Re: Deutsche-Telekom sets the standard for network security! (??)
From: Bruce D. Ray (bray@iupui.edu) Date: 12/18/01
- Next message: Rob MacGregor: "Re: DNS"
- Previous message: Vincent: "modify ipchains rules via web interface"
- In reply to: gr8matt: "Re: Deutsche-Telekom sets the standard for network security! (??)"
- Next in thread: Ian Jones: "Re: Deutsche-Telekom sets the standard for network security! (??)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: bray@iupui.edu (Bruce D. Ray) Date: Tue, 18 Dec 2001 10:15:44 -0500
In article <cHCT7.5457$kM1.1355157536@newssvr14.news.prodigy.com>,
"gr8matt" <gr8rmatt@pacbell.net> wrote:
> I am rather new to the entire security field (I became interested when I got
> cracked) and find the whole "religious debate" quite amazing. I had no idea
> that people were so hardcore (for lack of a better word) on security.
>
> Several of you say that you report port sniffers almost every time. Are you
> telling me that you go through and research each and every IP address that
> sniffs your system? I am asking this in all honesty - not trying to be
> sarcastic. I have only had a server up for 2 months now and get at least
> 5 - 10 hits a night. Do you have some type of script that sends an email
> out or how do you handle all that traffic? I assume that you block IP's in
> the hosts.deny file. Are there ranges that you block?
1. I don't have to do any research on the IP's. All of that
is logged automatically by my NIDS {OpenBSD system set up
on an obsoleted machine I salvaged that only runs snort,
and doesn't run anything else}, by my firewall, and by the
protected systems.
2. I don't see near the hits you report. Of course, my
systems are not exactly the most accessible.
3. All I have to do to report the incident to IU's IT
Security Office is copy the log records into a form
e-mail and send that. I don't spend more than about
2 h/wk on hits.
4. I have a full firewall system {OpenBSD system set up
on another obsoleted machine I salvaged that only runs
IP Filter with a rather strict rule set}. I'm past
the /etc/hosts.deny file stage to full firewalling.
You might want to consider doing the same if you're
seeing that many port scans every night. Do all your
systems really need that degree of exposure to the
net? Don't most of your systems have only a small
number of other systems from which legitimate traffic
can come?
5. In addition to blocking a whole host of unroutables
listed in IP Filter literature, I currently block the
following on the particular network under discussion
{I have another network whose input rule blocks
everything without exceptions}:
0.0.0.0/1 # 0.0.0.0-127.255.255.255
128.121.0.0/16
128.242.0.0/16 # No Verio, Inc. of CO
129.250.0.0/16 # Nor this Verio, Inc.
130.104.0.0/16 # No Universite Catholique de Louvain, Belgique
134.96.0.0/16 # No University of the Saarland, Germany
135.0.0.0/8 # 135.0.0.0-135.255.255.255
136.0.0.0/5 # 136.0.0.0-143.255.255.255
144.0.0.0/4 # 144.0.0.0-159.255.255.255
160.0.0.0/3 # 160.0.0.0-191.255.255.255
192.0.0.0/6 # 192.0.0.0-195.255.255.255
196.0.0.0/7 # 196.0.0.0-197.255.255.255
198.0.0.0/8 # 198.0.0.0-198.255.255.255
200.0.0.0/5 # 200.0.0.0-207.255.255.255
208.0.0.0/4 # 208.0.0.0-223.255.255.255
6. Yes, I do realize that this list blocks almost everybody
on the internet. I'm not a service provider. I don't
run a web site on these systems. I'm not a content
provider. There isn't anything on my systems that most
on the internet have any reason to view. When I've
collected, analyzed, and interpreted my data, I will
publish it and that will be available from the publisher's
web site. Furthermore, my firewall allows me to connect
to sites that are blocked from connecting to me.
> If your job is strictly security, I might be able to see being able to do
> this. However, I have a two man shop and don't have enough time in the day
> to get my regular duties done much less track every port sniffer running a
> script kitty.
That's nice. I'm a research biochemist, lab manager,
NMR spectroscopist, and isotopic chemist. I also do
programming needed to analyze the acquired NMR data, e.g.,
multi-exponential chemical exchange fits to a system of
resonances with superpositions, PRR fits, etc. My job is
not supposed to be security at all. I just got stuck with
administration of every single Unix system in this department
because NMR spectrometer host computers are Unix systems.
> Please tell me if you think I am off base here. The way it sounds, I may
> need to focus more attention on what I considered to be "almost innocent"
> sniffs.
As far as I can tell, there aren't any "almost innocent"
port scans coming from Europe. I do not believe that there
are any "almost innocent" port scans coming from anywhere
else either. From the patterns, a number of these port
scans come from places already subverted. From reports of
actual break ins to scientific systems that follow port
scans from the same European ISP's under discussion, and
from other reports on traffic, these port scans are preparatory
to downloading systems in the US with materials that will
cause an FBI seizure of the systems {i.e., child pornography}.
--
Warning to commercial e-mailers {spammers}: The e-mail
address provided above is for information purposes only
and is subjected to extensive e-mail filtering. Do not
send unsolicited commercial e-mail to this address.
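The block list in point 5 is written as IP Filter address ranges with trailing comments. The Python script below is an added example, not code from the post or from IP Filter: it parses that list exactly as written above, deduplicates any overlapping ranges, measures what share of the IPv4 space the list covers, derives the ranges that remain reachable (which makes point 6 concrete), and classifies a few constructed sample addresses. It uses only the standard library `ipaddress` module (Python 3.7 or later for `subnet_of`); the sample addresses are assumptions chosen to exercise the edges of the list.

```python
"""Evaluate the IP Filter-style block list quoted in the post above.

Added example, not from the original post. The list text is a copy of
the ranges given there; the sample addresses are constructed.
"""
import ipaddress
from typing import Iterable, List

# Block list exactly as it appears in point 5 of the post (copied text).
BLOCK_LIST_TEXT = """\
0.0.0.0/1 # 0.0.0.0-127.255.255.255
128.121.0.0/16
128.242.0.0/16 # No Verio, Inc. of CO
129.250.0.0/16 # Nor this Verio, Inc.
130.104.0.0/16 # No Universite Catholique de Louvain, Belgique
134.96.0.0/16 # No University of the Saarland, Germany
135.0.0.0/8 # 135.0.0.0-135.255.255.255
136.0.0.0/5 # 136.0.0.0-143.255.255.255
144.0.0.0/4 # 144.0.0.0-159.255.255.255
160.0.0.0/3 # 160.0.0.0-191.255.255.255
192.0.0.0/6 # 192.0.0.0-195.255.255.255
196.0.0.0/7 # 196.0.0.0-197.255.255.255
198.0.0.0/8 # 198.0.0.0-198.255.255.255
200.0.0.0/5 # 200.0.0.0-207.255.255.255
208.0.0.0/4 # 208.0.0.0-223.255.255.255
"""

ALL_IPV4 = ipaddress.IPv4Network("0.0.0.0/0")


def parse_block_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'prefix # comment' lines into networks, merging overlaps."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not line:
            continue
        # strict=True rejects prefixes with host bits set, e.g. 128.121.1.0/16
        nets.append(ipaddress.ip_network(line, strict=True))
    return list(ipaddress.collapse_addresses(nets))


def blocked_address_count(blocked: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of distinct IPv4 addresses the list denies."""
    return sum(n.num_addresses for n in blocked)


def blocked_fraction(blocked: Iterable[ipaddress.IPv4Network]) -> float:
    """Share of the whole IPv4 space (2**32 addresses) the list denies."""
    return blocked_address_count(blocked) / ALL_IPV4.num_addresses


def allowed_networks(blocked: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Complement of the block list: the ranges that can still reach the host."""
    allowed = [ALL_IPV4]
    for b in blocked:
        remaining = []
        for a in allowed:
            if b.subnet_of(a):
                # Carve the blocked range out of this allowed range.
                remaining.extend(a.address_exclude(b))
            elif a.subnet_of(b):
                continue  # wholly covered by the blocked range, drop it
            else:
                remaining.append(a)
        allowed = remaining
    return list(ipaddress.collapse_addresses(allowed))


def is_blocked(addr: str, blocked: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any blocked range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in blocked)


if __name__ == "__main__":
    blocked = parse_block_list(BLOCK_LIST_TEXT)
    print(f"blocked addresses: {blocked_address_count(blocked)} "
          f"({blocked_fraction(blocked):.1%} of IPv4)")
    print("still reachable from:")
    for n in allowed_networks(blocked):
        print("  ", n)
    # Constructed sample addresses, not taken from the post.
    for sample in ("198.51.100.7", "128.121.5.5", "128.122.0.1", "199.0.0.1", "224.0.0.1"):
        print(f"{sample:>14}: {'blocked' if is_blocked(sample, blocked) else 'allowed'}")
```

Running it shows that the fifteen lines deny roughly 84% of the IPv4 space and that what remains reachable is the unlisted parts of 128/8 through 134/8, all of 199/8, and 224/3 (multicast and reserved space, which will not carry legitimate unicast connections anyway). The parser is deliberately strict about host bits so that a mistyped prefix fails loudly instead of silently denying a different range than intended.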