Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?


From: Ignacio Machin <imachin () CI CL>
Date: Mon, 22 Jan 2001 09:45:16 -0600

With ipchains on a Linux server you can do something like this:

ipchains -I input -p tcp -d your.ip.address/32 111 -j DENY -l

The -l parameter logs the discarded packets to /var/log/messages, where you
can find them. If you don't like to purge your logs, you can use a package
like logcheck to receive a periodic email with the reports.
Also, I suggest you block ALL your unused ports. My configuration has the
entries for the used ones, and at the end a line like the one above but
without a port number, denying all the connections and logging them.


----- Original Message -----
From: <razor () LDC RO>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 4:51 PM
Subject: Re: anyone else seen an increase in sunrpc scans these days?


On Tue, Jan 16, 2001 at 10:58:15AM +0100, Digital Overdrive wrote:
[requoted]

Just one question: How do you detect these scans?
I can't find anything in my logs, but I don't have programs like
portsentry running. What can you (all) advise me?


ipfilter here, on a FreeBSD box.

/etc/ipf.conf has something like
--------------
pass out quick on ed0 proto tcp from internal_net/24 to any flags S/SAFR keep state
pass out quick on ed0 proto udp from internal_net/24 to any keep state

block in log quick on ed0 all    # <- this is the line that gives me all messages.
---------------

I use plog (part of the ipfilter package) to generate reports on scans.

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor () ldc ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
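
Added example, not part of the original thread: a small Python summary of the packets an ipchains `-l` rule writes to /var/log/messages, grouped by the source that probed port 111. It assumes the kernel's "Packet log:" line format; the sample lines are constructed (documentation addresses) and the function name `summarize_probes` is hypothetical. It goes slightly beyond the tcp-only rule above by also counting UDP hits that a catch-all logging rule would record.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipchains "Packet log:" syslog format.
SAMPLE_LOG = """\
Jan 22 09:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3312 192.0.2.10:111 L=60 S=0x00 I=4021 F=0x4000 T=49 SYN (#1)
Jan 22 09:41:05 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3312 192.0.2.10:111 L=60 S=0x00 I=4022 F=0x4000 T=49 SYN (#1)
Jan 22 09:44:51 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.44:1029 192.0.2.10:111 L=84 S=0x00 I=911 F=0x0000 T=52 (#2)
Jan 22 09:45:16 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.44:4501 192.0.2.10:23 L=60 S=0x00 I=912 F=0x4000 T=52 SYN (#9)
Jan 22 09:46:00 gw sshd[411]: Connection from 192.0.2.50 port 1022
"""

# timestamp, host, "kernel: Packet log:", chain, action, interface,
# protocol number, then source ip:port and destination ip:port.
PACKET_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\sPacket log:\s"
    r"(?P<chain>\S+)\s(?P<action>\S+)\s(?P<iface>\S+)\sPROTO=(?P<proto>\d+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
)
PROTO_NAMES = {"6": "tcp", "17": "udp"}

def summarize_probes(log_text, port=111):
    """Return {source_ip: {count, protos, first, last}} for denied packets to `port`."""
    hits = defaultdict(lambda: {"count": 0, "protos": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = PACKET_LOG.match(line)
        # Skip non-firewall lines, non-DENY verdicts and other destination ports.
        if not m or m["action"] != "DENY" or int(m["dport"]) != port:
            continue
        entry = hits[m["src"]]
        entry["count"] += 1
        entry["protos"].add(PROTO_NAMES.get(m["proto"], m["proto"]))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    report = summarize_probes(SAMPLE_LOG)
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        protos = ",".join(sorted(info["protos"]))
        print(f"{src:15} {info['count']:3} {protos:7} {info['first']} .. {info['last']}")
```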

