
Thread: telnet and ftp attempts = hack attempts?

  1. #11
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    I can't block alter.net because it's just on the route, not the actual destination. I may do the auto-block. Does auto-block keep a list of blocked sites somewhere that I can access/modify? Is auto-block temporary or permanent?

    Thanks,
    -Will Tyler
    -wct097@yahoo.com

  2. #12
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    as i said...i just got my box ...but reading from the manual pg 85 (you do have a manual right...hinthint...rtfm... )

    "Auto Blocked sites - which are sites the Firebox adds or deletes dynamically based on default packet handling rules and service-by-service rules for denied packets. Sites are temporarily blocked until the autoblocking mechanism times out"

    (timeout can be set up to 22 days i think)

    "Firebox autoblock and logging mechanisms can help you decide what sites to block. For example, when you find a site that spoofs your network, you can add the offending site's IP to the list of permanently blocked sites."
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  3. #13
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    Actually, I don't have the manual handy. Our consultants swiped it and haven't mailed it back to me yet. I went ahead and auto-blocked sites that try to connect in suspicious ways. I have my Firebox logging incoming (allowed) http as well. Funny to watch someone hit the website, try to FTP, then can't hit our website a minute later. I bet it confuses the hell outta them.

    I've been keeping track of suspicious hits on the firewall. I noticed one log message that occurred three nights in a row. IP 198.36.205.2, port 137. Three entries each night between 1:30 and 2:00. I might just block this IP completely.
    -Will Tyler
    -wct097@yahoo.com
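
Added example, not part of the post above and not Firebox code: one way to pick out the pattern it describes, a source denied on the same port inside the same night-time window on consecutive nights. The log format, the sample lines (documentation-range addresses) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up format (not real Firebox log output):
# "<date> <time> deny <src_ip> -> <dst_port>/<proto>"
SAMPLE_LOG = """\
2002-02-04 01:31:12 deny 192.0.2.10 -> 137/udp
2002-02-04 01:47:40 deny 192.0.2.10 -> 137/udp
2002-02-04 01:52:03 deny 198.51.100.5 -> 137/udp
2002-02-04 14:02:55 deny 203.0.113.7 -> 21/tcp
2002-02-05 01:33:09 deny 192.0.2.10 -> 137/udp
2002-02-05 14:03:10 deny 203.0.113.7 -> 23/tcp
2002-02-06 01:30:58 deny 192.0.2.10 -> 137/udp
2002-02-06 01:58:21 deny 198.51.100.5 -> 137/udp
"""
LINE = re.compile(r"^(\S+ \S+) deny (\S+) -> (\d+)/\w+$")

def longest_run(days):
    """Longest stretch of consecutive calendar days in a sorted list."""
    best, cur = [], []
    for d in days:
        cur = cur + [d] if cur and d - cur[-1] == timedelta(days=1) else [d]
        if len(cur) > len(best):
            best = cur
    return best

def recurring_sources(log_text, min_nights=3, start="01:00", end="03:00"):
    """Map (src_ip, dst_port) to the consecutive dates it was denied in the window."""
    lo = datetime.strptime(start, "%H:%M").time()
    hi = datetime.strptime(end, "%H:%M").time()
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if lo <= ts.time() <= hi:
            seen[(m.group(2), int(m.group(3)))].add(ts.date())
    runs = {key: longest_run(sorted(days)) for key, days in seen.items()}
    return {key: run for key, run in runs.items() if len(run) >= min_nights}

if __name__ == "__main__":
    for (src, port), nights in recurring_sources(SAMPLE_LOG).items():
        print(src, port, [d.isoformat() for d in nights])
```

Only the source seen on three consecutive nights is reported; the one that skips a night and the daytime FTP/telnet hits are not.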

  4. #14
    Member
    Join Date
    Oct 2001
    Posts
    31
    Alter.Net is a backbone provider across the Atlantic and the majority of ISPs on the East Coast USA use them.

  5. #15
    Junior Member
    Join Date
    Feb 2002
    Posts
    5
    198.36.205.2 >> Risdall Advertizing (NETBLK-USW-RISDELLADVERTISE) , Class C network (198.36.205.0 - 198.36.205.255),

    _ 198.36.205.1 : HTTP server installed (Microsoft IIS 5.0)
    _ 198.36.205.1 : FTP server installed (Squid/2.4.STABLE2)
    _ 198.36.205.1 : anonymous FTP connection refused

    (198.36.205.1 - www.risdall.com)
    It seems that their small network has only Windows workstations.
    They are possibly having some bugs in their old accounting software (or other automatic report-making soft) which (probably) uses NetBIOS to exchange data within the LAN. So log all incoming packets, don't filter them, that could be interesting (let that host establish NetBIOS connection and transfer (faked) data if any - i.e. let them transfer something if they want).

    AIDeveloper.
