[lug] Anyone know who this @home host is?

Warren Sanders sanders at MontanaLinux.Org
Tue Feb 20 08:39:35 MST 2001


Well I chose to ignore the port 68 deal and took that port watch out of
the mix.  I turned my snort on as well and it doesn't see the scanning
going on.  I also added that host to the deny list for IPchains but the
host has been in there all along after the first detect.  Oddly my logs
did not show any kernel denies from that host as is the case from other
@home scanners.  Generally I get a kernel packet deny log before I see a
portsentry attack alert and the attack alerts were all I'd get, no snort
log and no packet deny.

BTW I use a hosts deny ALL policy in place.

On Mon, 19 Feb 2001, John Starkey wrote:

> Date: Mon, 19 Feb 2001 21:42:40 -0700
> From: John Starkey <jstarkey at advancecreations.com>
> Reply-To: lug at lug.boulder.co.us
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Anyone know who this @home host is?
>
> They're still scanning. You just need something that picks it up before ipchains denies/rejects it. If you're blocking that port then you've complied because you sure as hell aren't running an nntp server (on that port anyway).
>
> dan radom wrote:
>
> > I used to get scans before I blocked all their traffic with ipchains.  I've set ipchains to allow me to still use their dns, mail, news, proxy services if I choose.  Email me off list and I'll be happy to supply the chains.  No more scans from @home :)
> >
> > Dan
> >
> > * Nate Duehr (nate at natetech.com) wrote:
> > > On Mon, Feb 19, 2001 at 08:14:03PM -0700, John Starkey wrote:
> > > > My logs say they are still only scanning nntp.
> > >
> > > There are reports that they scan other services, but perhaps not here in
> > > Colorado?
> > >
> > > --
> > > Nate Duehr <nate at natetech.com>
> > >
> > > GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
> > > Public Key available upon request, or at wwwkeys.pgp.net and others.
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>

-- 
Warren Sanders
http://MontanaLinux.Org
