"Port Scans are nothing to worry about"... to almost quote them
directly.
I have a static IP cable modem and the provider and ISP are one and the
same.
A couple months ago I queried this List re: Port Scanning in
/var/log/messages
Well, to update: it's only getting more crowded.
Any of you sys admins and ISP types please give me feedback on these
excerpts from my logs. I am running the basic "firewall stuff" and Port
Sentry on RH, LM 6.1
Looking in /etc/services I can glean that some of the entries are not
serious at least at the moment.
Though the main 'udp 513' scan has been going on for MONTHS now at 24/7
!!!
Nov 3 22:18:06 home portsentry[873]: attackalert: Connect from host:
cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
Nov 3 22:18:06 home portsentry[873]: attackalert: Host: 24.237.14.225
is already blocked. Ignoring
Nov 3 22:21:06 home portsentry[873]: attackalert: Connect from host:
cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
Nov 3 22:21:06 home portsentry[873]: attackalert: Host: 24.237.14.225
is already blocked. Ignoring
Nov 3 22:21:34 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 7
Nov 3 22:21:34 home portsentry[873]: attackalert: External command run
for host: 24.237.14.15 using command: "24.237.14.51"
Nov 3 22:21:34 home portsentry[873]: attackalert: Host 24.237.14.15 has
been blocked via wrappers with string: "ALL: 24.237.14.15"
Nov 3 22:21:34 home portsentry[873]: attackalert: Host 24.237.14.15 has
been blocked via dropped route using command: "/sbin/route add -host
24.237.14.15 gw 333.444.555.666"
Nov 3 22:21:34 home portsentry[873]: adminalert: ERROR: could not
accept incoming socket for UDP port: 7
Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
Nov 3 22:22:13 home portsentry[873]: attackalert: Host: 24.237.14.15 is
already blocked. Ignoring
Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
Nov 3 22:22:13 home portsentry[873]: attackalert: Host: 24.237.14.15 is
already blocked. Ignoring
Nov 3 22:24:06 home portsentry[873]: attackalert: Connect from host:
cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
Nov 3 22:24:06 home portsentry[873]: attackalert: Host: 24.237.14.225
is already blocked. Ignoring
2 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 7
Nov 4 02:57:42 home portsentry[873]: attackalert: Host: 24.237.14.15 is
already blocked. Ignoring
Nov 4 02:58:05 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
Nov 4 02:58:05 home portsentry[873]: attackalert: Host: 24.237.14.15 is
already blocked. Ignoring
Nov 4 02:58:06 home portsentry[873]: attackalert: Connect from host:
cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
Nov 4 02:58:06 home portsentry[873]: attackalert: Host: 24.237.14.15 is
already blocked. Ignoring
The udp 161 has just cropped up the last couple of weeks on a regular
basis.
I also recently got a /var/log/secure message:
FROM /VAR/LOG/SECURE
Nov 4 03:26:09 home ipop3d[8471]: refused connect from
cable-15-14-237-24.ancho "etc"
Our state-wide cable provider has a reputation for shrugging its
shoulders and saying, "enjoy the speed and don't worry about anything
else."
I need some input which might also be used to substantiate my claim when
I meet with them next week that they are being "irresponsible" in the
field of ISP services.
Thanks for any input; this has been going on for months now. Emails both
pleasant and irritated to individuals with the company provided by the
local office have turned up one "auto responder" a month ago.
Am I just being a "paranoid naysayer" ?! (I've been called worse!)
Is it unreasonable to ask one's ISP to "please address continuous
portscanning by unknown individuals?"
If the replies are too long for this List please contact me at my email
address.
Thanks
William Bouterse
Juneau, Alaska
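
Added example, not part of the original message: one way to turn PortSentry excerpts like those above into a per-source, per-port tally with first and last timestamps, suitable for attaching to an abuse report. The sample lines are constructed in the same format (including the mail client's line wraps) with documentation-range addresses; the function names are this example's own.

```python
import re

# Constructed sample in the format of the excerpts above, mail line wraps
# included. Hostnames and addresses are placeholders, not real sources.
SAMPLE = """\
Nov 3 22:18:06 home portsentry[873]: attackalert: Connect from host:
host-a.example.net/192.0.2.225 to UDP port: 513
Nov 3 22:18:06 home portsentry[873]: attackalert: Host: 192.0.2.225
is already blocked. Ignoring
Nov 3 22:21:06 home portsentry[873]: attackalert: Connect from host:
host-a.example.net/192.0.2.225 to UDP port: 513
Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host:
host-b.example.net/192.0.2.15 to UDP port: 161
Nov 4 02:58:05 home portsentry[873]: attackalert: Connect from host:
host-b.example.net/192.0.2.15 to UDP port: 161
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
CONNECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ portsentry\[\d+\]: "
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")

def unwrap(text):
    """Rejoin wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Map (ip, proto, port) -> [count, first_seen, last_seen] in log order."""
    stats = {}
    for entry in unwrap(text):
        m = CONNECT.match(entry)
        if not m:
            continue  # "already blocked" and adminalert lines are not new probes
        key = (m["ip"], m["proto"], int(m["port"]))
        rec = stats.setdefault(key, [0, m["ts"], m["ts"]])
        rec[0] += 1
        rec[2] = m["ts"]
    return stats

if __name__ == "__main__":
    for (ip, proto, port), (n, first, last) in sorted(summarize(SAMPLE).items()):
        print(f"{ip:15} {proto}/{port:<5} {n:3}  {first} .. {last}")
```

Syslog timestamps of this era carry no year, so first and last seen are kept as the raw strings in file order rather than parsed into dates.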