Re: [Sheflug] Security : Port scanning
I'm feeling rather schizoid replying to this, but here goes nothing... :)
And Lo! The Great Prophet "Chris Johnson" uttered these words of wisdom:
>
> <important bit>
> My new firewall went 'live' last night about 5pm and today when I checked
> the logs I've got about a dozen cases of port scanning from various sources.
> <question>
> Is all port scanning malicious?
Not all of it. Who are you with? Blueyonder for instance do a lot of port
scanning on a continual basis. They also, if they find an open mail server
on port 25, test it for relaying (including checking for the percent hack
and also (it's been reported) UUCP bang paths)...which can be an annoyance
when you're the postmaster as you spend time filtering out bounces.
>
> What should be done if it's found?
>
I do nothing. Unless there's a flood in a short space of time that isn't
from scanner.abuse.blueyonder.co.uk, I ignore them. If I dealt with each
one I'd spend more time sending email to abuse [at] some.isp.com than actually
using the internet for anything vaguely useful.
Floods however will get my attention, and what I do about it depends on
what mood I'm in, how long they go on for, where they're from and how much
inconvenience it causes me. Fortunately I've never had a flood :)
> Should I mail a report to the
> administrator detailed on the "whois" lookup page?
The whois may not help if you're just looking up the IP -- if it's a
virtual ISP who lease modems from another company, all it could tell you is
who owns the modems. You need to do a reverse DNS lookup first, and do a
whois against the domain. Any decent ISP will have an "abuse" mailbox set
up for you to then email.
If a DNS check doesn't get anywhere, and the whois on the IP just returns
the carrier's details, then email them. They'll usually take a dim view of
their bandwidth being used by a single customer of one of their clients ...
and usually they'll have more clout ("do this or we'll sever your upstream"
sort of thing).
First port of call with the ISP though...
Chris...(the other one)...
--
\ Chris Johnson \ NP: Tom Lehrer - 01. That Was The Year That Was
\ cej [at] nightwolf.org.uk ~-----, - National Brotherhood Week
\ http://cej.nightwolf.org.uk/ ~-----------------------------------,
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
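The triage policy Chris describes above (ignore isolated probes and the ISP's own scanner host, pay attention only to a flood from one source in a short space of time) as an added example; this is not code from the original post. The iptables-style log lines and addresses are constructed, the reverse-DNS table standing in for a real lookup is an assumption, and the five-minute window and five-port threshold are assumed values, not ones the post gives.

```python
# Added example: triage firewall log lines the way the post describes --
# ignore isolated probes and a known ISP scanner, flag a flood of hits from
# one source inside a short window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (hypothetical format and addresses).
SAMPLE_LOG = """\
Jan 12 17:02:11 fw kernel: IN=ppp0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=25
Jan 12 17:03:40 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=111
Jan 12 17:03:41 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=21
Jan 12 17:03:41 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=23
Jan 12 17:03:42 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=80
Jan 12 17:03:42 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=443
Jan 12 17:03:43 fw kernel: IN=ppp0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=8080
Jan 12 18:40:05 fw kernel: IN=ppp0 SRC=192.0.2.200 DST=198.51.100.2 PROTO=TCP DPT=22
Jan 12 19:15:02 fw kernel: IN=ppp0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=25
"""

# Assumed stand-in for a reverse DNS lookup: the post says scans from this
# ISP scanner host are routine and can be ignored.
KNOWN_SCANNERS = {"203.0.113.7": "scanner.abuse.blueyonder.co.uk"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def parse(log):
    """Yield (timestamp, source IP, destination port) for each matching line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year; deltas within the run still work
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])


def triage(log, window=timedelta(minutes=5), threshold=5):
    """Return {src: 'ignore' | 'flood'}.  A source is a flood when it touches
    at least `threshold` distinct ports within any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse(log):
        by_src[src].append((ts, dpt))
    verdicts = {}
    for src, hits in by_src.items():
        verdicts[src] = "ignore"
        if src in KNOWN_SCANNERS:
            continue
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            ports = {d for t, d in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                verdicts[src] = "flood"
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}  {KNOWN_SCANNERS.get(src, '')}")
```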