Thanks for the quick response Jeff. Yes, it is very much a sequential thing - I don't know what a scan would look like from the logs, but if I had to guess what it would look like, this would be it. Here is a very brief snippet -
Oct 11 06:56:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61694 209.251.232.18:135 L=44 S=0x00 I=12220 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:26 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12476 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:29 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12732 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:35 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12988 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:47 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=13244 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:11 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17084 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:14 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17340 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:20 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17596 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:32 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17852 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:56 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18108 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:59 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18364 F=0x4000 T=107 SYN (#9)
Oct 11 07:10:05 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18620 F=0x4000 T=107 SYN (#9)
Oct 11 07:10:17 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18876 F=0x4000 T=107 SYN (#9)
Oct 11 07:22:41 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:62082 209.251.232.18:135 L=44 S=0x00 I=22460 F=0x4000 T=107 SYN (#9)

The rule appears to have stopped this dead. My logs can breathe easier for awhile. Thanks again.

Does anyone have any other procedures that they do when in this situation? I certainly will save this rule in my personal LEAF documents folder if it happens again.

Doug

>>> Jeff Newmiller <[EMAIL PROTECTED]> 10/11/02 10:51AM >>>
On Fri, 11 Oct 2002, Doug Hite wrote:

> Hello all,
>
> I believe I'm currently being scanned on one of my
> LEAF routers (this one is still an EigerStein I think),
> all from a single ip. It of course is filling
> up my logs, and eventually stops my dhcpd server.
> The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl
> from this packet
>
> Oct 10 20:48:57 isdnfirewall kernel: Packet log: remote DENY eth0
> PROTO=6 216.224.239.106:58047 209.251.232.19:135 L=44 S=0x00
> I=9912 F=0x4000 T=107 SYN (#9)
>
> gives this response
>
> You're very likely under attack here. This particular destination port is the Microsoft RPC (DCOM) service port.

On its own, even repeated, I wouldn't automatically conclude you are "under attack". Someone might have mistakenly put your ip address in someplace (typo), or you might be running software from inside your firewall that is prompting the server to try to get some more information from you (check netstat -Mlen for connections). (I don't think your ISP has your ip address correctly reverse dns mapped, so some servers might try alternate methods of reverse mapping.) If it is part of a sequence of destination ports, then you are more likely "under attack".

> I used to have the syntax to completely block a single
> ip, but I seem to have lost it, and my searches have
> come up empty. Can someone give me the syntax to
> block this offender? I don't mind only plugging it in at
> the command line - this router gets rebooted only
> every 6 months or so - by that time, the person
> may have lost interest.

You need to insert a rule into the input chain for interface eth0 that denies (drops) all packets arriving from ip 216.224.239.106, without logging:

    ipchains -I input -j DENY -i eth0 -s 216.224.239.106

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
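Added example, not from the thread or the LEAF project: a small parser for the ipchains "Packet log:" format shown above that groups DENY entries by source address and applies Jeff's test (one destination port hit repeatedly versus a run of consecutive destination ports), while separating real connection attempts from SYN retransmissions. The input is four log lines from the thread plus three constructed lines from 192.0.2.10, a documentation address, so that the port-sweep branch is exercised.

```python
import re
from collections import defaultdict

# ipchains "Packet log:" layout from the thread: <chain> <target> <iface> PROTO= src:port dst:port L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>\w+) I=(?P<id>\d+) F=(?P<frag>\w+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[k] = int(rec[k])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(lines):
    """Group DENY entries by source and apply the single-port vs. port-sequence test."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["target"] == "DENY":
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        dports = sorted({r["dport"] for r in recs})
        # A retransmitted SYN reuses its source port: distinct (sport, dst, dport) = attempts, not packets.
        attempts = {(r["sport"], r["dst"], r["dport"]) for r in recs}
        # Consecutive destination ports suggest a sweep; one port hit repeatedly may just be a misconfigured peer.
        sweep = len(dports) > 1 and dports == list(range(dports[0], dports[-1] + 1))
        report[src] = {"packets": len(recs), "attempts": len(attempts),
                       "hosts": sorted({r["dst"] for r in recs}), "dports": dports,
                       "verdict": "port sweep" if sweep else "single-port repeats"}
    return report

# Four lines from the thread, plus three constructed lines from 192.0.2.10 (a documentation address) hitting consecutive ports.
SAMPLE = """\
Oct 11 06:56:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61694 209.251.232.18:135 L=44 S=0x00 I=12220 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:26 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12476 F=0x4000 T=107 SYN (#9)
Oct 11 06:56:29 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12732 F=0x4000 T=107 SYN (#9)
Oct 11 07:09:11 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17084 F=0x4000 T=107 SYN (#9)
Oct 11 07:30:00 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.10:40000 209.251.232.18:135 L=44 S=0x00 I=100 F=0x4000 T=64 SYN (#9)
Oct 11 07:30:01 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.10:40001 209.251.232.18:136 L=44 S=0x00 I=101 F=0x4000 T=64 SYN (#9)
Oct 11 07:30:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.10:40002 209.251.232.18:137 L=44 S=0x00 I=102 F=0x4000 T=64 SYN (#9)
""".splitlines()
```

Running `summarize(SAMPLE)` reports 216.224.239.106 as four packets but only three attempts against a single port (135) on two hosts, while the constructed 192.0.2.10 entries are flagged as a port sweep.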
