NetBIOS is evil...
It's the #1 most hacked port.
It does SMB filesharing and stuff like that. However, #137 is the
nameservice, so most likely these boxes are just trying to figure out your
"windows name". If it's followed up immediately by a hit on port 139 or
139, then you've got a problem. I just block out #137-9 at the firewall
and on the box itself.

Rob Hudson wrote:
> Hi EUGLUGers,
>
> I recently turned on login logging on the EUGLUG server (FreeBSD).
> It's a kernel switch called 'log_in_vain'. I'm seeing a lot of the
> following:
>
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
>
> Here is what is in the /etc/services file for these two ports on that
> box:
>
> auth 113/tcp ident tap #Authentication Service
> auth 113/udp ident tap #Authentication Service
> netbios-ns 137/tcp #NETBIOS Name Service
> netbios-ns 137/udp #NETBIOS Name Service
>
> Authentication kind-of speaks for itself, but what is NetBIOS?
>
> Thanks,
> Rob
--
Organizing Linux users is like herding cats,
only harder.
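
Added example, not part of either message in the thread: a small Python filter that applies the reply's rule of thumb to `log_in_vain` lines, separating sources that only touched port 137 from those that later also hit port 139. The function name and the sample lines using 203.0.113.x, 192.0.2.x and 198.51.100.x addresses are constructed; because the quoted log lines carry no timestamps, it checks ordering only, not how soon the follow-up came.

```python
import re

# Line format of the FreeBSD log_in_vain messages quoted in the thread.
LINE_RE = re.compile(
    r"Connection attempt to (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) "
    r"from (\d+\.\d+\.\d+\.\d+):(\d+)"
)

NAME_SERVICE = 137       # netbios-ns, per the /etc/services excerpt
FOLLOW_UP_PORTS = {139}  # follow-up port named in the reply


def classify_sources(lines):
    """Return {source_ip: verdict} for every source that hit port 137.

    'name-lookup-only'   : the source touched port 137 and nothing else
    'probe-then-connect' : a 137 hit was later followed by a 139 hit
    """
    verdict = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore unrelated or malformed lines
        dst_port, src_ip = int(m.group(3)), m.group(4)
        if dst_port == NAME_SERVICE:
            verdict.setdefault(src_ip, "name-lookup-only")
        elif dst_port in FOLLOW_UP_PORTS and src_ip in verdict:
            verdict[src_ip] = "probe-then-connect"
    return verdict


# First two lines are taken from the thread; the rest are constructed.
SAMPLE = [
    "Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137",
    "Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818",
    "Connection attempt to UDP 203.0.113.1:137 from 192.0.2.10:137",
    "Connection attempt to TCP 203.0.113.1:139 from 192.0.2.10:1045",
    "Connection attempt to TCP 203.0.113.1:139 from 198.51.100.7:2200",
]

if __name__ == "__main__":
    for ip, result in classify_sources(SAMPLE).items():
        print(ip, result)
```

A source that hits 139 without a prior 137 lookup (the last sample line) is deliberately left out of the result, since the rule being applied is about the 137-then-139 sequence.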