search for: portscan

Displaying 20 results from an estimated 42 matches for "portscan".

2006 Mar 20
6
[OT maybe] netcafe firewall
...as firewall and router for a small 'internet cafe / netcafe' and am using CentOS... So here it is: What are the best tools to be used for keeping the potential script kiddies from 'harming the Internet' :) ? I specifically want to be able to detect and prevent portscans from LAN to Internet, and any other malware activity the clients might think of. I am particularly interested in 'the CentOS way'. For example I know there is psd module in patch-o-matic for iptables to be able to do the portscan detection in firewall... but, that doesen'...
2007 Oct 17
1
Portscans and Asterisk
Anything to do about portscans? Is there any way (should I) to see if the connection is a legit (only SIP currently) connection BEFORE my * answers? [2007-10-17 19:23:46] WARNING[4191]: chan_sip.c:6624 determine_firstline_parts: Bad request protocol 01@<ASTERISK_IP> SIP/2.0 -- Executing [s at default:1] Answer("...
2005 Apr 28
2
portsentry+shorewall
Hello, I use shorewall for a very long time (2 years or so) and I use it for nat and as firewall....I now use portsentrys to detect portscans but there is one problem...I use the HOWTO from the shorewall mailing list to make portsentry and shorewall work together....but there is one prob portscans get detected and a drop rule is added to shorewall for example shorewall drop 62.178.xxx.xx the shorewall entry 6 252 DROP...
2003 Aug 28
0
[louisk@bend.com: snort, postgres, bridge]
...r Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this optio...
2005 Mar 28
1
logcheck errors after logrotate runs
Hello :) After upgrading recently from Woody to Sarge (which went fairly well) I now have trouble with logcheck. I have been unable to track down a solution. Logcheck runs perfectly through the week until Sunday when logrotate does
2004 Apr 17
7
Is log_in_vain really good or really bad?
Heya.. Yesterday someone "attacked" my box by connecting to several ports.. In other words, a simple portscan.. yet, since my box has "log_in_vain" enabled, so it tries to log everything to /var/log/messages, since the logfile got full and the size went over 100K, it tried to rotate the log to save diskspace. (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K) My...
2010 Jan 24
8
ip conntrack table full
xen-3.0.3-94.el5_4.2 2.6.18-164.6.1.el5xen RHEL5.4 x86_64 I've got a dom0 that does nothing but have a DomU created. The DomU gets plenty of load. Over time, the dom0's ipconntrack table fills up but not the DomU. Once it gets full I can restart iptables and it's fine. The strange thing is this only happens on hosts I have provided (hardware and hosting) from one
2003 Apr 14
1
FW: Re: Open ports
------- BEGIN FORWARDED MESSAGE ------- From: g.pardon@pi.be To: teastep@shorewall.net Cc: Subject: Re: [Shorewall-users] Open ports How am I testing this? I'm doing a portscan using a portscanner like GFI Languard, Superscanner and nmap to check. Those two TCP-ports always showed up. Although, I think there are other to test it. I read the FAQ and the phenomenon (where is that Dutch-English dictionary when you need it) is explained by the nature of UDP ports and the DRO...
2002 Oct 30
1
restricting interfaces.
Hello, I've got samba running on a FreeBSD box that has two interfaces, ep0 which is an external interface, and ep1 which is for internal use only. I only want samba to listen on ep1 so if I'm ever portscanned port 137/139 will not show up as open on the external interface. I've added these lines to the global section of my smb.conf file: hosts allow=192.168.0. interfaces=192.168.0.0/16 127.0.0.1 bind interfaces only=yes yet when I restart samba port 139 is still showing as open on my external int...
2005 Feb 08
2
Basic Samba functionality under SuSE 9.2
...tch port like the Windows boxes. The firewall has the same interface defined as the inside port and the outside port. But the YAST GUI for configuring Samba has a checkbox for opening all appropriate firewall ports, and I did that. I went back to check and it's still checked. For grins, I portscanned tolkien. TCP ports open are: 21, 22, 25, 110, 139, 445. UDP ports: None. I tried this: net use k: \\172.20.0.5\archive It works! Well, almost. It prompts for username and password, and username and pw I use to login at the linux box doesn't work. "root" with his password work...
2003 Feb 24
2
Shorewall / nmap question
...ently reject it so that connections don't get delayed. # run_iptables -A common -p tcp --dport 113 -j DROP Using this file connection attempts to port 113/135 should be dropped. Checking the output of iptables -L common also tells me connection attempts should be dropped. However when I portscan the internal interface of our router/firewall nmap these ports are still listed as filtered. Is this correct?? Ad Koster lidad@zeelandnet.nl
1999 Mar 26
3
*ALERT*: ADM Worm. Worm for Linux x86 found in wild.
...0 From: "Ben Cantrick (Macky Stingray)" <mackys@MACKY.RONIN.NET> To: BUGTRAQ@NETSPACE.ORG Subject: ADM Worm. Worm for Linux x86 found in wild. 1. Summary On the week of 3/7, a polite mail from a system administrator at a company in Russia tipped me off to one of our Redhat boxes portscanning one of their subnets. Subsequent investigation found that a worm had infected the offending box and was attempting to propagate itself. 2. Further info The worm seems to be a few binaries working together with some bourne shell scripts. The main file seems to be one called "admw0rm,"...
2000 Jan 20
1
Unsupported Printers - just "sticks" in the lpd queue ;(
...ollowing (as reported with 'lpc'): FXColorWind: queuing is enabled printing is enabled 1 entry in spool area sending to 10.10.10.208 I also tried getting rid of ":rp=raw:" and trying ":rp=:" instead. Nothing happens. I did a portscan on the printer, and it only has ports 21 (FTP) and 515 (unknown) open -- the FTP server appears to be for updating firmware (my guess), and port 515 immediately drops the connection if you telnet to it. Therefore I have *no* idea how this printer is accepting data -- UDP? I've checked the lpd...
2004 Jun 07
1
freebsd-security Digest, Vol 61, Issue 3
On Sat, 29 May 2004 12:00:52 -0700 (PDT), <freebsd-security-request@freebsd.org> wrote: Hello! Today I see in snort logs : [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566 TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40 ***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen:
2006 Jul 18
7
Port scan from Apache?
Hi everyone, today I got an e-mail from a company claiming that my server is doing port scans on their firewall machine. I found that hard to believe so I started checking the box. The company rep told me that the scan was originating at port 80 with destination port 8254 on their machine. I couldn't find any hints as to why that computer was subject to the alleged port scans. Searching
2003 Aug 03
1
ipfw or ipf w/stateful behavior
...flags (ipfw) and my ftp-connections are not really stateful. I think that these behavior is also so by irc-chat. Now I want to know, how must I do to become also an stateful behavior for these services, w/o to open the high-ports from the firewall, then at the last time I become over and over with portscans from outside, and I think this is an security reason. I don't really want to open the high-ports on my box. give it an chance by using ipf and not ipfw?? I have read the documentations, and I have no hint found that solve this problem, my I have seen that in first time ipf is much more comp...
2005 Aug 26
0
portsentry and proftpd RPMs available
....pbone.net/mirror/ftp.falsehope.net/home/tengel/proftpd/CentOS4/ PortSentry is built using the last known (RedHat 9 based) SPEC/patches from FreshRPMS, updated to apply with the latest known version 1.2. I have noticed no problems in its operation on a production server, it's detecting portscans and dropping IPs as expected. ProFTPd has a backport of a patch applied that makes it work with the default MySQL 'old_passwords=1' setting found in RHEL4/CentOS4 default installs (proftpd bug #2644). If you don't want ProFTPd MySQL support in CentOS4, simply rebuild the SRPM witho...
2007 Jul 31
0
AsteriskNOW and Custom VoIP
...alls? My Asterisk server is connected with an ethernet connection to my DMZ network. Could you give me some help and/or indication for docs regarding this issue? I suppose that AsteriskNOW (beta 6), after a custom SIP provider configuration, should open the 5060 TCP/UDP port. Instead making a portscan from the client on which I'm trying SJphone client getting to work, I see these ports open: Open TCP Port: 21 Open TCP Port: 22 pcanywherestat Open TCP Port: 25 Open TCP Port: 80 Open TCP Port: 111 Open TCP Port: 443 Open TCP Port: 763 Open TCP Port: 1192 Open TCP...
2007 Nov 22
4
Port 631 closed, not hidden
I have the firewall turned on my CentOS 5 box, but GRC is reporting that 631 is closed instead of stealthed. If the firewall isn't configured to allow that, then why might that be happening? Miark
2003 Apr 16
0
[Bug 78] New: -m psd -j TARPIT returns all ports open from nmap
...Priority: P2 Component: unknown AssignedTo: laforge@netfilter.org ReportedBy: mike.ely@phoenix.k12.or.us CC: netfilter-buglog@lists.netfilter.org Just got the extras from patch-o-matic and compiled 1.2.8 and everything in. My personal desire was to send portscans to the tarpit as mentioned in the subject. When I use the psd match to - DROP, it works fine. When I pick a particular port and tarpit it, that works great, too. But when I combine the two, and do an nmap run against the machine, it returns all but twelve ports as open! Naturally, it's no...