
Re: scanning my ports



-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 24 Sep 1999, John Lapeyre wrote:

 :      Dear Security Staff:
 :        I received 2086 connection attempts at several ports on September 22.
 :      The attempts were made from  IP address  pavlov.midco.net [24.220.0.13]
 :      The machine whose ports were scanned is 128.196.189.45 .
 :      Please make sure that this port scanning does not happen again.
 :      
 : Here are the first and last connection attempts 
 : 
 : Sep 22 02:01:23 homey tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]
 : Sep 22 21:20:18 homey tcplogd: port 24011 connection attempt from pavlov.midco.net [24.220.0.13]
 : 
 :     Thanks for your cooperation.

Mr. Lapeyre,

You do realise that pavlov.midco.net is part of the DNS rotation
http.us.debian.org?

  biff@chaos:~ $ host pavlov.midco.net
  pavlov.midco.net        A       24.220.0.13
                                  ^^^^^^^^^^^
  biff@chaos:~ $ host http.us.debian.org
  http.us.debian.org      A       206.187.92.15
  http.us.debian.org      A       207.69.194.216
  http.us.debian.org      A       209.249.97.234
  http.us.debian.org      A       141.213.4.21
  http.us.debian.org      A       24.220.0.13
                                  ^^^^^^^^^^^

I see no evidence in the logs that you are being port scanned - I feel
it's more likely that your use of the mirror here is at issue.  You may
of course disagree.

Nevertheless, I will shut down the mirror here and rebuild this machine
from scratch, implementing draconian and paranoid security measures.

If I receive further complaints of "abuse" from Debian project
participants, I will be forced to remove the mirror entirely.
Complaints to "security@midco.net" are viewed by members of the
management team as well as members of the technical staff, and I regret
to inform you that one of the members of the management team has reacted
to your complaint in an abusive and non-productive manner that will
certainly impact our ability to help Debian in the future.

I regret the "shoot the messenger" tone of this email; understandably
security is important and potential abuses should be dealt with swiftly
and forcefully, given the state of the Internet today.  Nevertheless,
common sense can and should be exercised whenever possible.

I reiterate that today I remove "pavlov.midco.net" from the mirror
rotation "http.us.debian.org".  HTTP, FTP, and RSYNC access to this
machine will be turned off upon completion of this email. The machine
will be shut down and rebuilt from scratch.  Mirror services *may* be
restored at that point, if I can convince management that the benefits
of hosting a mirror outweigh the liabilities.

Sincerely,

- --
Nathan Norman - Network Specialist    mailto:nnorman@midco.net
High Speed Internet Access                http://www.midco.net
finger nnorman@home.midco.net for PGP Key     ID: (0xA33B86E9)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBN+0ovAXl8N+jO4bpAQGTmQP9Eyff8etuyzQkYx3kKry2QJTlpP5KGTj4
hiIkViV2d3T6rOJ1paeESYjMrzycNLBBdqSNMvmnBYMzSC3fY9ykdNBSC/wUEBfq
Q4oCG+OYOovDJDQXxurDj0/HgZzoIGPt8lx3ODDox34jris/hhu3qruE9RlHcT13
0sgwXKTBcp8=
=fgR7
-----END PGP SIGNATURE-----
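
The check made in the reply above (is the "scanning" address one of the A records of a service the complaining host itself uses?) can be run over the tcplogd lines before an abuse report is sent. This is an added example, not part of the original message; `KNOWN_SERVICES`, `triage`, and the third log line are constructed for illustration, and the record set is copied from the `host` output quoted in the message.

```python
import re
from collections import defaultdict

# A records copied from the `host http.us.debian.org` output in the message.
# KNOWN_SERVICES (hypothetical name): services this machine is itself a client of.
KNOWN_SERVICES = {
    "http.us.debian.org": {"206.187.92.15", "207.69.194.216", "209.249.97.234",
                           "141.213.4.21", "24.220.0.13"},
}

# Lines 1-2 are the tcplogd entries quoted in the message; line 3 is constructed.
SAMPLE_LOG = """\
Sep 22 02:01:23 homey tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]
Sep 22 21:20:18 homey tcplogd: port 24011 connection attempt from pavlov.midco.net [24.220.0.13]
Sep 22 21:25:02 homey tcplogd: port 111 connection attempt from host.example.net [192.0.2.77]
"""

LINE_RE = re.compile(
    r"tcplogd: (?:port )?(?P<port>\S+) connection attempt "
    r"from (?P<host>\S+) \[(?P<ip>[\d.]+)\]")

def triage(log_text, known=KNOWN_SERVICES):
    """Group connection attempts by source IP and note which sources are
    addresses of services this host is itself a client of."""
    sources = defaultdict(lambda: {"host": None, "count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a tcplogd connection-attempt line
        entry = sources[m["ip"]]
        entry["host"] = m["host"]
        entry["count"] += 1
        entry["ports"].add(m["port"])
    report = {}
    for ip, entry in sources.items():
        member_of = sorted(n for n, addrs in known.items() if ip in addrs)
        report[ip] = {
            "host": entry["host"], "count": entry["count"],
            "ports": sorted(entry["ports"]), "member_of": member_of,
            "verdict": ("correlate with own client traffic before reporting"
                        if member_of else "unexplained source"),
        }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

In live use the record sets would be refreshed by resolving each service name at triage time, since a rotation's membership changes.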

