Re: When not to log
From: Tim Haynes (usenet@stirfried.vegetable.org.uk) Date: 05/11/02
- Next message: Tolmino: "ppp"
- Previous message: Joe: "Re: When not to log"
- In reply to: Joe: "Re: When not to log"
- Next in thread: none@nowhere.org: "Re: When not to log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Tim Haynes <usenet@stirfried.vegetable.org.uk> Date: 10 May 2002 23:13:24 +0100
Joe <joe@jretrading.com> writes:
> >In that case, see what I said about dynamic IP#s.
>
> Demon. Static IP for over 5 years.
Interesting then.
> >> Mostly the usual suspects, with some nntp and the occasional ntp. Now
> >> and then one I have to look up. Oddly, very few smtp, imap or pop.
> >> Usually in threes, and, as I say, nearly all immediately after
> >> contacting a website for the first time. Not dodgy ones, either,
> >> mostly links from Google to hardware or software sites.
> >
> >Why not run the logs through fwlogwatch so you can at least categorise
> >per-IP per-port per-flag-combination?
>
> I'm currently using Win9*/personal fw on the Net. It only logs s & d IP,
> port and hostname where discoverable.
That's funny, you were moaning about iptables output a while ago????
> >Hint: if you're getting resets back from someone's port 80, it's 99%
> >likely you're looking for a webserver where there isn't one.
>
> Connection from unprivileged to my 80?
Ah, in that case, a new 3-syn connect attempt would be most likely Nimda or
Code Red.
> >Hint3: if you get ICMP 8/0 pings, either you're being pinged and/or
> >you're blocking PMTU attempts.
>
> I'm not returning pings but am replying to some ICMP/IGMP.
???
> I'm not worried about it, I just thought I'd throw it into a conversation
> where any possible connection between browsing and probes received was
> being denied. I'm certain there's some link a lot of the time. Is it
> impossible for a compromised web server to pass client IPs back to its
> owner? Would this not be a good way for a cracker to harvest active,
> on-line IPs?
There's never been a report of such a thing AFAIK, and it strikes me as a
little inefficient unless someone particularly *wants* to focus on dialup
blocks. Me, I think it would be more efficient to write a mass-scanner that
generates random IP blocks and then checks the DUL before concentrating on
always-online things - who in their right minds would *want* to crack a
home box that's going to be offline in a couple of minutes' time??
~Tim
--
Bag*** gave a big yawn,        |piglet@stirfried.vegetable.org.uk
and settled down to sleep.     |http://spodzone.org.uk/
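The per-IP, per-port, per-flag-combination categorisation Tim suggests (via fwlogwatch) is easy to do by hand on iptables LOG output, and it makes his three hints checkable rather than eyeballed. The script below is an added example and not part of the thread or of fwlogwatch: it assumes the standard iptables LOG-target line format (SRC=, DST=, PROTO=, SPT=, DPT=, bare SYN/ACK/RST tokens, TYPE=/CODE= for ICMP), the sample lines are constructed, and the labels encode the rules of thumb from the post (repeated SYNs to port 80 from an unprivileged port as a Code Red/Nimda-style probe, a RST coming from a remote port 80 as a failed connect to a non-webserver, ICMP 8/0 as plain pings). The ICMP type 3 code 4 rule is an added caveat: that is the packet path-MTU discovery needs, and a firewall that drops it is what actually causes the PMTU breakage Tim alludes to.

```python
from collections import defaultdict

# Constructed sample lines in iptables LOG-target format; addresses are documentation ranges.
SAMPLE_LOG = """\
May 10 23:01:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1001 DF PROTO=TCP SPT=3042 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 10 23:01:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1002 DF PROTO=TCP SPT=3042 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 10 23:01:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1003 DF PROTO=TCP SPT=3042 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 10 23:02:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.80 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=1234 WINDOW=0 RES=0x00 ACK RST URGP=0
May 10 23:03:01 gw kernel: IN=ppp0 OUT= SRC=192.0.2.33 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May 10 23:03:30 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=5 DF PROTO=TCP SPT=4711 DPT=119 WINDOW=16384 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")


def parse_line(line):
    """Parse one iptables LOG line into a small record, or None if it is not a packet log."""
    fields, flags = {}, []
    for tok in line.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields.setdefault(k, v)  # ICMP lines carry ID= twice; keep the IP header's
        elif tok in TCP_FLAGS:
            flags.append(tok)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    proto = fields["PROTO"].lower()
    rec = {"src": fields["SRC"], "proto": proto, "sport": None, "dport": None, "flags": ""}
    if proto == "tcp":
        rec["sport"], rec["dport"] = int(fields["SPT"]), int(fields["DPT"])
        rec["flags"] = "/".join(flags)
    elif proto == "icmp":
        rec["dport"] = int(fields["TYPE"])  # ICMP type stands in for "port"
        rec["flags"] = "code" + fields["CODE"]
    return rec


def summarise(log_text):
    """Bucket packets per source IP, per destination port (or ICMP type), per flag combination."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[(rec["src"], rec["proto"], rec["dport"], rec["flags"])].append(rec)
    return buckets


def classify(key, recs):
    """Label one bucket with the thread's rules of thumb (plus the PMTU caveat)."""
    src, proto, port, flags = key
    n = len(recs)
    sports = {r["sport"] for r in recs}
    if proto == "tcp" and flags == "SYN" and port == 80 and n >= 3 and min(sports) >= 1024:
        return "repeated SYN to port 80 from an unprivileged port: typical Code Red/Nimda-style web-worm probe"
    if proto == "tcp" and "RST" in flags.split("/") and 80 in sports:
        return "reset from the remote's port 80: you connected to a host with no web server listening"
    if proto == "icmp" and port == 8 and flags == "code0":
        return "ICMP echo request: you are simply being pinged"
    if proto == "icmp" and port == 3 and flags == "code4":
        return "ICMP fragmentation-needed: path-MTU discovery, do not block this"
    return "unclassified"


def report(log_text):
    """Return (key, count, label) tuples, most frequent bucket first, then by source IP."""
    buckets = summarise(log_text)
    rows = [(key, len(recs), classify(key, recs)) for key, recs in buckets.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0][0]))


if __name__ == "__main__":
    for (src, proto, port, flags), count, label in report(SAMPLE_LOG):
        print(f"{src:<15} {proto:<4} {str(port):>5} {flags:<8} x{count}  {label}")
```

Feed it `sudo grep 'IN=ppp0' /var/log/messages` and the three-SYN pattern Joe describes collapses into a single counted row per scanner, which is the point of categorising before speculating about who sent what.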