Tazzman
10-31-2003, 11:21 AM
I'm just asking because my servers have been hit with more scans in the last 12 hours than they have in the last 3 months.
I've just let it slide so far, but I think the next one that hits will have a nice email sent to their ISP.
Acecool
10-31-2003, 11:37 AM
It's Halloween, maybe some people are tricking before they go treating...
Jakiao
10-31-2003, 03:49 PM
It could be an internet worm scanning your system to get in. I've noticed a strange connection to my servers through netstat -nl.
tcp 0 0 207.70.170.113:80 65.139.124.246:* SYN_RECV
It's the only one whose foreign address is an IP instead of the normal 0.0.0.0:*.
Bashar
10-31-2003, 04:05 PM
Tazzman, is it from one IP or from diff IPs?
maybe you or one of your customers is the target and they're scanning all servers on your subnet
Tazzman
10-31-2003, 04:19 PM
Different IPs, about 5 of them. Seems to have stopped now. The system is set up to block them anyway if a scan is detected.
Bashar
10-31-2003, 04:36 PM
Auto scan blocker?
What kind of software is that? :)
John[H4Y]
10-31-2003, 05:08 PM
Originally posted by Bashar
Auto scan blocker?
What kind of software is that? :)
Bastille/psad does this; I assume other firewalls do too, and so do intrusion detection systems.
Jakiao
10-31-2003, 05:10 PM
I agree with John; Bastille/psad is a very good program to block those. However, I must warn you to be very careful when you configure it. Bastille can damage system config files if you get knocked off the net, or out of ssh, during final configuration. We've had systems become unbootable due to damaged config files for the reasons I stated.
May I cite Phrack #53 (http://www.phrack.org/show.php?p=53&a=13) :D
"... A typical action is to block the attacking host (re-configuring access
lists of the firewall, or similar). This leads to an obvious Denial of
Service (DoS) vulnerability if the attack we're detecting is spoofable
(like a port scan is). It is probably less obvious that this leads to DoS
vulnerabilities for non-spoofable attack types, too. That's because IP
addresses are sometimes shared between many people; this is the case for
ISP shell servers and dynamic dialup pools. ..."
Portsentry (http://rpmfind.net/linux/RPM/contrib/libc6/i386/portsentry-1.0-4.i386.html) is such a "detector". Be careful in use: e.g. write your nameservers and your gateway into the whitelist, so as not to get your server "cut off" from the net!
Another severe problem is the growth of the blocking list, so I wrote a separate tool to minimize this (attool (http://www.buchzik.de/forum/read.php?f=4&i=11&t=11), a scheduled-job command-line wrapper): every event in Portsentry fires two (hmmm, or three? ;)) commands; one to set the iptables rule, and a second to delete it after a month ...
Michael
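The three points Michael's post raises (an auto-blocker must honour a whitelist for the gateway and nameservers, a spoofed scan can otherwise knock a legitimate host off the server, and permanent blocks make the rule list grow without bound) are shown together below in an added example. This is illustrative code written for this thread, not psad, Portsentry or attool code. It parses syslog lines in the format the iptables LOG target writes (the sample lines are constructed, using RFC 5737 documentation addresses), flags a source that touches several distinct ports in a short window, refuses to block anything in an assumed whitelist, and expires blocks after a TTL. The iptables commands are returned as strings rather than executed, so it runs offline.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines in iptables LOG format (not captured traffic).
# 203.0.113.9 probes five ports within seconds: a port scan.
# 192.0.2.53 is the server's (assumed) nameserver; its "scan" is what a
# spoofed scan would look like in the log and must NOT get it blocked.
# 198.51.100.77 touches one port: ordinary traffic.
SAMPLE_LOG = """\
Oct 31 11:02:01 www kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=44123 DPT=21 SYN
Oct 31 11:02:01 www kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=44124 DPT=22 SYN
Oct 31 11:02:02 www kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=44125 DPT=23 SYN
Oct 31 11:02:02 www kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=44126 DPT=25 SYN
Oct 31 11:02:03 www kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=44127 DPT=110 SYN
Oct 31 11:02:05 www kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.5 PROTO=TCP SPT=5000 DPT=21 SYN
Oct 31 11:02:05 www kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.5 PROTO=TCP SPT=5001 DPT=22 SYN
Oct 31 11:02:05 www kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.5 PROTO=TCP SPT=5002 DPT=23 SYN
Oct 31 11:02:06 www kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.5 PROTO=TCP SPT=5003 DPT=25 SYN
Oct 31 11:02:06 www kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.5 PROTO=TCP SPT=5004 DPT=80 SYN
Oct 31 11:02:09 www kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=80 SYN
"""

# Assumed whitelist: the gateway, both nameservers and the server's own subnet.
WHITELIST = [ipaddress.ip_network(n) for n in
             ("198.51.100.1/32", "192.0.2.53/32", "192.0.2.54/32", "198.51.100.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2003  # syslog timestamps carry no year; assumed for this sample


def parse_line(line):
    """Return one event dict for an iptables LOG line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dpt"])}


def detect_scanners(events, threshold=5, window=timedelta(seconds=60)):
    """Sources that hit at least `threshold` distinct ports within `window`.
    Returns {src: sorted list of ports}. Whitelisted sources are still
    reported here so the operator sees them; only blocking skips them."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((ev["ts"], ev["dport"]))
    scanners = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                scanners[src] = sorted(ports)
                break
    return scanners


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


class BlockList:
    """Timed blocks. Commands are returned as strings, not executed."""

    def __init__(self, ttl=timedelta(days=30)):
        self.ttl = ttl
        self.blocked = {}  # ip -> expiry time

    def block(self, ip, now):
        # The whitelist is what keeps a spoofed scan "from" the nameserver
        # or gateway from cutting the server off the net.
        if is_whitelisted(ip) or ip in self.blocked:
            return None
        self.blocked[ip] = now + self.ttl
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, now):
        """Drop blocks whose TTL has passed; returns the matching delete commands."""
        cmds = []
        for ip, exp in list(self.blocked.items()):
            if now >= exp:
                del self.blocked[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds


def run(log_text):
    """Parse the log, find scanners, and return the block commands that would run."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    scanners = detect_scanners(events)
    now = max(ev["ts"] for ev in events)
    bl = BlockList()
    cmds = [c for c in (bl.block(ip, now) for ip in scanners) if c]
    return scanners, bl, cmds


if __name__ == "__main__":
    found, blocklist, commands = run(SAMPLE_LOG)
    print("scanners:", found)
    print("would run:", commands)
```

Both 203.0.113.9 and the nameserver address show up as scanners, but only the former produces an `iptables -I` command; a cron job calling `expire()` yields the matching `iptables -D` a month later, which is the same shape as the two-command pair attool fires per event.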
Tazzman
10-31-2003, 06:36 PM
I'm using PSAD, indeed. Thanks for the tip on adding the server IPs to the whitelist, will do so shortly.
Might have a look at your attool too.