Re: Am I being scanned ?



on Tue, May 22, 2001 at 07:08:06PM -0500, Balbir Thomas (thomas.1037@osu.edu) wrote:
> Hi,
> My tcplogd reports are starting to look like this :
> 
> May 22 18:09:06 mandelbrot tcplogd: port 1884 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> May 22 18:09:06 mandelbrot tcplogd: port 1885 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> May 22 18:09:07 mandelbrot tcplogd: port 1886 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> May 22 18:09:08 mandelbrot tcplogd: port 1887 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> May 22 18:09:09 mandelbrot tcplogd: port 1888 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> May 22 18:09:09 mandelbrot tcplogd: port 1889 connection attempt from
> +outpost.zedz.net [194.109.206.210]
> 
> This goes on and on. Does this mean someone is trying to port scan my
> PC?

Looks like it.

> If so, what can I do to detect/prevent a break-in and restrain him/her?

I'd send an email to abuse@zedz.net to alert them, and their upstream
provider, 

    $ whois 194.109.206.210

...will give you this info -- looks like xs4all.nl is the hosting
service, in the Netherlands.

You can also add a rule to specifically block this IP to your IP
filtering rules.  You might want to make sure it's not an IP that
otherwise has legitimate access to your system.  Spoofing IP addresses
used in portscanning is a known DoS tactic.

You should also check to see that you're not running any service or
leaking access to your system at high level ports.  Above 1024, there
are some services including X (6000-6064), VNC, MySQL, and others.

> Any pointers to security for Debian newbies? Thanking you.

There are several good books on firewalling.  The O'Reilly one is
classic, New Riders have _Linux Firewalls_, Wiley have _Building Linux and
OpenBSD Firewalls_.  All are recommended.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
   Disclaimer:          http://www.goldmark.org/jeff/stupid-disclaimers/
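
Added example, not part of the original thread: one way to turn the tcplogd lines quoted above into a port-scan check, by flagging any source that touches several distinct ports inside a short window. The function names, the thresholds (5 ports in 60 seconds), the assumed year, and the last sample line (192.0.2.10) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcplogd line layout as quoted in the message above.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ tcplogd: port (\d+) "
    r"connection attempt from\s+(\S+) \[([\d.]+)\]"
)

def unwrap(text):
    """Join mail-wrapped continuation lines (starting with '+') onto the previous line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+") and out:
            out[-1] += " " + line[1:]
        elif line:
            out.append(line)
    return out

def find_scanners(text, min_ports=5, window=timedelta(seconds=60), year=2001):
    """Return {ip: ports} for sources hitting >= min_ports distinct ports within window."""
    events = defaultdict(list)
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(4)].append((ts, int(m.group(2))))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[ip] = sorted(ports)
                break
    return flagged

# First five entries are from the message (the first kept mail-wrapped); the last is constructed.
SAMPLE = """\
May 22 18:09:06 mandelbrot tcplogd: port 1884 connection attempt from
+outpost.zedz.net [194.109.206.210]
May 22 18:09:06 mandelbrot tcplogd: port 1885 connection attempt from outpost.zedz.net [194.109.206.210]
May 22 18:09:07 mandelbrot tcplogd: port 1886 connection attempt from outpost.zedz.net [194.109.206.210]
May 22 18:09:08 mandelbrot tcplogd: port 1887 connection attempt from outpost.zedz.net [194.109.206.210]
May 22 18:09:09 mandelbrot tcplogd: port 1888 connection attempt from outpost.zedz.net [194.109.206.210]
May 22 18:10:00 mandelbrot tcplogd: port 22 connection attempt from host.example [192.0.2.10]
"""
```

As the reply notes, a flagged address may be spoofed, so the result is a prompt to investigate rather than proof of who is scanning.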
