Re: under attack, need help !

From: amputee (dirty@pakistani.com)
Date: 07/31/02 

From: "amputee" <dirty@pakistani.com>
Date: Wed, 31 Jul 2002 07:34:55 GMT

"Thomas Lally" <juste_ciel@hotmail.com> wrote in message news:8673626a.0207302113.4736594a@posting.google.com...
> I believe someone from the outside who is attempting to use our smtp -
> our smtp is closed indeed - is not part of a normal traffic behavior
> ; No FTP server is opened, but some people are guessing anonymous ; IP
> spoof attempts, port scan and a very long sequence of netbios are
> actually showing warning signs to me. Of course you are all more
> experienced than I am in network security, but nobody comes up with
> advices, except about the content filtering for what I was already
> aware thanks...

It's common for people to try to scan networks for open SMTP relays,
from your logs I don't see anything which suggests to me that someone
is repeatedly trying to force their way through your firewall, thus I would
classify it as normal traffic. Some file sharing programs such as AudioGalaxy
and others use port 21 (FTP) to transfer files, so if someone inside your
network is using such software, it would be justifiable to see failed
connects to that port from the outside. Even if someone is not using
such software, it is still somewhat common to see a scan here or there,
but again from the log you posted, it doesn't look like someone is
malevolently trying to gain access to resources behind the firewall.
The 3 or 4 IP spoofs I saw were from computers on your own LAN,
and are microsoft machines without an assigned IP, which are trying
to access outside resources, this is obviously nothing to worry about.
The netbios connects are a very common thing, and again nothing
to worry about, especially if your firewall is blocking them, which it is.

The reason no one had any advice is because everything looks fine,
the firewall is doing its job. If you want your network 'more secure',
tighten your security policies and install antivirus software all over
your network. Other than that, nothing looks wrong, it just looks like
normal traffic to me, I wouldn't worry yourself.

amputee

Relevant Pages

  • Re: under attack, need help !
    ... were very long to access the network. ... > such software, it is still somewhat common to see a scan here or there, ... > malevolently trying to gain access to resources behind the firewall. ... > to worry about, especially if your firewall is blocking them, which it is. ...
    (comp.security.firewalls)
  • Re: Sending SMTP e-mail from DCL
    ... :I recently moved my home VMS box behind our firewall router, ... :I have also set up SMTP packets to be forwarded. ... Your firewall is not passing through mail to the interior of your ... network -- most won't, of course, unless specifically configured to ...
    (comp.os.vms)
  • Re: [Full-Disclosure] "MS Blast" Win2000 Patch Download
    ... Yes, blocking 135 at the firewall is a really, really, really, really good ... 135 means that "you don't have to worry about it", ... for your network, but it is a good start. ...
    (Full-Disclosure)
  • RE: can ping but not browse
    ... I have stopped the firewall. ... # are safed from all (security) hazards. ... firewall/bastion host to the internet ... # internet and to an internal network, ...
    (Fedora)
  • Re: Why not use NETBEUI on Windows XP ??
    ... Trusted zones means that firewall rules will be bypassed for any or certain ... not count on netbeui being a defense for such as long as smb connectivity ... while the connection is open. ... > Microsoft Networking components on my network. ...
    (microsoft.public.windowsxp.network_web)
Quantcast