137 is Windows name service...  When I used to log 137 attempts on my
firewall, they came in an endless torrent.  Most are mistakes, some are
viruses that look for that port to spread to Win95 boxes via the internet if
they have filesharing on without a password over TCP/IP.  Some are people
looking to exploit.  These happen mostly on DSL and cable networks where
people have their Windows machines on all the time with a high speed
connection and fixed IP.  Easy to find at least 1 in 100 that can be
exploited, or so I am told...  Blocking 137, 138, and 139 is a great idea
for any FW.  IPF will allow a reply that says the service is unavailable
instead of just dropping it in /dev/null, ipfw may have something similar...

Tim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Rob Hudson
> Sent: Tuesday, January 02, 2001 9:26 AM
> To: EUGLUG
> Subject: [EUG-LUG:180] security logging
>
>
> Hi EUGLUGers,
>
> I recently turned on login logging on the EUGLUG server (FreeBSD).
> It's a kernel switch called 'log_in_vain'.  I'm seeing a lot of the
> following:
>
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
>
> Here is what is in the /etc/services file for these two ports on that
> box:
>
> auth            113/tcp    ident tap    #Authentication Service
> auth            113/udp    ident tap    #Authentication Service
> netbios-ns      137/tcp    #NETBIOS Name Service
> netbios-ns      137/udp    #NETBIOS Name Service
>
> Authentication kind-of speaks for itself, but what is NetBIOS?
>
> Thanks,
> Rob
>
>
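
Added example, not part of either message: a small Python summarizer for 'log_in_vain' lines in the format quoted above, grouping attempts by protocol and destination port and counting how many fall on the NetBIOS ports 137-139 that the reply suggests blocking. The function names are hypothetical, and the service names for 138 and 139 are the standard IANA ones, not taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log excerpt in the thread (the wrapped line is rejoined).
SAMPLE_LOG = """\
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818
Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
"""

# search() rather than match(), so a syslog timestamp/host prefix is tolerated.
LINE_RE = re.compile(
    r"Connection attempt to (UDP|TCP) ([\d.]+):(\d+) from ([\d.]+):(\d+)")

# 113 and 137 as listed in the thread's /etc/services; 138/139 are the IANA names.
SERVICES = {113: "auth", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}
NETBIOS_PORTS = {137, 138, 139}


def summarize(log_text):
    """Group attempts by (protocol, destination port) and count sources."""
    summary = defaultdict(lambda: {"hits": 0, "sources": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        proto, _dst, dport, src, _sport = m.groups()
        entry = summary[(proto, int(dport))]
        entry["hits"] += 1
        entry["sources"][src] += 1
    return dict(summary)


def netbios_hits(summary):
    """Total attempts aimed at the ports the reply suggests blocking."""
    return sum(e["hits"] for (_p, port), e in summary.items()
               if port in NETBIOS_PORTS)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (proto, port), e in sorted(s.items(), key=lambda kv: -kv[1]["hits"]):
        name = SERVICES.get(port, "unknown")
        top = ", ".join(f"{ip} x{n}" for ip, n in e["sources"].most_common(3))
        print(f"{proto}/{port} ({name}): {e['hits']} attempts from {top}")
    print("NetBIOS (137-139) attempts:", netbios_hits(s))
```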
