger wrote:
>
> [ ... being "port scanned" when doing massive ftp ... ]
>
> Anyway, I do not think that those probes are all false alarms.
> I informed the various responsible administrators, and there was
> one case where the offending host was found to have been
> compromised.

I only had it once these days, that visiting www.avp2000.com (an
antivirus company) will make you repeatedly contacted for SMB
services (137/tcp). They don't support mail addresses abuse nor
postmaster nor administrator. It seems to fit that they host an
NT server for HTTP although they should know better about the
platform's vulnerability. But that's completely a different
story.

FTP is a somewhat strange protocol. You initially open up a
"command channel" and for every transfer (get, put, ls(!)) a new
connection parallel to the former gets established. That's when
a sequence of cd and ls (as some clients do automatically) can
look like a few quick connection attempts from the same source.
Some portscan detectors jump in on this (id?).

Detecting portscans is a twofold (id?) matter in any way. If
you set the trigger level too low any normal working sequence
looks like an attempt to attack or examine you. But there's
still no cure against so called slow scans. And even if _you_
are "visited" less frequently scanning a wide address range this
way still can be quite efficient (instead of scanning locally
restricted ranges in a quick manner).

Regarding the fact that scanning is nothing you can avoid and,
with a decent filter setup, is even something you needn't really
be concerned about, you might as well disable your scanning
detector and have your filter log unsuccessful contact tries or
suspicious packets to a file you can get back to for later
reference in case you suspect to be attacked. It depends on the
volume of these log entries whether you have them "prepared" for
your reading or whether you're reading them "live" for making up
your own opinion (see logcheck and friends for this). And carry
out the usual steps UNIX offers you to protect yourself against
abuse and resource starvation (limit rusage parameters, limit
connection rates, etc).


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
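The two points Gerhard makes above, that active-mode FTP data connections can trip a threshold-based scan detector, and that a slow scan slips under the same threshold, can be checked against log lines. The following is an added example, not code from the thread or from portsentry or logcheck; the log format, addresses and the `scanners()` / `per_source_summary()` helpers are constructed for this illustration.

```python
"""Toy connection-attempt detector over constructed packet-filter log lines.

Shows two things a threshold detector gets wrong: a burst of active-mode
FTP data connections (server port 20 dialling back into the client's high
ports, once per "ls" or transfer) looks like a scan, while probes spaced
an hour apart never reach the threshold inside a short window.
"""
import re
from collections import defaultdict

# Constructed lines, loosely modelled on a filter that logs new connection
# attempts as:  <epoch seconds> <src>:<sport> -> <dst>:<dport>
FTP_SESSION = [
    "1000 192.0.2.10:20 -> 198.51.100.5:33001",
    "1003 192.0.2.10:20 -> 198.51.100.5:33002",
    "1005 192.0.2.10:20 -> 198.51.100.5:33003",
    "1008 192.0.2.10:20 -> 198.51.100.5:33004",
    "1011 192.0.2.10:20 -> 198.51.100.5:33005",
]
QUICK_SCAN = [  # one source touching several well-known ports in seconds
    "2000 203.0.113.7:40001 -> 198.51.100.5:21",
    "2000 203.0.113.7:40002 -> 198.51.100.5:22",
    "2001 203.0.113.7:40003 -> 198.51.100.5:23",
    "2001 203.0.113.7:40004 -> 198.51.100.5:25",
    "2002 203.0.113.7:40005 -> 198.51.100.5:80",
]
SLOW_SCAN = [  # the same probes, spread one hour apart
    "3000 203.0.113.9:40001 -> 198.51.100.5:21",
    "6600 203.0.113.9:40002 -> 198.51.100.5:22",
    "10200 203.0.113.9:40003 -> 198.51.100.5:23",
    "13800 203.0.113.9:40004 -> 198.51.100.5:25",
    "17400 203.0.113.9:40005 -> 198.51.100.5:80",
]

LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse(line):
    """Split one log line into (timestamp, src, sport, dst, dport)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: " + line)
    ts, src, sport, dst, dport = m.groups()
    return int(ts), src, int(sport), dst, int(dport)


def scanners(lines, threshold=4, window=60, ignore_ftp_data=False):
    """Return the sources that hit at least `threshold` distinct destination
    ports within any `window`-second span.

    With ignore_ftp_data=True, attempts coming from TCP port 20 towards an
    unprivileged (>1023) port are skipped: the shape of an active-mode FTP
    data connection to a client that has a session open.
    """
    events = defaultdict(list)  # src -> [(ts, dport), ...]
    for line in lines:
        ts, src, sport, _dst, dport = parse(line)
        if ignore_ftp_data and sport == 20 and dport > 1023:
            continue
        events[src].append((ts, dport))

    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def per_source_summary(lines):
    """Timing-free summary for later reading: src -> (first, last, ports).

    This is the "keep the filter log for later reference" approach: it
    catches the slow scan that a live threshold detector misses.
    """
    seen = defaultdict(lambda: [None, None, set()])
    for line in lines:
        ts, src, _sport, _dst, dport = parse(line)
        entry = seen[src]
        entry[0] = ts if entry[0] is None else min(entry[0], ts)
        entry[1] = ts if entry[1] is None else max(entry[1], ts)
        entry[2].add(dport)
    return {src: (first, last, sorted(ports))
            for src, (first, last, ports) in seen.items()}


if __name__ == "__main__":
    print("naive, FTP session :", scanners(FTP_SESSION))
    print("FTP-aware, same    :", scanners(FTP_SESSION, ignore_ftp_data=True))
    print("naive, quick scan  :", scanners(QUICK_SCAN))
    print("naive, slow scan   :", scanners(SLOW_SCAN))
    print("offline, slow scan :", per_source_summary(SLOW_SCAN))
```

Run as-is, the naive detector flags the FTP server alongside the quick scanner and stays silent on the slow scanner; the FTP-aware variant drops the false positive, and only the offline summary surfaces the hour-spaced probes, which is the trade-off between reading the log "live" and having it "prepared" for later.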
