Advice on firewall implementation and attacks
From: Ioan Peters (ioan_peters@hotmail.com) Date: 03/07/02
From: ioan_peters@hotmail.com (Ioan Peters) Date: 7 Mar 2002 03:31:25 -0800
Hi,
We're a small company using ADSL in the UK to connect to the Internet.
We have a firewall and proxy server between the Internet and our
users. Both devices have NAT implemented (for historical reasons) and
the only routable IP addresses we have are allocated to the ADSL modem
and Firewall.
The firewall does some port forwarding to our server (this runs MS SBS
4.5 including SQL Server, Exchange, IIS, Proxy etc.). Only the minimum
number of ports are forwarded: SMTP, HTTP & some others.
The set-up has been running for 3-4 months without any real incident -
we usually get a whole load of bounced traffic from what seems to be
people scanning for open hosts and occasionally a notification of a
dropped attack. It all amounts to about 1 log a day.
Recently, there seems to be a lot of interest in our external web site
(SSL encrypted Outlook web access site), so I moved the site from port
80 to a random port and am keeping an eye on the site logs.
Interest in our web server has escalated since then (approx 5-6 logs a
night) – people are still trying to attack port 80, even though it's
blocked by the firewall. I suspected that the interest in at least
port 80 on the server would die once the site was moved, but this
seems to have had the opposite effect!?
The attacks seem to be getting more sustained, with a lot more traffic
from a few IP addresses, rather than little traffic from a lot of
unique IP addresses. I guess our IP is listed somewhere?
I'm looking for some feedback maybe – what's your best guess on what's
happening? Is our IP listed somewhere, if so where would you look for
it? Given that we have MS SBS 4.5 and have to have mail and host the
Outlook web access on the same box, have I done everything I can do to
secure the environment? Anything I should be worried about?
Sorry about the long post. Thanks for your help in advance, Ioan.
PS: I'd be grateful if you could copy any reply to
ioan_peters.nospam@hotmail.com (remove the nospam!).