On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
Hi
213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe? /c+dir HTTP/1.0" 404 270
Someone is trying to see if they can creep in thru Your web-server...
And so forth... Is there a way to block them automagically, or do I have to do it "by hand"?
From http://freshmeat.net You could find some clever scripts that can do it.
Also: I nmap my gateway:
server:~ # nmap -sT 213.66.182.24
Did You do it from "outside" or from the gateway/LAN.. the result is different.
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
631/tcp    open        unknown
1009/tcp   open        unknown
1025/tcp   open        listen
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
I run iptables and try to block 111,139,631,1009 and 1025
iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
but it is still open if I check again. Why?
Have a look in /etc/inetd.conf; some of the services might be there, and they come before the firewall in the incoming queue.
Jaska.
That someone is trying is obvious :)
The thing is I have TWO attempts of the exact same type in less than 1 hr.
[02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100]
One address in Germany and one in Sweden. Go figure...

I scanned from the "inside", that is from the server itself. I have no way of scanning from the outside at this point.. :(
The inet.conf is "clean". (ie. Nothing enabled)
So how can I check "myself"?

--
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels
email : rjhn@linux.nu
Web : http://www.rikjoh.com
Mob : +46 70 464 99 39
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
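
An added example, not part of the original thread: one way to do the "automagic" part asked about above is to scan the Apache access log for the root.exe probe and produce iptables DROP rules for review. The function names, the cmd.exe pattern, the -I rule form and every sample line except the first are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
# Assumption: a request for these Windows binaries on this server is an
# automated probe (the thread shows root.exe; cmd.exe is added here).
PROBE = re.compile(r'/(?:root|cmd)\.exe\b', re.IGNORECASE)

# Constructed sample: the first line is the one quoted in the thread, the
# rest are made up and use documentation-range addresses.
SAMPLE_LOG = """\
213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe? /c+dir HTTP/1.0" 404 270
192.0.2.15 - - [02/Nov/2002:16:09:41 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
192.0.2.15 - - [02/Nov/2002:16:09:43 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
198.51.100.7 - - [02/Nov/2002:17:02:10 +0100] "GET /index.html HTTP/1.0" 200 1043
not a log line
"""

def find_probes(log_text):
    """Return {source_ip: [(timestamp, request), ...]} for probe requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        host, when, request, _status, _size = m.groups()
        try:
            ipaddress.ip_address(host)  # only real IPs may reach a firewall rule
        except ValueError:
            continue  # hostnames or junk in the host field are ignored
        if PROBE.search(request):
            hits[host].append((when, request))
    return dict(hits)

def drop_rules(hits, iface="eth0", min_hits=1):
    """Build iptables commands as strings for review; nothing is executed."""
    return [f"iptables -I INPUT -i {iface} -s {ip} -j DROP"
            for ip, seen in sorted(hits.items()) if len(seen) >= min_hits]

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, seen in sorted(found.items()):
        print(ip, len(seen), "probe request(s)")
    print("\n".join(drop_rules(found)))
```
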