
Re: strange requests from Vanguard Securities: 53,137,138



Hi George,

On Sun, Aug 12, 2007 at 12:58:59PM -0400, George wrote:
> In browsing vanguard.com I find it slow, also they cause unexpected 
> logging in my /var/log/messages file.  To kill these I updated iptables 
> to open said ports.
> 
> #!/bin/sh
> # /opt/sbin/ziptables.vanguard input
> #
>  iptables -I INPUT -j ACCEPT -s 167.206.251.0/24 -p udp \
>  -m multiport --ports 53,137,138
> #
> iptables -L
> 
> Why are they examining these ports?  No one else is.
> 
> Using a Thinkpad behind a router and my own iptables firewall.  Debian 
> Test and Sid environments.

You've made a few missteps here.

First, you have assumed that "vanguard.com" is the reason for the
activity on your firewall.  If you look at the IP address for vanguard, you'll
see that it has nothing to do with the IP addresses that are hitting your firewall.

To see the IP address of a site, use "host":

    $ host vanguard.com
    vanguard.com has address 192.175.201.80
    vanguard.com has address 192.175.191.80
    vanguard.com mail is handled by 100 vanguard.com.s7a1.psmtp.com.
    vanguard.com mail is handled by 200 vanguard.com.s7a2.psmtp.com.
    vanguard.com mail is handled by 300 vanguard.com.s7b1.psmtp.com.
    vanguard.com mail is handled by 400 vanguard.com.s7b2.psmtp.com.

Then, to see who is actually hitting your firewall, use "whois":

    $ whois 167.206.251.0
    Cablevision Systems Corp. CVNET (NET-167-206-0-0-1)
                                    167.206.0.0 - 167.206.255.255
    Cablevision CVNET-A7CEFB00 (NET-167-206-251-0-1)
                                    167.206.251.0 - 167.206.251.15

So you have opened up ports for "Cablevision Systems Corp", when you 
want to allow access to Vanguard.  Not a good idea.  "Cablevision Systems
Corp" is a company that provides broadband network access to homes, so 
all these addresses are probably people's home computers.

Secondly, you opened up ports without knowing what they are for.  To see
what the ports are for, search in the /etc/services file:

    $ grep 53/ /etc/services
    domain          53/tcp                          # name-domain server
    domain          53/udp
    $ grep 137/ /etc/services
    netbios-ns      137/tcp                         # NETBIOS Name Service
    netbios-ns      137/udp
    $ grep 138/ /etc/services
    netbios-dgm     138/tcp                         # NETBIOS Datagram Service
    netbios-dgm     138/udp

So those ports are for DNS and Microsoft networking.  Both are services that have a 
lot of exploits for them. 

The reason you are getting a lot of hits on those ports from those
addresses is because some "hackers" are trying to break into your
system, using known exploits against DNS and Microsoft networking.  They
probably aren't succeeding, since you probably don't run a DNS server or
SAMBA.  But if you do run one of those, you should be warned.

Finally, there is the idea that you simply opened up the ports to make
the messages in your log file go away.  This is a very bad idea.  The
firewall is there to stop you from getting hacked.  The log file is
there to warn you that someone is trying to hack you.  Opening up ports
to stop log file messages is kind of like removing your armour because
you don't like the loud "ping" sound of bullets bouncing off it.

I strongly suggest that you:
1) Close those ports in your firewall.
2) If you really don't like the log messages, then reconfigure your firewall to not
   log dropped packets.
3) Use "/etc/services" to see what ports are for, and make sure you understand what
   service is running on a port before you open it up.
4) Use "whois" to see the names behind an IP address, and make sure you know who is 
   behind an address before you open a hole in your firewall for that address.

Good luck,

    --- Wade
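The checks Wade walks through above (look the port up in /etc/services, resolve the site's address, whois the source, and if the noise is unwanted drop it quietly instead of opening it) can be scripted so they run before any rule is added. The following is an added example and not code from either message in this thread. The services table, the resolved site addresses and the whois answer are constructed inline (copied from the output quoted in the reply) so it runs offline; on a real host you would replace them with the real /etc/services and live `host`/`whois` output. The `quiet_drop_rules` function assumes, hypothetically, that the firewall's LOG rule sits later in the INPUT chain, so a DROP inserted ahead of it silences the log without accepting anything.

```shell
#!/bin/sh
# Added example: sanity checks to run before opening a firewall port for an address.
# All lookup data below is constructed so the script runs offline.

# Constructed excerpt in /etc/services format (the real file has many more lines).
SERVICES_SAMPLE='domain          53/tcp   # name-domain server
domain          53/udp
netbios-ns      137/tcp  # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp  # NETBIOS Datagram Service
netbios-dgm     138/udp'

# Constructed: the addresses `host vanguard.com` printed in the reply above.
SITE_ADDRS='192.175.201.80
192.175.191.80'

# Constructed: the first lines of the `whois 167.206.251.0` answer quoted above.
WHOIS_SAMPLE='Cablevision Systems Corp. CVNET (NET-167-206-0-0-1)
                                167.206.0.0 - 167.206.255.255
Cablevision CVNET-A7CEFB00 (NET-167-206-251-0-1)
                                167.206.251.0 - 167.206.251.15'

# service_name PORT PROTO: service name from the table, or "unknown".
service_name() {
    _name=$(printf '%s\n' "$SERVICES_SAMPLE" |
        awk -v p="$1/$2" '$2 == p { print $1; exit }')
    printf '%s\n' "${_name:-unknown}"
}

# whois_owner: organisation named on the first line of the whois answer,
# with the "(NET-...)" handle stripped.
whois_owner() {
    printf '%s\n' "$WHOIS_SAMPLE" | sed -n '1s/ *(NET-.*$//p'
}

# site_has_addr ADDR: succeeds only if ADDR is one the site's name resolves to.
site_has_addr() {
    printf '%s\n' "$SITE_ADDRS" | grep -qxF "$1"
}

# check_request SRC PORTS PROTO: succeeds only if SRC really is the site;
# prints one line per finding so the admin sees what each port is for.
# PORTS is a comma-separated list as iptables' multiport takes it.
check_request() {
    _ok=0
    if site_has_addr "$1"; then
        echo "source $1 belongs to the site"
    else
        echo "source $1 is NOT the site; whois says: $(whois_owner)"
        _ok=1
    fi
    _old_ifs=$IFS
    IFS=,
    for _p in $2; do
        echo "port $_p/$3 = $(service_name "$_p" "$3")"
    done
    IFS=$_old_ifs
    return $_ok
}

# quiet_drop_rules SRC PORTS: iptables commands that remove the broad ACCEPT
# from the quoted script and instead drop that traffic without logging.
# Assumption (hypothetical): the LOG rule is later in INPUT, so an inserted
# DROP is matched first and the log stays quiet. Only prints; does not apply.
quiet_drop_rules() {
    printf 'iptables -D INPUT -j ACCEPT -s %s -p udp -m multiport --ports %s\n' "$1" "$2"
    printf 'iptables -I INPUT -s %s -p udp -m multiport --dports %s -j DROP\n' "$1" "$2"
}
```

Source the file and call `check_request 167.206.251.0 53,137,138 udp`; it reports that the source is Cablevision rather than the site and names each port, and its non-zero exit is what a wrapper script would key on before running anything from `quiet_drop_rules`. Note the DROP rule uses `--dports`, whereas the quoted script's `--ports` matches either source or destination port, which is wider than intended.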
