> tack> welcome to my world. the ports I see most often are 80
>
> Hi. I've been getting a lot of attempts to connect to 80 too, from lots
> of machines. Naive young fool that I am, I assumed these were
> innocent. Why someone would think I am running a web server and would
> be interested to browse my pages, I can't say. I assumed they were
> innocent because they did not attempt to connect to any other ports.
>
> Do you think it's a good idea to assume these are malicious and add
> the IPs to my iptables bastard list that denies all access now and
> forever?
Nimda and Code Red have increased the number of port 80 probes. Port 80 is
also standard fare for script kiddies trying to exploit IIS. ISPs also probe
80 to see if you're violating their "no servers" clause in the service
agreement.

As for restricting, remember that dynamic IPs are common. If you have public
services, then restricting by IP could deny access to legit users when the
attacker's IP changes. You need to strike a balance between access controls
and availability.

> On a side note, I found out you could get the domain name with the
> 'host' command. The 'distributed scans' I referred to earlier were
> coming from a bunch of machines:
>
> esupport-sd10.websys.aol.com
> esupport-sd11.websys.aol.com
> esupport-sd14.websys.aol.com

Remember that all internet traffic from AOL comes from their farm. Good way
to launder IPs, I guess.

> Anyone know if websys is this AOL's cable modem service? The other
> handy tool to find out an IP is traceroute, which will give you all
> the machines on the way to the destination. Thanks, *Hacking Linux
> Exposed*.

tracepath is also nifty. It uses UDP and is faster.

tack
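The thread above raises three practical questions: which sources only ever touch port 80, whether several hosts under one reverse-DNS domain are acting together (the "distributed scan" the poster saw), and whether a per-IP block is worth the availability cost when the address is dynamic. The following is an added example, not code from either poster, that works through all three over a constructed batch of iptables LOG lines. The log lines, the addresses (documentation ranges) and the reverse-DNS table that stands in for `host` output are all made up here so that it runs offline; the threshold and block TTL are assumptions to be tuned.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables LOG output (kernel log lines); not taken from the post.
# SRC addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 21 10:15:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=112 PROTO=TCP SPT=3456 DPT=80 SYN
Sep 21 10:15:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=48 TTL=112 PROTO=TCP SPT=3457 DPT=80 SYN
Sep 21 10:15:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 LEN=48 TTL=112 PROTO=TCP SPT=3458 DPT=80 SYN
Sep 21 10:16:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=52 PROTO=TCP SPT=40001 DPT=80 SYN
Sep 21 10:16:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=52 PROTO=TCP SPT=40002 DPT=80 SYN
Sep 21 10:16:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=52 PROTO=TCP SPT=40003 DPT=80 SYN
Sep 21 10:16:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=52 PROTO=TCP SPT=40004 DPT=22 SYN
Sep 21 10:17:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TTL=52 PROTO=TCP SPT=40005 DPT=80 SYN
"""

# Constructed reverse-DNS answers standing in for `host <ip>` lookups, so the
# example runs offline. The names only mirror the shape of those in the post.
RDNS = {
    "192.0.2.10": "esupport-sd10.websys.example.net",
    "192.0.2.11": "esupport-sd11.websys.example.net",
    "192.0.2.14": "esupport-sd14.websys.example.net",
    "203.0.113.7": "dyn-7.dsl.example.org",
    # 203.0.113.9 deliberately has no PTR record
}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return (src, proto, dport) for every line that looks like an iptables LOG entry."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return events


def ports_by_source(events):
    """Map each source address to the set of destination ports it touched."""
    ports = defaultdict(set)
    for src, _proto, dport in events:
        ports[src].add(dport)
    return dict(ports)


def port80_only_sources(events):
    """Sources that only ever hit port 80: the ones the thread is asking about."""
    return sorted(src for src, ports in ports_by_source(events).items() if ports == {80})


def parent_domain(hostname, labels=2):
    """Collapse a hostname to its last `labels` labels (assumed 2 for this example)."""
    return ".".join(hostname.split(".")[-labels:])


def group_by_domain(sources, rdns):
    """Group sources under their rDNS parent domain; unresolved IPs go under '(no PTR)'.
    Several hosts under one domain hitting the same port is the 'distributed scan' pattern,
    and it is invisible to a per-IP hit counter because each host sends only a probe or two."""
    groups = defaultdict(list)
    for src in sources:
        name = rdns.get(src)
        groups[parent_domain(name) if name else "(no PTR)"].append(src)
    return dict(groups)


def block_plan(events, min_hits=3, ttl_minutes=60):
    """Per-source decision on port 80 hits. Every block carries a TTL (assumed 60 min)
    so a dynamic address later reassigned to a legitimate user is not locked out forever."""
    hits = Counter(src for src, _p, dport in events if dport == 80)
    return {src: (("block", ttl_minutes) if n >= min_hits else ("watch", 0))
            for src, n in hits.items()}


def iptables_commands(plan):
    """Render the block decisions as iptables commands (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {src} -j DROP  # expires in {ttl} min"
            for src, (action, ttl) in sorted(plan.items()) if action == "block"]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("port-80-only sources:", port80_only_sources(ev))
    print("by rDNS domain:", group_by_domain(port80_only_sources(ev), RDNS))
    for cmd in iptables_commands(block_plan(ev)):
        print(cmd)
```

Note what the two views disagree on: the per-IP counter blocks only the single host that repeated its probes and also touched port 22, while the three one-shot hosts that the rDNS grouping ties to one domain each stay below the threshold. A permanent per-IP deny list would miss the first pattern entirely and, once the address is reassigned, punish whoever gets it next.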
