-
January 16th, 2004, 04:00 AM
#1
Firewall Portscans
Whoa, I just checked the logs from my firewall and I have 6 or 7 port scans in the last two days. Weird thing is, unlike everything else, my Kerio firewall permitted them! I have it set to deny all intrusions and port scans. Anyone know what could be up?
"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, "I'm a grown man. I should know what goes on my head." And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life." -Roy Waller
-
January 16th, 2004, 04:31 AM
#2
I have been getting quite a lot (20+/day) of scans on TCP 445, but Agnitum seems to be blocking them.
Which ports were yours on?
Cheers
-
January 16th, 2004, 05:26 AM
#3
Member
There seem to be some issues with the IDS module; it seems to lack permit and deny configuration options. Also, some logging issues. Check out dslreports. They have a Kerio firewall forum and some folks speak of the same issue you are seeing.
- Boyam
-
January 16th, 2004, 09:50 PM
#4
Which ports were yours on?
It doesn't say. It just says "Portscan from ***.***.*** at 1/14/04" or "Portscan from ***.com"
slick
-
January 16th, 2004, 10:00 PM
#5
Originally posted here by nihil
I have been getting quite a lot (20+/day) of scans on TCP 445, but Agnitum seems to be blocking them.
Which ports were yours on?
Cheers
You need a NAT router nihil.
-
January 16th, 2004, 10:26 PM
#6
Member
If your firewall normally records ports/services scanned, they may just be ping sweeps.
find /home/$newbie -name *? | www.google.com 2>/dev/null
-
January 16th, 2004, 10:41 PM
#7
Member
Please, no flames (I would like serious answers) but what is the big deal? So what if someone scans your network? I'm not trying to be a smarta$$. Is it because it takes up bandwidth, or extra time to go through logs? Is a portscan harmful to a network or just annoying? If someone is just scanning as opposed to trying to actually penetrate a network, what's the big deal?
-
January 16th, 2004, 10:53 PM
#8
No, it's no big deal, it's just that I'm wondering why my firewall would deny everything else, and allow them.
slick
-
January 16th, 2004, 10:58 PM
#9
My firewall distinguishes between portscans and "pings"
ttau:
Port scanning is the height of bad manners, apart from indicating a potential attempt to infiltrate the system, which is a threat and does take time to check.
I have had to turn off the interactive alarm because a hit every second is somewhat distracting.
When your firewall indicates scans on unusual ports, this is either someone trying to consciously access your system (you have to assume the worst) or a new worm is trying to spread through the net.
A very basic explanation but that is the gist of it.
Cheers
-
January 17th, 2004, 04:18 AM
#10
I've never used Kerio, so I don't know if this is relevant. Have you ever had a trusted zone set up in the firewall, like a friend's IP using a VPN or a DMZ passthrough? Like I said, I don't know, but aside from a software bug, it's the only thing that comes to mind.