[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NULL Scan issues or something else?

Le 5 févr. 2013 17:52, "Daniel Curtis" <sidetripping@gmail.com> a écrit :
> I've added a rule to my iptables script, which is responsible for
> filtering --tcp-flags and INVALID state. After addition of this rule,
> I've noticed , that many IP addresses are trying to scan(?) my
> computer, but it is not so obvious, because, for me, from iptables
> rule point of view, NULL Scan is something different (see below).
> This rule looks this way and is related to the incoming connections:
> [...]
> Mostly all of the log entries related to the NULL Scan are the same - the same
> SPT, TTL and PROTO values. Of course, sometimes IP addresses were changed.
> Best regards!


Don't put too much time into those "strange packets"  received.

There is a countless number of bots and scripts kiddies scanning the whole ipv4 range (and bruteforcing password also). They often use standard scanning like syn scan and sometime you find some people trying to exploit vulnerabilities quite old (ping of the death, Xmas tcp packets...).

Should you worry? No, at least if you take simple precautions: block everything unless what you need (port 80? 22?...) and be as restricted as possible (from which network...).

And use hard password.

You'll be scanned, many times a day, you'll also be bruteforced and however not normal, this is just "noise".

Respect usual security measures and you won't really be bothered by this noise (but by more advanced threat could :)).

A simple iptables firewall with input dropped by default and allowing certain ports should work for most servers.

Jérémie Marguerie

Reply to: