Security Incidents mailing list archives
Re: anyone else seen an increase in sunrpc scans these days?
From: Ignacio Machin <imachin () CI CL>
Date: Mon, 22 Jan 2001 09:45:16 -0600
With ipchains on a Linux server you can do something like this:

    ipchains -I input -p tcp -d your.ip.address/32 111 -j DENY -l

The -l param. logs the discarded packets to /var/log/messages; there u can find them. If u don't like to purge your logs u can use some packages like logcheck to receive a periodical email with the reports.

Also I suggest u block ALL your unused ports. My configuration has the entries for the used ones, and at the end a line like the above but without the port number, denying all the connections and logging them.

----- Original Message -----
From: <razor () LDC RO>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 4:51 PM
Subject: Re: anyone else seen an increase in sunrpc scans these days?

On Tue, Jan 16, 2001 at 10:58:15AM +0100, Digital Overdrive wrote:
> Just one question: How do you detect these scans? I can't find anything
> in my logs, but I don't have programs like portsentry running. What can
> you (all) advise me?

ipfilter here, on a freebsd box. /etc/ipf.conf has something like
--------------
pass out quick on ed0 proto tcp from internal_net/24 to any flags S/SAFR keep state
pass out quick on ed0 proto udp from internal_net/24 to any keep state
block in log quick on ed0 all     <- this is the line that gives me all messages.
---------------
I use plog (part of the ipfilter package) to generate reports on scans.

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor () ldc ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
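The kind of report the messages above get from logcheck or plog can be sketched directly over the ipchains -l output. This is an added example, not code from either poster; the sample lines are constructed, and the "Packet log:" field layout they follow is assumed from the 2.2 kernel format described in the IPCHAINS-HOWTO.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed "Packet log:" layout, documentation addresses).
SAMPLE_LOG = """\
Jan 22 09:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2101 192.0.2.10:111 L=60 S=0x00 I=4101 F=0x4000 T=52 SYN (#1)
Jan 22 09:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2102 192.0.2.11:111 L=60 S=0x00 I=4102 F=0x4000 T=52 SYN (#1)
Jan 22 09:40:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2103 192.0.2.12:111 L=60 S=0x00 I=4103 F=0x4000 T=52 SYN (#1)
Jan 22 09:41:15 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1044 192.0.2.10:111 L=84 S=0x00 I=977 F=0x0000 T=49 (#9)
Jan 22 09:42:30 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.50:3310 192.0.2.10:23 L=60 S=0x00 I=12 F=0x4000 T=50 SYN (#9)
Jan 22 09:43:00 fw sshd[411]: Connection from 192.0.2.77 port 1022
"""

PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
)
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def summarize(log_text, port=111):
    """Per-source counts of dropped packets aimed at `port` (111 = sunrpc)."""
    hits = defaultdict(lambda: {"packets": 0, "targets": set(), "protos": set()})
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue  # not a firewall drop, or a different destination port
        entry = hits[m["src"]]
        entry["packets"] += 1
        entry["targets"].add(m["dst"])
        entry["protos"].add(PROTO_NAMES.get(m["proto"], m["proto"]))
    return dict(hits)


def sweepers(summary, min_targets=3):
    """Sources that probed at least `min_targets` distinct hosts: a sweep, not a stray packet."""
    return sorted(s for s, e in summary.items() if len(e["targets"]) >= min_targets)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, e in sorted(report.items()):
        print(f"{src:15} packets={e['packets']} hosts={len(e['targets'])} "
              f"proto={','.join(sorted(e['protos']))}")
    print("sweeping sources:", sweepers(report))
```

Point summarize() at the contents of /var/log/messages instead of SAMPLE_LOG to run it on real data.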