[olug] stopping those annoying @home scans

puzzled puzzled at home.com
Wed Jul 12 01:18:54 UTC 2000


OK, I left tcpdump running for a day or so and I found a bunch of this stuff


19:41:07.613734 < authorized-scan.security.home.net.54008 > cx54647-b.omhaw1.ne.home.com.nntp: S 412741665:412741665(0) win 8760 <mss 1460>
19:41:08.199975 < authorized-scan.security.home.net.54008 > cx54647-b.omhaw1.ne.home.com.nntp: R 412741666:412741666(0) win 8760


The host involved is 24.0.94.130. I suggest adding the following line to your ipchains
configuration to discourage this sort of privacy invasion.

ipchains -A input -s 24.0.94.0/24 -j DENY


I run a modified pmfirewall install so I added the following line to
/usr/local/pmfirewall/pmfirewall.rules.local

$IPCHAINS -A input -s 24.0.94.0/24 -d $OUTERNET -j DENY -l


A quick look at arin.net shows that NETBLK-ATHOME covers 24.0.0.0 through 24.24.255.255. A more
aggressive blocking approach would be to block everything except Cox's mail, Cox's news, and your
own gateway.

ipchains -A input -s mail.omhaw1.ne.home.com -j ACCEPT
ipchains -A input -s news.omhaw1.ne.home.com -j ACCEPT
ipchains -A input -s <your gateway> -j ACCEPT
ipchains -A input -s 24.0.0.0/12 -j DENY
ipchains -A input -s 24.16.0.0/13 -j DENY

If you want to find out who is scanning you and you've got a single NIC redhat box try this as
root

mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS
rpm -i tcpdump*
tcpdump -l port 119 > ~/nntpprobe.txt &


and let that run for a day or so then examine /root/nntpprobe.txt and see who is nosing around.
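Examining a day of nntpprobe.txt by eye gets tedious, and the two DENY netblocks above are only useful if the probing sources actually fall inside them. The following script is an added example, not part of the original post: it parses lines in the same old-Linux tcpdump format shown above (direction marker, source.port, destination.port, TCP flags), counts inbound SYN attempts per source, and checks each numeric source against the 24.0.0.0/12 and 24.16.0.0/13 rules. The capture text is constructed for the example: the first two lines reuse the hostnames from the post, the numeric addresses are invented.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture, one packet per line, in the format the post's
# tcpdump printed (the hostnames on the first two lines come from the post,
# every numeric address here is invented for the example).
SAMPLE_CAPTURE = """\
19:41:07.613734 < authorized-scan.security.home.net.54008 > cx54647-b.omhaw1.ne.home.com.nntp: S 412741665:412741665(0) win 8760 <mss 1460>
19:41:08.199975 < authorized-scan.security.home.net.54008 > cx54647-b.omhaw1.ne.home.com.nntp: R 412741666:412741666(0) win 8760
19:55:31.002118 < 24.0.94.130.54120 > 24.1.2.3.nntp: S 900000001:900000001(0) win 8760 <mss 1460>
20:02:10.441900 < 24.20.7.9.1234 > 24.1.2.3.nntp: S 12345:12345(0) win 8192 <mss 1460>
20:02:10.441901 > 24.1.2.3.nntp > 24.20.7.9.1234: R 0:0(0) ack 12346 win 0
21:14:00.000000 < 192.0.2.55.40001 > 24.1.2.3.nntp: S 777:777(0) win 5840 <mss 1460>
"""

# The two netblocks denied by the post's "aggressive" ipchains rules.
DENY_NETS = [ipaddress.ip_network("24.0.0.0/12"), ipaddress.ip_network("24.16.0.0/13")]

# time, direction (< inbound, > outbound), src.port > dst.port: flags ...
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SRPFA.]+)"
)


def split_endpoint(endpoint):
    """'host.or.ip.port' -> ('host.or.ip', 'port'); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_capture(text):
    """Yield (src_host, src_port, dst_port, flags, inbound) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or unrelated output are skipped
        src_host, src_port = split_endpoint(m["src"])
        _, dst_port = split_endpoint(m["dst"])
        yield src_host, src_port, dst_port, m["flags"], m["dir"] == "<"


def inbound_syn_sources(text):
    """Count inbound connection attempts (bare SYN) per source host."""
    counts = Counter()
    for src, _, _, flags, inbound in parse_capture(text):
        if inbound and flags == "S":
            counts[src] += 1
    return counts


def would_be_denied(host):
    """True/False if host is a literal IP inside/outside DENY_NETS; None for a hostname."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # tcpdump printed a name; run it with -n or resolve before checking
    return any(addr in net for net in DENY_NETS)


def report(text):
    """Map each probing source to (syn_count, denied) for the given capture text."""
    return {src: (n, would_be_denied(src)) for src, n in inbound_syn_sources(text).items()}


if __name__ == "__main__":
    labels = {True: "blocked by DENY rules", False: "NOT covered", None: "hostname, resolve first"}
    for src, (n, denied) in sorted(report(SAMPLE_CAPTURE).items()):
        print(f"{src:40} {n:3d} SYN(s)  {labels[denied]}")
```

Feed it the real file with `report(open('/root/nntpprobe.txt').read())`. Two things the check makes visible: sources tcpdump printed as hostnames are not matched (capture with `tcpdump -n` if you want literal addresses), and the two rules together span 24.0.0.0 through 24.23.255.255, so anything in 24.24.0.0/16 would have to be added separately.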



---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net