[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Security : Port scanning

To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Subject: Re: [Sheflug] Security : Port scanning
From: "Chris J" <cej [at] xxxxxxxxxxxxxxxx>
Date: Wed, 07 May 2003 17:07:52 +0100
Delivered-to: shef-lug [at] list.sheflug.org.uk
List-help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-id: Sheflug <shef-lug.list.sheflug.org.uk>
List-post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-to: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx

I'm feeling rather schiziod replying to this, but here goes nothing... :)

And Lo! The Great Prophet "Chris Johnson" uttered these words of wisdom:
>
> <important bit>
> My new firewall went 'live' last night about 5pm and today when I checked
> the logs I've got about a dozen cases of port scanning from various sources.
> <question>
> Is all port scanning malicious?

Not all of it. Who are you with? Blueyonder for instance do a lot of port 
scanning on a continual basis. They also, if they find an open mail server 
on port 25, test it for relaying (including checking for the percent hack 
and also (it's been reported) UUCP bang paths)...which can be an annoyance
when you're the postmaster as you spend time filtering out bounces.

>
> What should be done if its found?
>

I do nothing. Unless there's a flood in a short space of time that isn't 
from scanner.abuse.blueyonder.co.uk, I ignore them. If I dealt with each 
one I'd spend more time sending email to abuse [at] some.isp.com than actually 
using the internet for anything vaugely useful.

Floods however will get my attention, and what I do about it depends on 
what mood I'm in, how long they go on for, where they're from and how much 
inconvenience it causes me. Fortuantly I've never had a flood :)

> Should I mail a report to the
> administrator detailed on the "whois" lookup page? 

The whois may not help if you're just looking up the IP -- if it's a
virtual ISP who lease modems from another company, all it could tell you is
who owns the modems. You need to do a reverse DNS lookup first, and do a 
whois against the domain. Any decent ISP will have an "abuse" mailbox set 
up for you to then email.

If a DNS check doesn't get anywhere, and the whois on the IP just returns 
the carrier's details, then email them. They'll usually have a dim view on 
their bandwidth being used by a single customer of one of their clients ... 
and usually they'll have more clout ("do this or we'll sever your upstream" 
sort of thing).

First port of call with the ISP though...

Chris...(the other one)...

-- 
\ Chris Johnson           \ NP: Tom Lehrer - 01. That Was The Year That Was 
 \ cej [at] nightwolf.org.uk    ~-----,  - National Brotherhood Week 
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------, 
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____



___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.

Follow-Ups:
- RE: [Sheflug] Security : Port scanning
  - From: Chris Johnson

References:
- [Sheflug] Security : Port scanning
  - From: Chris Johnson

Prev by Date: RE: [Sheflug] Security : Port scanning
Next by Date: [Sheflug] Printing to a network printer
Previous by thread: Re: [Sheflug] Security : Port scanning
Next by thread: RE: [Sheflug] Security : Port scanning
Index(es):
- Date
- Thread