Re: Cracking attempt

To: Tim Spriggs <tims@fugazi.engr.arizona.edu>
Cc: debian-isp@lists.debian.org
Subject: Re: Cracking attempt
From: mark@sans.rondom.org (Mark Lijftogt)
Date: Mon, 24 Feb 2003 12:07:05 +0100
Message-id: <20030224110705.GA2471@lijftogt.nl>
In-reply-to: <Pine.GSO.4.44.0302240252030.15877-100000@fugazi.engr.arizona.edu>
References: <200302240839.24093.russell@coker.com.au> <Pine.GSO.4.44.0302240252030.15877-100000@fugazi.engr.arizona.edu>

It's a grey area ihmo.
A portscan is just a nock on a appartment door, and just waiting whom is
going to openup. Besides that, it's nothing more. And you can see this as
annoying, nocking on someones door and then running like hell, but.. then
again, no harm is done.

In comparisin with a mail adress probe, wich I recive 30 times a day if I
don't completly block a couple of hongarian and chinese ISP's, the domain is
useless for any commercial form, and does harm me in a financial way if I
realy don't do anything about it.

So.. using the Spam probe to compare it with a port scan.. well, I would
report the spam probe a couple of times if I have the feeling it would make
a diffrence.. but still.. it can be a lot of work.


Mark

On Mon, Feb 24, 2003 at 02:59:38AM -0700, Tim Spriggs wrote:
> 
> 
> On Mon, 24 Feb 2003, Russell Coker wrote:
> 
> > On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > > Usually if we get such a report, we'll inform the client of their actions.
> > > Most times that discourages them from doing it.
> >
> > In any case it's a service to your client - who is the one paying you.  It
> > always amazes me that people on the net expect you to take their side against
> > one of your clients for something innocent like a bit of portscanning!
> >
> > > unless someone is REALLY repeatedly hammering a server. Then if no action
> > > is taken we may even block them at the router/switch level.
> >
> > That's the only thing to do, if someone is excessively scanning you then you
> > block their IP addresses for a while.  Of course you can't be too trigger
> > happy with this or you'll end up with half the Internet in your firewall rule
> > set...
> 
> In the defense of the ballistic person that is complaining about the
> portscan, one of our servers is running a backup server that dies with no
> error/warning when the server is portscanned. Unfortunately, our servers
> can not be put behind a firewall as funding is at an all time low.
> 
> This is a very inconvenient feature and the company that provides the
> backup server will do nothing about it so we have to manually restart the
> deamon from time to time because we were (innocently) portscanned.
> 
> 
> I guess my point is that there can be some wierd side-effects to obscure
> things that portscans/other non-normal network behaviour can create.
> However I will still side with you on the fact that abnormal behaviour
> should be handled and discarded by the software.
> 
> Oh well.
> 
> My two cents worth.
> 
> -Tim
> 
> >
> > --
> > http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/  My home page
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
> >
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 


-- Mark Lijftogt

Reply to:

Follow-Ups:
- Re: Cracking attempt
  - From: Russell Coker <russell@coker.com.au>

References:
- Re: Cracking attempt
  - From: Russell Coker <russell@coker.com.au>
- Re: Cracking attempt
  - From: Tim Spriggs <tims@fugazi.engr.arizona.edu>

Prev by Date: Re: Cracking attempt
Next by Date: Re: Cracking attempt
Previous by thread: Re: Cracking attempt
Next by thread: Re: Cracking attempt
Index(es):
- Date
- Thread