Security Incidents mailing list archives

Re: A slap on the wrist...?


From: "Greg S. Wirth" <greg () beldamar com>
Date: Thu, 31 Aug 2000 18:01:04 -0700

Hello...
I admin about 50 boxes from 3 different companies.
I believe that tracking down every, or any, scans is a waste of time.
I would say 75% of the time, the address that you track back is either
not valid or is DHCP'd and results in tracking the wrong person.
I think a lot of people get scared and slightly overreact to scans of
their systems.
If people secured their systems, they would not be vulnerable to what
people are scanning for.
I also get calls from many of my clients with comments like "I got a
log message saying I was scanned, what do I do??"
I usually tell them to just let it go, as it's a waste of time to do
anything about it, as my systems are pretty much secured.
Those systems that aren't secured, in my opinion, deserve what they may
get, because they haven't put enough money into finding a good admin
that can keep up with all the hacks and exploits.
The only time I may track someone down is when they make repeated
attempts to exploit something.
This is then, in my opinion, worth the time to track them
down. But even then, if you happen to get them dropped by their
current ISP, they would just use another hacked account, or dig up
another ISP.
This mail may seem rambling, but I haven't slept but 4 hours in 2
days, and been living off coffee, Pepsi, and those damn sandwiches
from 7-11...So forgive me please.
I hope you all understand what I am trying to say.
In the end, scanners can't hurt you, unless you aren't secure.
Putting time into trying to do something about it takes away from time
you should be putting into securing your systems.
Enjoy!


Thursday, August 31, 2000, 12:19:12 PM, you wrote:
I still maintain that if you see a scan with fairly obvious malicious
intent and you have the time (which probably most of us don't), report
it.  You may well be doing someone the favor of letting them know their
box has been compromised.  This isn't trigger-happy, this is seeing the
neighbor's kid trying to break into cars, however incompetently, and
giving the neighbor a friendly call knowing they probably don't want their
kid doing this.  Personally, I'd want to know.
SS> Generally what I do when I get a port scan is try my best to track it down
SS> to a source using ARING and nslookup.  More often than not the source is
SS> some dynamically assigned address on some huge network and is almost
SS> impossible to trace to an individual.  Occasionally though I have had some
SS> incidents go rather well.
SS> One time I saw somebody trying to connect to RPC on my box which is very
SS> much firewalled.  This time the trace yielded a static IP address for
SS> somebody's mail server.  They were running a very old Linux kernel (2.1.X)
SS> and apparently hadn't done much for security patches and of course they
SS> had been owned by somebody. I let them know what happened and they were
SS> very grateful to know what had happened and even asked me for advice on
SS> how to prevent it.
SS> So, if you have the time, it's nice to track even random skip kiddy
SS> scans.  It probably doesn't matter to you but it might matter to the
SS> person who owns the box on the other end of the scan.
SS> ---Steve



- --
Greg S. Wirth
System Administrator
CTO http://www.shoplasvegas.com
CTO http://www.beladamar.com

FreeBSD Help http://www.pclv.com/ruch/index.html
-// FreeBSD: The Power To Serve \\-

