Re: Linux vs LinkSys 4 port Cable router

From: David (davidwnh@adelphia.net)
Date: 10/12/02


From: "David" <davidwnh@adelphia.net>
Date: Sat, 12 Oct 2002 07:04:05 GMT

The key is your incoming router log is generally only an indication of which
computers are "querying" or attempting to connect to your network. It is
designed to stop what I call standard "unsolicited" connects and stop
certain other types of traffic. It will by no means block every unwanted
packet sent to it. There are several methods of port scanning and the
different firewall appliances are designed to block only certain types of
these scans. Which ones a specific Linksys router blocks doesn't seem to be
readily available information from Linksys. You would probably have to do
the testing yourself to figure this out. Probably not even worth the effort.
If you go to some of the internet scan sites (and your router is configured
properly) you probably won't see leakage in your computer's logs because
they are doing the most common scans and your router is in fact squelching
them. On the other hand many of the current worms and hacker tools do scans
that are not stopped by your router. Those are the ones that show up on your
computer logs. If your ports are closed and/or filtered properly your
computer/proxy will squelch the response. If not your computer will send the
type of response that the particular scan is trying to initiate. Usually
still not a problem, you're just not stealthy when it comes to that particular
type of scan. What this comes down to is that you are stealthy to your
typical script kiddie and some of the worms, but not others. By filtering at
your computer or proxy you will add stealth. Some of the current trojan and
SQL scanning worms walk right past certain routers. These may be the ones
you're currently seeing most in your logs? It's generally not a problem and
being stealthier seems to matter less and less all the time. The worms on
infected computers seem to come looking for you day in and day out whether
your computer is responding to them or not. If you keep seeing the same
computers doing these scans on a regular, seemingly scheduled basis they are
usually worms looking for a new victim and the person who got it is unaware.
You can send your logs to a site like dshield.org. If they get enough
reports on a specific ip address they will sometimes notify the offending
computer's ISP.

"2Host.com - Robert" <admin@-NOSPAM-2host.com> wrote in message
news:3DA78037.952DDEAE@-NOSPAM-2host.com...
>
>
> "John (John)" wrote:
> >
> > Guys,
> >
> > I'd like to expand on this thread a tad and ask a related security
> > question.
> >
> > I have a Linksys router feeding a Linux (Red Hat 7.3) server and some
> > Windows 98 PCs on my LAN.
> >
> > I run wu-ftpd just as a local service to myself (...I know, I know,
> > I'm gonna shift it over to ProFTPD -- honest!). For security, I have
> > hosts.deny set to ALL and hosts.allow set to only permit my local IPs.
> > I also have all the ports closed on the Linksys router. So, bottom
> > line, I don't want, nor do I expect, to have my FTP service exposed to
> > the outside world.
> >
> > So, the question becomes: why do I see listings in my secure log of
> > outside attempts to access my FTP server?
> >
> > The log shows all the outside attempts as "FAIL", so I'm safe, but why
> > am I seeing anything in the log at all? Why doesn't the Linksys router
> > just bounce the probes before the Linux server "sees" them at all?
> >
> > Thanks for any insights you can offer.
> >
>
> You need to deny any outside connections to the FTP port, or they will
> access that service on the system and be denied because their IP isn't
> local. What Linksys router model do you have? What options do you see
> when accessing the router? It should be pretty straightforward. You
> should do this for any service you don't want someone getting into your
> local LAN via a remote connection.
> --
> Regards,
> Robert McGregor - Email: admin@(remove)2host.com. Phone: 530-941-0690
> Server admin, support & programming for shared & dedicated web servers
> Secure, reliable hosting you expect and deserve! http://www.2host.com
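
Added example, not part of either poster's message: a small Python summary of refused FTP connections in a secure log, listing the outside addresses that come back on several different days, which is the pattern the reply above attributes to worms and suggests reporting to a site like dshield.org. The xinetd-style line format, the 192.168.1.0/24 LAN range, the three-day threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape (xinetd-style refusals in /var/log/secure):
#   "Oct 12 03:14:07 host xinetd[812]: FAIL: ftp libwrap from=203.0.113.5"
FAIL_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ xinetd\[\d+\]: "
    r"FAIL: (?P<service>\S+) \S+ from=(?P<src>\S+)$"
)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Oct 10 03:14:07 server xinetd[812]: FAIL: ftp libwrap from=203.0.113.5
Oct 10 09:41:55 server xinetd[812]: START: ftp pid=2201 from=192.168.1.20
Oct 11 03:14:11 server xinetd[812]: FAIL: ftp libwrap from=203.0.113.5
Oct 11 17:02:40 server xinetd[812]: FAIL: ftp libwrap from=198.51.100.77
Oct 12 03:13:58 server xinetd[812]: FAIL: ftp libwrap from=203.0.113.5
Oct 12 03:20:00 server xinetd[812]: FAIL: ftp libwrap from=192.168.1.30
Oct 12 04:00:00 server sshd[900]: some unrelated line
"""

def refused_by_source(log_text, service="ftp"):
    """Map each outside source IP to the set of days it was refused."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m or m.group("service") != service:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # hostname or garbage in from=, skip it
        if src in LOCAL_NET:
            continue  # refusals from the LAN are a config issue, not a probe
        # Collapse syslog's padded day ("Oct  1") to a single space.
        days[str(src)].add(" ".join(m.group("day").split()))
    return dict(days)

def recurring_sources(log_text, min_days=3, service="ftp"):
    """Outside sources refused on at least min_days distinct days."""
    hits = refused_by_source(log_text, service)
    return sorted(ip for ip, seen in hits.items() if len(seen) >= min_days)

if __name__ == "__main__":
    for ip, seen in sorted(refused_by_source(SAMPLE_LOG).items()):
        print(f"{ip}: refused on {len(seen)} day(s): {', '.join(sorted(seen))}")
    print("recurring:", recurring_sources(SAMPLE_LOG))
```

Any "FAIL" line from an outside address also shows that the probe reached the Linux host rather than being dropped at the router.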


