Welcome to the JaguarPC Community
This is a discussion on Port Scanning Issues in the VPS & Dedicated forum
  1. #1
    I need a coffee (Join Date: Jan 2007; Location: Serres, Greece; Posts: 16)

    Port Scanning Issues

    From yesterday afternoon (GMT+2, Greece) till today (and it goes on...)
    I have dozens of email alerts about port scanning issues.

    Just in the first 4 hours I got more than 20 email alerts of port scanning, and all of them with different source IPs. Some from the USA,
    others from Russia, others from Taiwan, others from China and so on...

    Does anyone else have the same problems, or is it just my little box?


    Regards,
    Chris

  2. #2
    || $name ne 'R.Stiltskin' (Join Date: Jun 2003; Location: Tejas; Posts: 2,438)
    That's the reality of the internet. While it's always possible that your particular site/node is being targeted, say from a bot army, it's not likely. You're most likely just suffering from merely having a presence on the internet. It matters not whether you have a mail server, web server, router, PC, etc. You are being scanned for exploits 24/7. That will continue... higher some days, lower on others.

    How to combat it? Add rules to your firewall to block the scanning IPs or netblocks completely. Review your logs/emails diligently, especially for the worst offenders. System administration is part of webserving, unfortunately.

  3. #3
    I need a coffee (Join Date: Jan 2007; Location: Serres, Greece; Posts: 16)
    I have rules. The server blocks every attempt automatically.
    And this is normally about 5 to 10 email alerts for about 10-20-30 scans per day.

    I'm just wondering if someone else has the same problem yesterday or today, because I got 500+ scan emails in one day only. Not just 5 or 6 or 10 as usual...

  4. #4
    thisisit3 (Loyal Client; Join Date: Mar 2007; Posts: 642)
    I've disabled email alerts for port scanning and other similar attacks; they are just useless since iptables permanently blocks them all on arrival (portsentry, etc.).

    These scans and attacks usually happen in masses when a new or 0-day exploit is uncovered and released to the relevant people. So it's nothing to worry about unless you have a vulnerable server (running windoze, for example).

  5. #5
    || $name ne 'R.Stiltskin' (Join Date: Jun 2003; Location: Tejas; Posts: 2,438)
    Quote Originally Posted by chrismfz
    I'm just wondering if someone else has the same problem yesterday or today, because I got 500+ scan emails in one day only. Not just 5 or 6 or 10 as usual...
    In that case, no. At least not yet, anyway.

    I checked my logs for the past two days and had only one significant repeat offender, with about 90-100 attempts to access my email server. It was from hinet.net, which is the source of >75% of the email system scans I see on my node. China (and Taiwan) via APNIC netblocks has an overwhelming lead on cracking and system scans on the nodes I administer. I pretty much wall China off whenever one of its IPs appears. China's notorious for internet espionage and American intellectual property violations.
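    The log review that posts #2 and #5 describe (count attempts per source, single out repeat offenders, and fold noisy hosts into netblocks so one firewall rule covers them) as an added example that is not part of this thread. The log lines, the `scanwatch` tag and the alert format are constructed for the example; the addresses are RFC 5737 documentation ranges, not real scanners.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in a syslog-like style (hypothetical "scanwatch"
# tag; addresses are RFC 5737 documentation ranges, not real offenders).
SAMPLE_LOG = """\
Sep 15 03:12:01 vps scanwatch: scan from 203.0.113.7 to TCP port 25
Sep 15 03:12:03 vps scanwatch: scan from 203.0.113.7 to TCP port 110
Sep 15 03:12:05 vps scanwatch: scan from 203.0.113.7 to TCP port 143
Sep 15 03:12:06 vps scanwatch: scan from 203.0.113.7 to TCP port 993
Sep 15 03:40:11 vps scanwatch: scan from 203.0.113.9 to TCP port 25
Sep 15 04:02:44 vps scanwatch: scan from 198.51.100.23 to TCP port 22
Sep 15 04:02:50 vps scanwatch: scan from 198.51.100.23 to TCP port 22
Sep 15 04:03:01 vps scanwatch: scan from 198.51.100.23 to TCP port 22
Sep 15 05:17:39 vps scanwatch: scan from 192.0.2.55 to TCP port 3306
Sep 15 05:18:02 vps scanwatch: scan from 192.0.2.56 to TCP port 3306
"""

ALERT_RE = re.compile(r"scan from (\d{1,3}(?:\.\d{1,3}){3}) to TCP port (\d+)")


def parse_alerts(text):
    """Return (source_ip, port) pairs; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((m.group(1), int(m.group(2))))
    return alerts


def repeat_offenders(alerts, threshold=3):
    """Sources at or above the threshold: the ones worth a closer look."""
    counts = Counter(ip for ip, _ in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def count_by_netblock(alerts, prefix=24):
    """Fold single hosts into /prefix networks so one rule covers a whole block."""
    nets = Counter()
    for ip, _ in alerts:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return nets


def drop_rules(netblocks, threshold=3):
    """iptables commands (returned as strings, never executed here) for noisy blocks."""
    return [f"iptables -I INPUT -s {net} -j DROP"
            for net, n in sorted(netblocks.items()) if n >= threshold]
```

    Fewer, wider rules keep the chain short, which is the concern raised later in the thread about thousands of per-host entries slowing packet filtering.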

  6. #6
    thisisit3 (Loyal Client; Join Date: Mar 2007; Posts: 642)
    It's easy: just grab a copy of China's and Taiwan's IP netblocks and copy/paste them into /etc/spammeripblocks and you'll never get a single spam from them.

    That implies that you don't have any legitimate users from those countries, but since none of my clients do, I've never been happier!

    If you want, you can also apply those netblocks in iptables, but that may slow down packet filtering, since they can be rather large (mine are over 4000 IP netblocks and netmasks).

  7. #7
    Pawel Kowalski (Loyal Client; Join Date: Sep 2001; Location: Albuquerque NM; Posts: 1,405)
    Quote Originally Posted by thisisit3
    So it's nothing to worry about unless you have a vulnerable server (running windoze, for example).
    *cough* http://www.us-cert.gov/cas/bulletins/SB08-252.html *cough*

    About a dozen Linux exploits and not a single "windoze" one. In fact that's been the pattern at US-CERT for a few months now.

  8. #8
    Vin DSL (Yeah, I know a LOT!; Join Date: Mar 2003; Location: Arizona Uplands; Posts: 10,775)
    Heh!

    Somebody/something has been attempting SQL exploits against my site, 2-3 times a day for a few weeks now.

    As said above, it goes with the turf...

  9. #9
    thisisit3 (Loyal Client; Join Date: Mar 2007; Posts: 642)
    Quote Originally Posted by Pawel Kowalski
    About a dozen Linux exploits and not a single "windoze" one. In fact that's been the pattern at US-CERT for a few months now.
    *cough* windoze exploits are not released by M$, unlike open source software *cough*

    You just see them in the next "Windows Update", which could be delayed by up to a month or more, and in the meantime all hell breaks loose in the windoze world...

    In the open source world, exploits are public and fixed nearly at the same time they are found.

  10. #10
    Frank Broughton (all about nothing!; Join Date: Jan 2006; Posts: 2,158)
    thisisit hits a home run.....

  11. #11
    Pawel Kowalski (Loyal Client; Join Date: Sep 2001; Location: Albuquerque NM; Posts: 1,405)
    Quote Originally Posted by thisisit3
    *cough* windoze exploits are not released by M$, unlike open source software *cough*

    You just see them in the next "Windows Update", which could be delayed by up to a month or more, and in the meantime all hell breaks loose in the windoze world...

    In the open source world, exploits are public and fixed nearly at the same time they are found.
    I'm not going to pretend that I know how patches are dealt with in Linux; I don't use it enough to comment. I just think it's a little silly for you to claim that Windows is by default a vulnerable server. Windows is by no means perfect, but neither is Linux. There are millions of Windows servers online in this world; most are doing just fine. In fact most of our government networks are run behind Windows; if the OS was as vulnerable as you seem to think it is, I doubt that would be the case.

  12. #12
    thisisit3 (Loyal Client; Join Date: Mar 2007; Posts: 642)
    Governments (including the US, most European and many eastern ones) run windoze because of politics.

    Billy Gates didn't do worldwide tours for fun. I don't work for the US government, but I do know that many people who run it are not stupid. Enforcing windoze on foreign countries/governments is imperative for US foreign policy.

    But let's not go down that road...

    Still, windoze is a more vulnerable and less stable operating system than UNIX derivatives, for many reasons. Let's be fair, windoze is at a disadvantage because UNIX has been around 20 years longer and had the time to be hardened against multi-user attacks, unlike windoze, which has its roots in the DOS era.

    I've been around micro$oft for many years, and since the NT/2000 era the NT kernel and windoze core have copied code and entire libraries from UNIX in order to make it what it is today.

    Unfortunately, windoze is still behind in the race; even with Vista and the greater security (user verification, hardened memory protection, etc.) it still lacks important security features that *nix operating systems have had for years. Linux isn't sitting still: recent kernels/distros with SELinux have made Linux an operating system that's protected against unknown/undiscovered attacks.

    You may also look at the OpenBSD history: an operating system exploit (not userland) hasn't been discovered since... erm... well, it's been too many years, I don't even remember when...

    So yes, those of us who have been around since the 70s and coded for all sorts of operating systems will easily tell you that windoze is one of the most vulnerable operating systems. At least Vista has made some improvements; too bad IE7 is so buggy.

    At the moment a 0-day exploit sells for over $10,000 on the market... you can't find that in a Linux exploit.

    Oh well, here I'm rambling again... teaching those new kids on the block a bit of a history lesson...

    thisisit3 wobbles into the distance with his cane, while stroking his Santa-like beard... thinking of the ancient days of punch cards, 300bps modems and VT220 dumb terminals...

  13. #13
    Pawel Kowalski (Loyal Client; Join Date: Sep 2001; Location: Albuquerque NM; Posts: 1,405)
    But we are not talking about Vista, we are talking about server versions of Windows.

    My point in regards to the government wasn't about the politics of it; it was that some of the world's most secure national laboratories use Windows for their network. If Windows was in any way insecure, they would have found a different solution, or our nuclear secrets would be in some evil hands.

    And I am in no way knocking Linux security. I am simply making the point that when it comes to servers, Windows has grown to be just as secure. Sure, exploits show up, just like they do for Linux. That's life.

  14. #14
    thisisit3 (Loyal Client; Join Date: Mar 2007; Posts: 642)
    Server versions of windoze don't differ from mainstream versions: same code, different "applications" on top of it.

    Many sensitive places use windoze, but that's not because windoze is secure; it's because some executive doesn't know better and IT is forced by that executive to use windoze. Other times the decision is made by IT because that's what they have been taught to use at university. It's a bad decision that sometimes causes major issues, like when a navy battleship was left dead at sea because its windoze 2003 servers crashed.

  15. #15
    Pawel Kowalski (Loyal Client; Join Date: Sep 2001; Location: Albuquerque NM; Posts: 1,405)
    Server versions of regular Windows do vary greatly. One of the biggest flaws in Windows is when people browse the internet. You don't do internet browsing on a server OS.

    I'm not sure I know which case you are referring to about a single server crash stopping an entire navy ship. But if they didn't have a redundant system in place, that's hardly an issue that would have been resolved by switching to Linux. Having hosted my web site on Linux for over 9 years, I know for a fact that it can crash from time to time too.

    And I think you are still missing my point on Windows being used in highly secure environments such as Los Alamos National Labs. The point I am making has nothing to do with politics. The point is our nuclear secrets are safe, and these secrets are stored on Windows servers. And these networks are run by some very smart people, and contrary to your claim I do think that they know very well what they are doing. You need years, if not decades, of experience to get the clearance to work in that kind of environment; I wouldn't blow these people off as stupid because they chose Windows as opposed to Linux. And that's not to say that Linux has no role in those environments; it has a very large role (EPICS is run on Linux), but the entire backend of these networks, the part that needs to be the most secure, is run on Windows.

    Anyway, we'll probably never agree on this. But take it from someone that has used Windows for a long time (I will admit it's probably nowhere near as long as you've worked with Linux): Windows is a perfectly good server OS and is by no means vulnerable by default, as LANL, Sandia National Labs, the White House, and other secure facilities have proved.

    I would actually be interested to know what features you think make Linux a lot more secure, but I don't want to divert this discussion; I think I've already done that enough.
    Last edited by Pawel Kowalski; 09-16-2008 at 09:16 AM.
