Request for off line security help

Ben Beeson beesond001 at hawaii.rr.com
Tue Nov 13 00:38:00 PST 2001


Aloha all,

	I didn't mean to stir up quite such a hornets' nest!!!  Chris, I hope you 
or your company are not offended by my question.  I did not intend to 
imply that something untoward was about, I honestly didn't know what was 
up.  Because I needed some help and also wished to respect the good 
intentions of those involved through the "first, do no harm" principle, I 
asked for an off-line look.

	To expand on several of the issues on the list, I'll offer the following 
with good intentions and hope that it is well received.  
	
	Yes, I get scanned all the time.  Most of the scans I get usually fall 
into the "ignore" box and I send them off to /dev/null.  You know what I 
mean, some Windows user boots up and his box checks the "network" for 
available file and print services.  Stuff like that...

	Occasionally, I get a more serious scan or series of scans against my 
box.  If something about it strikes me as unusual, I usually drop a note 
to the owner of the IP address block and ask them to look into it.  
Sometimes I get an answer back, but usually I don't.  Most of the answers 
I get back are very informative.  Once in a while I even get an answer 
that just makes me think...  I always learn something from the answers I 
receive though.  In any case, the scanning usually stops after that 
either because I fixed it, or somebody else fixed it.     

	I don't think all portscans are bad, but sometimes it's hard to tell the 
good ones from the bad ones (especially if like me, your knowledge is 
limited.)  For example, I exchanged e-mail with one particular ISP 
that made a habit of reverse scanning addresses making certain 
connections to check for the presence of a particular Windows hack that 
was troublesome to their business.  They further went on to state that 
they would help customers rid their systems of the particular infection 
they were concerned with if it was found.  I thought that was kind of 
cool and thought, "gee -- more guys should be so civic minded." I then 
changed my firewall to ignore their specific scan.  I learned a lot from 
that, especially about firewall rules and good will.  

	The idea of pushing material likely to be requested to a "nearby" server 
in the "network topology" makes sense.  I can see where visiting a web 
site may attract the interest of a business and cause them to see how to 
better serve the customer.  After all, businesses now have the technology 
to know when I am looking at their web site.  (As opposed to whether or 
not I used the Sunday paper to light the BBQ grill before I read their 
ad.)  This may cause them to "push" the cache of potential files to a 
nearer server to quicken the web's response to a query.   

	I have to ask a question though. ((Please realize that this is an honest 
question from a guy that drives jets for a living and ***plays*** with 
Linux in his spare time.  This question is not intended as an 
insinuation, it's just an expression of what is going through my mind.))  
My question is this, "Is a full portscan necessary to find out what they 
need to know about where my box is and what it may be able to provide to 
help their business?  Would an address lookup be enough, or does this 
business really need to know if I run a time server (for example)?"  I 
don't know the answer. I don't even know all the issues attached to these 
questions... (No answer needed from the list BTW.) Anyway, it has been 
quite a while since my box got scanned as much as this one from the same 
IP address.  

	That leads me to the initial question I posted to the list.  I didn't 
know what the scan was, what it represented, or why it was there.  I do 
know that it was a pretty big scan compared with others I see, so I asked 
the NOC to look into it.  They did, and I thought the reply I got was 
about as different from any other answer that I had ever received as it 
could be. I accept the NOC given reason at face value, but I had never 
seen anything quite like this, so I asked the list for someone to help me 
with an off-line look to help me figure it out.

	What did I learn?  Three things so far: 
		- There can be good business reasons for scans beyond system security. 
		- I am reassured that there are some very generous and helpful people 
on this mailing list, and I am very grateful for that -- thanks again to 
all of you.  
		- I also learned that I need to read up on stateful firewalls before I 
upgrade my box.  There may be a way to "ignore" the good scans...

Respectfully,

Ben
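Added example, not part of Ben's post or of the LUAU archive: a small Python classifier run over constructed netfilter-style LOG lines that separates Windows browse chatter, an ISP's announced check on a couple of ports, a single probe, and a multi-port sweep of the kind the post describes. The addresses (RFC 5737 ranges), the port sets and the 20-port threshold are assumptions for illustration. The point it adds to the thread is that an allowlist for a "good" scanner should be tied to the ports that scanner said it probes, so the same source stepping outside them is still reported rather than silently dropped.

```python
"""Classify port-scan activity from Linux packet-filter log lines.

Added example; not code from the original post. The log lines are
constructed in the style of a netfilter LOG target, and the allowlisted
"ISP scanner" address and its ports are placeholders (assumptions).
"""
import re
from collections import defaultdict

# Pull source, destination, protocol and ports out of a LOG-target line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r".*?PROTO=(?P<proto>TCP|UDP) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Assumption: an ISP told us it probes these two ports for a Windows infection.
# The allowlist is keyed by source AND restricted to the announced ports.
BENIGN_SCANNERS = {"203.0.113.10": {139, 445}}

NOISE_PORTS = {137, 138, 139}   # NetBIOS browse chatter from Windows hosts
SCAN_THRESHOLD = 20             # distinct destination ports from one source


def parse(lines):
    """Map each source address to the set of (proto, dport) pairs it hit."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:                    # ICMP and malformed lines simply don't match
            hits[m["src"]].add((m["proto"], int(m["dpt"])))
    return hits


def classify(hits):
    """Label each source: benign-scanner, noise, portscan or probe."""
    result = {}
    for src, pairs in hits.items():
        dports = {p for _, p in pairs}
        allowed = BENIGN_SCANNERS.get(src)
        if allowed is not None and dports <= allowed:
            # Only the announced ports: this is the scan we agreed to ignore.
            result[src] = "benign-scanner"
        elif dports <= NOISE_PORTS:
            result[src] = "noise"
        elif len(dports) >= SCAN_THRESHOLD:
            # A "pretty big scan": many distinct ports from one address.
            result[src] = "portscan"
        else:
            # Anything else, including an allowlisted source hitting ports
            # it never said it would probe, is worth a look.
            result[src] = "probe"
    return result


def _line(src, dport, proto="TCP", sport=1025):
    """Construct a netfilter-style LOG line (sample data, not a real capture)."""
    return (f"Nov 13 00:38:00 lanai kernel: IN=ppp0 OUT= SRC={src} DST=192.0.2.5 "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=3456 DF PROTO={proto} "
            f"SPT={sport} DPT={dport} WINDOW=16384 RES=0x00 SYN URGP=0")


# Constructed sample: browse noise, the ISP's check, a 40-port sweep, one probe.
SAMPLE_LOG = (
    [_line("198.51.100.7", 137, "UDP"), _line("198.51.100.7", 138, "UDP")]
    + [_line("203.0.113.10", 139), _line("203.0.113.10", 445)]
    + [_line("192.0.2.99", p, sport=40000 + p) for p in range(1, 41)]
    + [_line("198.51.100.200", 22)]
)


def classify_sample():
    """Run the classifier over the constructed sample log."""
    return classify(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for src, label in sorted(classify_sample().items()):
        print(f"{src:16} {label}")
```

Sources labelled "noise" or "benign-scanner" are the ones a firewall rule could drop without logging; "portscan" and "probe" are what would go to the address block's abuse contact, as the post describes. Tightening the allowlist to announced ports is what keeps a known address from becoming a blind spot.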
