
[cobalt-security] FTP/Probing Scan Question



I have the same issues/question as Chae. I have already installed IPChains
but have been reviewing rules and haven't executed it or set up the boot
script. Still reviewing rules and have been looking for a detailed how-to. I
have reviewed a lot of the documentation
(http://plug.skylab.org/199907/msg00138.html &
http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO.html) but was hoping to
find a standard Cobalt Raq4i ruleset or a walkthrough from someone running
standard services and ports. Have been anxiously awaiting Carrie or Michael
Stauber's expanded how-to. Anyone have something like this available?

We have been getting regular repeated probes (example below) from apparently
the same hacker (or subnet) as Chae's post. These are consistent even though
they never get in (or I am hoping they aren't getting). FTP is on but
Anonymous FTP is disabled. We are running SSL, SSH, no telnet, etc.

Aug 29 13:37:34 www proftpd[12665]: xx.xx.xxx.xxx
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - FTP session opened.
Aug 29 13:37:34 www proftpd[12666]: xx.xx.xxx.xx1
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - FTP session opened.
Aug 29 13:37:34 www proftpd[12667]: xx.xx.xxx.xx2
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - FTP session opened.
Aug 29 13:37:34 www proftpd[12668]: xx.xx.xxx.xx3
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - FTP session opened.
Aug 29 13:37:35 www proftpd[12665]: xx.xx.xxx.xxx
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - no such user 'anonymous'
Aug 29 13:37:35 www proftpd[12665]: xx.xx.xxx.xxx
(pD950D1A0.dip.t-dialin.net[217.80.209.160]) - no such user 'anonymous'

A lot of these for most of our 64 IPs. Similar "FTP session closed" for all
probes.

Daily I regularly review the report from LogChk and manually add the
offending IPs to the hosts.deny file. They just seem to move or fake
another IP address. I have considered denying the ranges of these IPs but we
have a lot of out-of-country access to our stateside sites... and obviously
don't want to shut down a major gateway.

Any recommendations? Thanks in advance.

Best regards,
Troy Arnold | websetters, inc.
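A small detector for the probe pattern Troy quotes, added here as an example and not part of the post or of any Cobalt/LogChk tooling: it parses proftpd lines of the shape shown above, counts "no such user 'anonymous'" failures per remote address and how many local addresses each one swept, and emits candidate hosts.deny entries. The sample log is constructed from the post's lines plus one documentation address; the threshold and the "ALL:" daemon field are assumptions to tune for the site.

```python
import re
from collections import defaultdict

# Shape of the proftpd lines quoted in the post:
#   <Mon DD HH:MM:SS> <host> proftpd[<pid>]: <local> (<rhost>[<rip>]) - <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"(?P<local>\S+) \((?P<rhost>[^\[\s]+)\[(?P<rip>[0-9.]+)\]\) - (?P<msg>.*)$"
)
PROBE_MSG = "no such user 'anonymous'"

# Constructed sample modelled on the post; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Aug 29 13:37:34 www proftpd[12665]: xx.xx.xxx.xxx (pD950D1A0.dip.t-dialin.net[217.80.209.160]) - FTP session opened.
Aug 29 13:37:35 www proftpd[12665]: xx.xx.xxx.xxx (pD950D1A0.dip.t-dialin.net[217.80.209.160]) - no such user 'anonymous'
Aug 29 13:37:35 www proftpd[12666]: xx.xx.xxx.xx1 (pD950D1A0.dip.t-dialin.net[217.80.209.160]) - no such user 'anonymous'
Aug 29 13:37:36 www proftpd[12667]: xx.xx.xxx.xx2 (pD950D1A0.dip.t-dialin.net[217.80.209.160]) - no such user 'anonymous'
Aug 29 13:40:01 www proftpd[12700]: xx.xx.xxx.xxx (host.example.net[192.0.2.10]) - no such user 'anonymous'
Aug 29 13:40:05 www proftpd[12700]: xx.xx.xxx.xxx (host.example.net[192.0.2.10]) - FTP session closed.
"""


def parse(line):
    """Return the named fields of one proftpd line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Per remote IP: anonymous-login failures and the set of local addresses hit."""
    stats = defaultdict(lambda: {"failures": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["msg"] == PROBE_MSG:
            stats[rec["rip"]]["failures"] += 1
            stats[rec["rip"]]["targets"].add(rec["local"])
    return stats


def hosts_deny_candidates(log_text, threshold=3):
    """tcp_wrappers 'daemon : client' lines for IPs at or over the threshold.

    'ALL' as the daemon field and the threshold are assumed values; a sweep over
    several local addresses (the post's pattern) shows up in summarize()."""
    stats = summarize(log_text)
    return [f"ALL: {ip}" for ip, s in sorted(stats.items()) if s["failures"] >= threshold]


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {s['failures']} probes across {len(s['targets'])} local address(es)")
    print("\n".join(hosts_deny_candidates(SAMPLE_LOG)))
```

Run against the real log in place of SAMPLE_LOG and review the summary before appending anything to hosts.deny, since dial-up addresses like the one in the post are reassigned to other customers.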