Yes, when I got the first email I thought perhaps it was spoofed since UDP traffic has no "handshake". But I have since patched together that it is only SonicWALL firewalls that generate these alerts. I am just checking that there is not something misconfigured on my NTP server. These are the log messages that get sent to me:

SonicWALL 0040-1017-8E1F Log (part 2) dumped to email at 2005-09-06 12:33:51

09/06/2005 10:25:51.512 - Probable Port Scan Dropped - Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 60930, WAN - UDP scanned port list, 60887, 61203, 61216, 61273, 61001, 61131, 61334, 61043, 61446, 61288 -
09/06/2005 10:26:54.512 - Possible Port Scan Dropped - Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 61446, WAN - UDP scanned port list, 61131, 61334, 61288, 61043, 60930 -
09/06/2005 10:27:01.496 - Probable Port Scan Dropped - Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 60887, WAN - UDP scanned port list, 61131, 61334, 61288, 61043, 60930, 61446, 60947, 61360, 61650, 61216 -
09/06/2005 10:27:59.496 - Possible Port Scan Dropped - Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 61446, WAN - UDP scanned port list, 61667, 61131, 61334, 61288, 61043 -
09/06/2005 10:28:05.496 - Probable Port Scan Dropped - Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 61216, WAN - UDP scanned port list, 61667, 61131, 61334, 61288, 61043, 61446, 60947, 60930, 61360, 61650 -

Since the source is 123 and every time they have verified they use pool.ntp.org I assume it is some type of NTP issue on the client or poor firewall code (more likely). I have asked the latest guy who emailed me what he has for OS/NTP software.

Thanks,
Will

-----Original Message-----
From: Paul-Andrew Joseph Miseiko [mailto:[EMAIL PROTECTED]
Sent: Monday, September 05, 2005 10:32 PM
To: william carlson
Cc: [email protected]
Subject: Re: [time] Port scans being detected.

I'm confused... are you saying someone is using your NTP server to acquire time and some pathetic firewall software is claiming your RESPONSE to their REQUEST for time is a port scan?

--
 .-------------------------------------.
( Biggest security gap -- an open mouth )
 `-------------------------------------'
--
Paul-Andrew Joseph Miseiko

On Mon, 5 Sep 2005, william carlson wrote:

> Hello group,
> I have received a few emails about users complaining my NTP server is
> port scanning their IP. Seems to be once I talk to them they are using
> pool.ntp.org and they have a SonicWALL firewall. Have others seen this
> and is there anything I can set on my server to make these not happen?
> I usually only see an email about this once a month or so. Not a large
> problem but a pain nonetheless.
> Thanks,
> Will
> _______________________________________________

timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
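An added example, not part of the original thread: a small Python triage script that parses entries in the format of the SonicWALL log quoted above and checks whether each flagged "scan" is UDP from source port 123 to high-numbered ports only, the pattern one would expect from NTP replies to clients querying from ephemeral source ports. The function names and the 1024 port threshold are assumptions of this example; the sample text is the first two entries from the log above.

```python
import re

NTP_PORT = 123
FIRST_UNPRIVILEGED_PORT = 1024  # assumption: anything below is a well-known service port

# One entry: timestamp - message - Source:ip, port, zone - Destination:ip, port, zone - PROTO scanned port list, ...
ENTRY = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - "
    r"(?P<msg>[^-]+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+ - "
    r"(?P<proto>\w+) scanned port list, (?P<ports>\d+(?:, \d+)*)"
)

# First two entries of the log in the message above (addresses are the poster's placeholders).
SAMPLE = (
    "09/06/2005 10:25:51.512 - Probable Port Scan Dropped - "
    "Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 60930, WAN - "
    "UDP scanned port list, 60887, 61203, 61216, 61273, 61001, 61131, 61334, 61043, 61446, 61288 - "
    "09/06/2005 10:26:54.512 - Possible Port Scan Dropped - "
    "Source:IP_OF_MY_SERVER, 123, WAN - Destination:IP_OF_REMOTE_CLIENT, 61446, WAN - "
    "UDP scanned port list, 61131, 61334, 61288, 61043, 60930 - "
)

def parse_entries(text):
    """Return one dict per log entry, with ports converted to integers."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["ports"] = [int(p) for p in e["ports"].split(", ")]
        entries.append(e)
    return entries

def looks_like_ntp_replies(entry):
    """True when the flagged traffic is UDP from port 123 to high ports only."""
    touched = entry["ports"] + [entry["dport"]]
    return (entry["proto"] == "UDP" and entry["sport"] == NTP_PORT
            and all(p >= FIRST_UNPRIVILEGED_PORT for p in touched))

def triage(text):
    """Summarise a log dump: entries seen, how many fit the NTP-reply pattern, distinct ports hit."""
    entries = parse_entries(text)
    ports = {p for e in entries for p in e["ports"] + [e["dport"]]}
    return {"entries": len(entries),
            "ntp_reply_like": sum(looks_like_ntp_replies(e) for e in entries),
            "distinct_ports": len(ports)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```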
