[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: scanning my ports


On Fri, 24 Sep 1999, John Lapeyre wrote:

 :      Dear Security Staff:
 :        I received 2086 connection attempts at several ports on September 22.
 :      The attempts were made from  IP address  pavlov.midco.net []
 :      The machine whose ports were scanned is .
 :      Please make sure that this port scanning does not happen again.
 : Here are the first and last connection attempts 
 : Sep 22 02:01:23 homey tcplogd: auth connection attempt from pavlov.midco.net []
 : Sep 22 21:20:18 homey tcplogd: port 24011 connection attempt from pavlov.midco.net []
 :     Thanks for your cooperation.

Mr. Lapeyre,

You do realise that pavlov.midco.net is part of the DNS rotation

  biff@chaos:~ $ host pavlov.midco.net
  pavlov.midco.net        A
  biff@chaos:~ $ host http.us.debian.org
  http.us.debian.org      A
  http.us.debian.org      A
  http.us.debian.org      A
  http.us.debian.org      A
  http.us.debian.org      A

I see no evidence in the logs that you are being port scanned - I feel
it's more likely that your use of the mirror here is at issue.  You may
of course disagree.

Nevertheless, I will shut down the mirror here and rebuild this machine
from scratch, implementing draconian and paranoid security measures.

If I receive further complaints of "abuse" from Debian project
participants, I will be forced to remove the mirror entirely.
Complaints to "security@midco.net" are viewed by members of the
management team as well as members of the technical staff, and I regret
to inform you that one of the members of the management team has reacted
to your complaint in an abusive and non-productive manner that will
certainly impact our ability to help Debian in the future.

I regret the "shoot the messenger" tone of this email; understandably
security is important and potential abuses should be dealt with swiftly
and forcefully, given the state of the Internet today.  Nevertheless,
common sense can and should be exercised whenever possible.

I reiterate that today I remove "pavlov.midco.net" from the mirror
rotation "http.us.debian.org".  HTTP, FTP, and RSYNC access to this
machine will be turned off upon completion of this email. The machine
will be shut down and rebuilt from scratch.  Mirror services *may* be
restored at that point, if I can convince management that the benefits
of hosting a mirror outweigh the liabilities.


- --
Nathan Norman - Network Specialist    mailto:nnorman@midco.net
High Speed Internet Access                http://www.midco.net
finger nnorman@home.midco.net for PGP Key     ID: (0xA33B86E9)

Version: 2.6.3ia
Charset: noconv


Reply to: