
Re: strange requests from Vanguard Securities: 53,137,138

On Sun, Aug 12, 2007 at 01:16:57PM -0700, Wade Richards wrote:
> 2) If you really don't like the log messages, then reconfigure your firewall to not
>    log dropped packets.

Actually, it might be best to just drop (and not log) packets to these ports
which are flooding your messages' log and log the rest. That way you log
other (uncommon) incoming attacks blocked by the firewall which might be an
indication of somebody who is interested in you (for example, a portscan

Easy to do like this:

<your firewall ruleset, assuming your default policy is DROP>
iptables -A INPUT -p udp --dport 53 -j DROP
# --dport takes a single port or a range; a comma-separated list needs -m multiport --dports
iptables -A INPUT -p tcp -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
iptables -A INPUT -j LOG
<end of firewall ruleset>



PS: Notice that NetBIOS (port 137, 138) worms try to propagate over both
TCP and UDP:

PPS: I typically block and drop also port 139 (also NetBIOS) which is
constantly probed due to multiple trojans and vulnerabilities:

Attachment: signature.asc
Description: Digital signature
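
An added example (not part of the original message): what the ruleset above does to the log, run over constructed, abbreviated iptables LOG lines. `QUIET` mirrors the three DROP rules; the function names, the sample addresses and the three-port threshold are assumptions made for the illustration.

```shell
# Constructed, abbreviated iptables LOG lines (documentation addresses only).
sample_log() {
cat <<'EOF'
Aug 12 13:20:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=1026 DPT=137
Aug 12 13:20:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=1026 DPT=137
Aug 12 13:20:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=53 DPT=53
Aug 12 13:20:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4100 DPT=138
Aug 12 13:20:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=21
Aug 12 13:20:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=22
Aug 12 13:20:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=23
Aug 12 13:20:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=22
Aug 12 13:20:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=5000 DPT=53
EOF
}

# PROTO/DPT pairs dropped without logging (mirrors the three DROP rules above).
QUIET="UDP/53 TCP/137 UDP/137 TCP/138 UDP/138"

# Shared awk prelude: load QUIET, then pull SRC, PROTO and DPT out of each line.
PARSE='
BEGIN { n = split(quiet, q, " "); for (i = 1; i <= n; i++) drop[q[i]] = 1 }
{
    src = proto = dpt = ""
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
    }
    if (src == "" || dpt == "") next       # not a port-bearing LOG line
    silent = ((proto "/" dpt) in drop)     # would hit a DROP rule before LOG
}'

# Print "suppressed=<n> logged=<m>": how many lines the DROP rules keep out of the log.
log_volume() {
    awk -v quiet="$QUIET" "$PARSE"'
    { if (silent) s++; else l++ }
    END { printf "suppressed=%d logged=%d\n", s, l }'
}

# Print "<source> <distinct ports>" for sources seen on at least $1 logged ports.
scan_suspects() {
    awk -v quiet="$QUIET" -v min="$1" "$PARSE"'
    !silent && !((src, dpt) in seen) { seen[src, dpt] = 1; ports[src]++ }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

sample_log | log_volume
sample_log | scan_suspects 3
```

The TCP probe to port 53 stays in the log because the ruleset only silences UDP 53.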
