Topic: Logging connection attempts to open ports

[Rick Jones]

I turned on masq logging recently, and the result was pretty scary. Clearly it was doing its job, but the frequency of hits (around 8 per min continually over more than 24 hrs) quite surprised me.

I'd be interested to know how many questionable connections are being made to the _open_ ports (I just have Web, SMTP, POP & IMAP). Any suggestions on a good way to monitor this? I know when authorised activity happens, but I'd like to know what goes on between times.

BTW the closed-port hits I recorded were almost all on the FTP, Kazaa, and Bittorrent ports, plus a few on NetBIOS, RPC, & SQL Server. They came from a wide range of machines, although many appeared to originate in Germany. My machine has a dyndns.org address though it's not publicised. Would this kind of activity just be from hitting random IP addresses, or does the dyndns.org presence make it more likely to be probed?

Maybe it's irrational, but I can't help feeling that if port scanning is this intense, eventually someone's going to find a way to break or compromise the machine!

Rick Jones

[RayG]

My box got hammered by various probes before I set up with dyndns so I doubt their service has much to do with the activity.

The majority of "hits" on my machine appear to be the result of random probes from infected Windows boxes. Only a tiny fraction of the illicit activity appears to be a concerted effort to breach my security. And most of that comes from my isp's "security scanner".

Keep your box up to date and you shouldn't have any problems with security.

[Reinhold]

Rick,

Far from trying to give you a (false) sense of safety
But remember: What you see is the POSITIVELY working firewall !

>>8 per min
>>
Plainly ignore accesses to DPT=135 ... at least until the last XP user has installed his patch.

>>closed-port hits I recorded were almost all on the FTP, Kazaa, and Bittorrent ports...
>>
Which probably says more about your other ISP customers then anything else .-)
Those accesses mostly try to contact the _previous_ user of your current IP
(or someone inside your net who did switch off his client

Now what's really left ?

Note1: Quiet a few "portscans" aren't really. If you have a user inside that frequents
IRC he/she will lead to a open-proxy scan of your server!

Note2: In my case I have a single user who's emails daily results in something that seems to be a portscan from somewhere else right afterwards ... but in reality they forward and another ip just identd's his mailer, then check that source for open proxies.

I agree with Ray that "dyndns" is most likely not to blame. After all the current ip you have (and which "they attack") is one out of the block of your isp and scanning "dyndns-records" doesn't seem to be among the hobbies of script kiddies...

The latter may (besides the popularity of some filesharing tools in certain countries winmx=japan, emule,bittorrent=germany kazaa=us,uk???) also be the reason why you find port accesses from certain countries. Script kiddies seldom will mess inside their home isp's block but rather try 212.73.244.51 in Crowthorne, Berkshire or the like ...

Take care (and if you worry, worry about what you don't see M8 .-)

[Rick Jones]

Thanks for your thoughts. Confirms my expectation that dyndns is not really a factor. The "previous allocated IP" makes sense - I hadn't considered that. It's now been running over 3 weeks without any IP change so maybe I'll turn logging on again and see how it looks.

>> Take care (and if you worry, worry about what you don't see M8 .-) <<

Actually that was the real point of my post... the fact that I can't see possible unexpected activity on the open ports. I'd still like a way to monitor what's going on there.

Cheers
Rick