-
January 20th, 2004, 05:41 PM
#11
Originally posted here by extremez
That would hamper relations.
I thought you said your firewall was blocking all attempts? Are they making it through to your DMZ??
They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good
We'll sniff the external interface on the firewall, that should show us something.
Cheers:
-
January 20th, 2004, 05:48 PM
#12
If they are using spoofed IP addresses then they can't be expecting to get a connection, since the return address will not be correct.
However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of these addresses will be real.
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
January 20th, 2004, 05:59 PM
#13
Junior Member
Not sure if checkpoint has the ability to set it to not allow spoofed IPs. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, you're not connecting..
Do you have a syslog or anything running?
If at first you don't succeed, f**k it try something else.
-
January 20th, 2004, 06:08 PM
#14
Originally posted here by steve.milner
If they are using spoofed IP addresses then they can't be expecting to get a connection, since the return address will not be correct.
However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of these addresses will be real.
Steve
Nothing that seems to have any pattern or structure Steve.
Originally posted here by symtech
Not sure if checkpoint has the ability to set it to not allow spoofed IPs. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, you're not connecting..
Do you have a syslog or anything running?
Yes checkpoint can disallow spoofing, that's why this cowboy is being dropped.
Cheers:
-
January 20th, 2004, 06:20 PM
#15
Member
They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good
Exactly, No prob
find /home/$newbie -name *? | www.google.com 2>/dev/null
-
January 20th, 2004, 06:54 PM
#16
DjM: Are you allowing outside clients to connect to your proxy on port 80? Do you even have a proxy server running on port 80? That can be used to probe the internal LAN like a port scan, like doing http://<ip>:25. I'm not wanting to get right into it the now, I have had a few beers, but that could be causing the localhost queries to ports on the LAN.
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
http://muaythaiscotland.com/
-
January 20th, 2004, 07:01 PM
#17
Originally posted here by prodikal
DjM: Are you allowing outside clients to connect to your proxy on port 80? Do you even have a proxy server running on port 80? That can be used to probe the internal LAN like a port scan, like doing http://<ip>:25. I'm not wanting to get right into it the now, I have had a few beers, but that could be causing the localhost queries to ports on the LAN.
Short answer, no. We don't have a proxy.
Thanks for your help, go have a few more beers and let me know if you come up with anything else. (some of my best work is done with a belly full of beer)
Cheers:
-
January 20th, 2004, 07:34 PM
#18
Sounds more like an attempted smurf attack rather than an intruder. You should deny incoming 127.0.0.1 at your router.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
January 20th, 2004, 07:39 PM
#19
Originally posted here by Tedob1
Sounds more like an attempted smurf attack rather than an intruder. You should deny incoming 127.0.0.1 at your router.
Yea, this is what I would like to do too Tedob1, however the router is owned and controlled by our current ISP, who, like I said, is a little pissed at us, I doubt they would put any priority on putting in that router rule for us.
Cheers:
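Added example, not part of any post in this thread: when the upstream router cannot be changed, the firewall's own log can still be checked for sources such as 127.0.0.1 that should never arrive on the external interface, and for whether any were accepted rather than dropped. The log format, the interface name `ext0` and the sample lines are constructed for illustration and are not Check Point output.

```python
import ipaddress
import re
from collections import Counter

# Source ranges that should never be seen inbound on an Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed log format (an assumption): "<date> <time> <action> in=<if> src= dst= dport="
LINE_RE = re.compile(r"\S+ \S+ (?P<action>\w+) in=(?P<iface>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

SAMPLE_LOG = """\
2004-01-20 17:30:01 drop in=ext0 src=127.0.0.1 dst=203.0.113.10 dport=80
2004-01-20 17:30:02 accept in=ext0 src=198.51.100.7 dst=203.0.113.10 dport=80
2004-01-20 17:30:04 drop in=ext0 src=127.0.0.1 dst=203.0.113.11 dport=25
2004-01-20 17:30:05 accept in=dmz0 src=10.1.1.5 dst=203.0.113.10 dport=53
2004-01-20 17:30:09 drop in=ext0 src=192.168.1.20 dst=203.0.113.10 dport=80
this line is malformed and is skipped
"""

def bogon_net(addr):
    """Return the bogon network containing addr, or None (also for unparsable input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in BOGON_NETS if ip in net), None)

def find_spoofed(log_text, external_iface="ext0"):
    """List (src, dst, dport, action, net) for bogon sources seen on the external interface."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["iface"] != external_iface:
            continue  # malformed line, or traffic from an internal/DMZ interface
        net = bogon_net(m["src"])
        if net is not None:
            hits.append((m["src"], m["dst"], int(m["dport"]), m["action"], str(net)))
    return hits

def targets(hits):
    """Count spoofed packets per (destination, port) to see which DMZ hosts are aimed at."""
    return Counter((dst, dport) for _, dst, dport, _, _ in hits)

def passed_filter(hits):
    """Spoofed packets the firewall did NOT drop; any entry here means anti-spoofing is off."""
    return [h for h in hits if h[3] != "drop"]

if __name__ == "__main__":
    found = find_spoofed(SAMPLE_LOG)
    for h in found:
        print(h)
    print(targets(found).most_common(), "accepted:", passed_filter(found))
```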
-
January 20th, 2004, 08:15 PM
#20
The router that connects us to the internet is owned by UUnet, but when they set it up they gave me the user name and password so I can make changes. Call them, ask them, what have you got to lose. If worse comes to worse, get another router.