Security Basics mailing list archives
RE: what should I do when....
From: "Sergio Castro" <sergio.castro () unicin net>
Date: Mon, 7 Jul 2008 20:26:02 -0500
What Internet cops should I call to defend me from Chinese hackers, Philippe? Because just last night my 1025 and 1026 ports were getting scanned from a Chinese IP address. "Bullet-proofing" your systems is as easy as using a firewall. If you know what you are doing, you have nothing to fear from port scans and brute force attacks. The only true danger would be a DDoS, but unless you are a high profile website, such an attack is unlikely to happen. If you DO have a high profile website, there are precautions you can take against DDoS too. Jorge, you may want to check out the Internet Storm Center, where you can see just how common port scans are: http://isc.sans.org/top10.html

Regards,
- Sergio

-----Original Message-----
From: Rivest, Philippe [mailto:PRivest () transforce ca]
Sent: Monday, 07 July 2008 01:16 p.m.
To: Sergio Castro; Jorge L. Vazquez; security-basics; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: RE: what should I do when....

Not everyone is BULLET PROOF :) Say your house has metal doors and your windows have steel frames behind them. If you see a strange-looking man in a car in front of your house at 2am with a flashlight, knowing he's been there for 3 hrs, do you think you should call the cops, or will you estimate that they are too lazy and just take a chance that you have locked all your doors and windows? I do think I would call and take a bat in my hands. Do the same with your systems! They are your babies after all :)

Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: Sergio Castro [mailto:sergio.castro () unicin net]
Sent: 7 July 2008 14:04
To: Rivest, Philippe; 'Jorge L. Vazquez'; 'security-basics'; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; 'security focus listbounce'
Subject: RE: what should I do when....

If your ports are properly stealthed, and you have scanned your systems and have no vulnerabilities, you have little to fear from scans. Now, if your ISP pays attention to you and fights for you and does something about all those scans coming from China, good for you. You have a really good ISP.

Regards,
Sergio

-----Original Message-----
From: Rivest, Philippe [mailto:PRivest () transforce ca]
Sent: Monday, 07 July 2008 12:53 p.m.
To: Sergio Castro; Jorge L. Vazquez; security-basics; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: RE: what should I do when....

This is not a good practice. If you just tolerate brute forcing and scanning, you are on the wrong track. Imagine if the network usage were to double or triple because of this behavior. When will you start to report this to your ISP? When will you start to pressure them that they have clients that need & WANT a secure service (ISP)? As I stated, you should follow your internal procedure, harden your device after your investigation (& before also..) and contact your ISP. When you have a contract with your ISP you should have a contact for *emergency*. Contact him or the normal enterprise service level and have them take a look at the situation. Not doing anything is just accepting that you can be probed, and that's not very wise. **Also note that if the guy who's probing you knows nobody ever contacts the ISP for investigation.. do you really think he's gonna do nice and limited (rate) scans? He's gonna pop everything he has against you to do a full & extensive & complete scan.

Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Sergio Castro
Sent: 4 July 2008 19:51
To: 'Jorge L. Vazquez'; 'security-basics'; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; 'security focus listbounce'
Subject: RE: what should I do when....

Hi Jorge,

My recommendation, other than making sure your public IP systems are properly hardened, is to do nothing. Continuous scans and brute force login attempts are the norm on the Internet. For every ISP that pays attention to your complaints, 10 will ignore you.

- Sergio

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jorge L. Vazquez
Sent: Thursday, 03 July 2008 09:05 p.m.
To: security-basics; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: what should I do when....

For the last 2 days I've been getting lots of connection attempts in my firewall logs (IPCop firewall) from a specific IP based in Canada; the log is showing "NEW not SYN?". It seems that someone is trying to initiate connections, or maybe a scan. Although the good thing is that the firewall is detecting them and therefore stopping them, I'm getting worried about hacker activity. I've already done an IP lookup and a DNS whois query; both of those point to an IP and host in Canada. It seems to be a company, as I got their public website and also private network..... Could anyone advise me what the proper course of action is in this case?....

thanks
Jorge L. Vazquez
www.pctechtips.org
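Added example, not from the thread or from IPCop itself: a small triage script for the kind of "NEW not SYN?" entries Jorge describes. It assumes IPCop's iptables-style syslog lines (the sample lines below are constructed, with documentation-range IPs) and groups hits per source IP, labelling a sweep across many ports versus repeated hits on one port. That per-source summary (first/last time, ports, hit count) is what you would want in hand before deciding whether to escalate to the ISP as Philippe suggests or file it as background noise as Sergio suggests.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format IPCop writes to syslog
# (documentation-range IPs): one source sweeping ports with "NEW not SYN?"
# hits, one source hammering a single port. Not taken from the thread.
SAMPLE_LOG = """\
Jul  3 21:05:12 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=41230 DPT=1025 WINDOW=0 RES=0x00 ACK URGP=0
Jul  3 21:05:14 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=41231 DPT=1026 WINDOW=0 RES=0x00 ACK URGP=0
Jul  3 21:05:15 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=41232 DPT=135 WINDOW=0 RES=0x00 ACK URGP=0
Jul  3 21:05:20 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=41233 DPT=445 WINDOW=0 RES=0x00 ACK URGP=0
Jul  3 21:06:01 ipcop kernel: INPUT IN=eth1 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 21:06:03 ipcop kernel: INPUT IN=eth1 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Timestamp, the rule's log prefix (e.g. "NEW not SYN?"), endpoints, protocol
# and destination port (optional: ICMP lines have no DPT).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)\s*IN=.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

def parse(text):
    """Yield one dict per line that matches the LOG format; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, sweep_ports=3):
    """Group hits by source IP and label the pattern: a sweep across many
    ports (scan) versus repeated attempts on one port (brute force)."""
    acc = defaultdict(lambda: {"hits": 0, "ports": set(), "prefixes": set(), "first": None, "last": None})
    for rec in parse(text):
        s = acc[rec["src"]]
        s["hits"] += 1
        if rec["dpt"] is not None:
            s["ports"].add(int(rec["dpt"]))
        s["prefixes"].add(rec["prefix"].strip())
        s["first"] = s["first"] or rec["ts"]   # lines are in syslog order
        s["last"] = rec["ts"]
    report = {}
    for src, s in acc.items():
        kind = ("port sweep" if len(s["ports"]) >= sweep_ports
                else "repeated attempts on one port" if s["hits"] > 1 else "single hit")
        report[src] = {"kind": kind, "hits": s["hits"], "ports": sorted(s["ports"]),
                       "first": s["first"], "last": s["last"], "prefixes": sorted(s["prefixes"])}
    return report
```

Run it against /var/log/messages (or wherever IPCop keeps its kernel log) instead of SAMPLE_LOG; the per-source dictionary is the evidence to attach to an abuse report.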
Current thread:
- what should I do when.... Jorge L. Vazquez (Jul 04)
- RE: what should I do when.... Rivest, Philippe (Jul 04)
- RE: what should I do when.... Sergio Castro (Jul 07)
- RE: what should I do when.... Rivest, Philippe (Jul 07)
- RE: what should I do when.... Sergio Castro (Jul 07)
- Message not available
- RE: what should I do when.... Sergio Castro (Jul 08)
- RE: what should I do when.... Weir, Jason (Jul 09)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 09)
- Re: what should I do when.... Adriel Desautels (Jul 10)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 10)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 11)
- RE: what should I do when.... Rivest, Philippe (Jul 11)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- RE: what should I do when.... William Mohney (Jul 11)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- RE: what should I do when.... Rivest, Philippe (Jul 07)